Newer upcoming versions of mkinitrd copy kernel modules into /tmp/somewhere/lib/modules/VERSION/ then run depmod on that to create its own lib/modules/VERSION/modules.* files. Unfortunately, SELinux prevents depmod from operating when this happens from RPM. But a subsequent attempt from a root shell succeeds. [root@newcaprica tmp]# rpm -ivh kernel-2.6.24-0.73.rc4.git1.fc9.x86_64.rpm Preparing... ########################################### [100%] 1:kernel ########################################### [100%] WARNING: Couldn't open directory /tmp/initrd.pT5107/lib/modules/2.6.24-0.73.rc4.git1.fc9: Permission denied FATAL: Could not open /tmp/initrd.pT5107/lib/modules/2.6.24-0.73.rc4.git1.fc9/modules.dep.temp for writing: Permission denied type=AVC msg=audit(1196890268.201:30): avc: denied { search } for pid=8659 comm="depmod" name="tmp" dev=dm-3 ino=2097153 scontext=system_u:system_r:depmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1196890268.201:30): arch=c000003e syscall=2 success=no exit=-13 a0=61d0a0 a1=90800 a2=0 a3=3b9c1529f0 items=0 ppid=4789 pid=8659 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1196890268.201:31): avc: denied { search } for pid=8659 comm="depmod" name="tmp" dev=dm-3 ino=2097153 scontext=system_u:system_r:depmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1196890268.201:31): arch=c000003e syscall=2 success=no exit=-13 a0=7fff40742450 a1=241 a2=1b6 a3=240 items=0 ppid=4789 pid=8659 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="depmod" exe="/sbin/depmod" subj=system_u:system_r:depmod_t:s0-s0:c0.c1023 key=(null) How can we allow this to succeed?
Fixed in selinux-policy-3.0.8-66.fc8
Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen.