(See my other mail on the subject here: http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is denying ldconfig permission to create symlinks in /tmp. mkinitrd uses ldconfig to set up the symlinks in the initrd it creates (in a temp dir under /tmp), so then nash won't load (missing ld-linux.so.2), so your system won't boot.
Here's the relevant info, triggered when installing a new kernel (which runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Hope this helps,
-w
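As an added example (not part of the thread or of any Fedora tooling), the following script parses an audit AVC record like the one quoted above into its fields and synthesizes the type-enforcement rule the denial is asking for, which is the same derivation audit2allow performs. The sample records are constructed for the example: the first is the record from the mail above, the second is an invented companion record for the same domain/type pair so that the merging step has something to merge. The helper names (parse_avc, allow_rule, rules_from_log) are this example's own.

```python
import re

# Constructed sample input. The first record is the one from the mail above;
# the second is invented for this example to show how rules are merged.
SAMPLE_LOG = [
    'avc: denied { create } for comm="ldconfig" egid=0 euid=0 '
    'exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 '
    'sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file '
    'tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0',
    # invented record: same domain, same target type, different class/perms
    'avc: denied { write add_name } for comm="ldconfig" exe="/sbin/ldconfig" '
    'scontext=user_u:system_r:ldconfig_t:s0 tclass=dir '
    'tcontext=user_u:object_r:rpm_script_tmp_t:s0',
]

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a dict with 'result', 'perms' (list) and every key=value field."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def allow_rule(rec):
    """The minimal TE rule that would silence this single denial."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec["scontext"]),
        context_type(rec["tcontext"]),
        rec["tclass"],
        " ".join(rec["perms"]),
    )


def rules_from_log(lines):
    """Merge all denials into one rule per (source type, target type, class)."""
    merged = {}
    for line in lines:
        if "avc:" not in line:
            continue  # skip non-AVC audit lines
        rec = parse_avc(line)
        if rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

Running it prints `allow ldconfig_t rpm_script_tmp_t:dir { add_name write };` and `allow ldconfig_t rpm_script_tmp_t:lnk_file { create };`. The rule is what the denial literally requests, not necessarily the right policy change: as the thread goes on to discuss, the question is why ldconfig is creating objects labelled rpm_script_tmp_t at all, so the synthesized rule is a diagnostic, not a fix to apply blindly.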
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
Here's the relevant info, triggered when installing a new kernel (which runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
Hope this helps,
-w
Hello to all,
I've been following this issue on several other lists and here is what seems to be the problem, as far as some at FedoraProject see the issue.
Look at -> http://fedoraproject.org/wiki/F7Test2/ReleaseNotes
-> [Problems with mkinitrd]
They mention the rpm ordering issue and updating anaconda via an .img pkg.
This is my first mail to the list, glad to be here.
Kind Regards, Euman
On Fri, 2007-03-16 at 14:06 -0400, Euman wrote:
I've been following this issue on several other lists and here is what seems to be the problem, as far as some at FedoraProject see the issue.
Look at -> http://fedoraproject.org/wiki/F7Test2/ReleaseNotes
-> [Problems with mkinitrd]
They mention the rpm ordering issue and updating anaconda via an .img pkg.
That's a different bug.
That bug is a problem with the installer trying to install the mkinitrd package - it would sometimes get stuck in an infinite loop on 64-bit machines.
My problem is that the SELinux policy is denying mkinitrd some permissions it needs to be able to create a working initrd.
Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7. The changelog mentions prelink, not ldconfig, so I'm not sure what actually changed and whether the problem is really fixed or if I'm just not seeing it now.
How could I get a diff between the two policies?
Thanks,
-w
On Fri, 2007-03-16 at 18:26 +0000, Will Woods wrote:
My problem is that the SELinux policy is denying mkinitrd some permissions it needs to be able to create a working initrd.
Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7. The changelog mentions prelink, not ldconfig, so I'm not sure what actually changed and whether the problem is really fixed or if I'm just not seeing it now.
Whoops, strike that - I didn't get a setroubleshoot popup, but the initrd is still broken.
-w
On Fri, 2007-03-16 at 18:26 +0000, Will Woods wrote:
On Fri, 2007-03-16 at 14:06 -0400, Euman wrote:
I've been following this issue on several other lists and here is what seems to be the problem, as far as some at FedoraProject see the issue.
Look at -> http://fedoraproject.org/wiki/F7Test2/ReleaseNotes
-> [Problems with mkinitrd]
They mention the rpm ordering issue and updating anaconda via an .img pkg.
That's a different bug.
That bug is a problem with the installer trying to install the mkinitrd package - it would sometimes get stuck in an infinite loop on 64-bit machines.
My problem is that the SELinux policy is denying mkinitrd some permissions it needs to be able to create a working initrd.
Or, rather, it *was* - it seems to work with selinux-policy-2.5.8-5.fc7. The changelog mentions prelink, not ldconfig, so I'm not sure what actually changed and whether the problem is really fixed or if I'm just not seeing it now.
How could I get a diff between the two policies?
If you want a comparison of the actual kernel binary policies, you can use sediff from setools to display a semantic diff of them.
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
(See my other mail on the subject here: http://redhat.com/archives/fedora-test-list/2007-March/msg00295.html )
Something in selinux-policy-2.5.8-4.fc7 (and I think -3 as well) is denying ldconfig permission to create symlinks in /tmp. mkinitrd uses ldconfig to set up the symlinks in the initrd it creates (in a temp dir under /tmp), so then nash won't load (missing ld-linux.so.2), so your system won't boot.
Here's the relevant info, triggered when installing a new kernel (which runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
We shouldn't allow ldconfig to create files with rpm_script_tmp_t (private temporary file type for rpm scriptlets), so something is wrong here. How is the parent directory created?
On Mon, 2007-03-19 at 09:09 -0400, Stephen Smalley wrote:
On Fri, 2007-03-16 at 12:20 -0400, Will Woods wrote:
Here's the relevant info, triggered when installing a new kernel (which runs mkinitrd):
avc: denied { create } for comm="ldconfig" egid=0 euid=0 exe="/sbin/ldconfig" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="ld-linux.so.2" pid=4613 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=lnk_file tcontext=user_u:object_r:rpm_script_tmp_t:s0 tty=(none) uid=0
We shouldn't allow ldconfig to create files with rpm_script_tmp_t (private temporary file type for rpm scriptlets), so something is wrong here. How is the parent directory created?
It's created by 'mktemp -d' in mkinitrd:
MNTIMAGE=`mktemp -d ${TMPDIR}/initrd.XXXXXX`
[create directory layout in $MNTIMAGE]
mkdir -p $MNTIMAGE/lib/firmware
[copy binaries and libraries into $MNTIMAGE]
/sbin/ldconfig -r "$MNTIMAGE"
This is running as part of the kernel RPM's %post script, so it makes some sense that the target would have a context of rpm_script_tmp_t.
As you can see, mkinitrd *does* require that ldconfig be able to create symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end up with non-bootable initrds, which is what we're seeing in rawhide right now.
-w
On Mon, 2007-03-19 at 16:21 -0400, Will Woods wrote:
As you can see, mkinitrd *does* require that ldconfig be able to create symlinks with rpm_script_tmp_t (or some other tmp_t). Otherwise we end up with non-bootable initrds, which is what we're seeing in rawhide right now.
dwalsh built a new selinux-policy package (2.5.8-8.fc7) which fixes this problem for me. The new package should be public in rawhide tomorrow, so we'll find out for sure if it's fixed then.
Thanks for all your help, folks!
-w