On systems running SELinux in enforcing mode, the boot sequence will indicate errors similar to the following:

rm: cannot remove `lib64/rc/console': Permission denied
chmod: changing permissions of `/tmp': Permission denied

These errors appear to be largely cosmetic, as the system continues to boot just fine.

Reproducible: Always

Steps to Reproduce:
1. Configure SELinux system with v2ref profile in enforcing mode
2. Boot said system
3.

Actual Results:
Errors displayed on boot console

Expected Results:
No errors displayed on boot console

During startup, the bootmisc init script attempts to completely delete the $RC_LIBEXECDIR/console directory (thereby destroying the contents as well). During later initialization, the consolefont and keymaps init scripts recreate (if necessary) and populate this directory. The selinux policy does not allow these actions for the init process on the lib dirs, including $RC_LIBEXECDIR/console. Any/all of these actions may result in the first error above being displayed to the console.

In addition, bootmisc attempts to clean the /tmp dir. As part of this process, it attempts to change the attributes of the /tmp dir with 'chmod a+rwt'. Since /tmp is part of the root file system, the selinux policy does not allow this, and the second error above is displayed to the console.

The attached patch changes bootmisc to only delete the CONTENTS of $RC_LIBEXECDIR/console, rather than $RC_LIBEXECDIR/console itself. In addition, I am proposing a change in upstream selinux policy which will change the selinux type on the $RC_LIBEXECDIR/console directory, and allow the init scripts to create and populate this directory as necessary. The attached patch also changes the call to chmod the /tmp directory to redirect error output to /dev/null.
I'm not certain if the change to the chmod call is the best way to deal with this issue, but I'm fairly certain any attempt to change the upstream selinux policy to allow the init script to change the attributes of /tmp would be met with resistance, nor would I be comfortable proposing such a change.
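The two bootmisc changes described in the report, written out as an added example (this is not the attached patch and not OpenRC's own bootmisc code). The function names, the scratch directory layout and the sample files are assumptions for illustration. The "old" function removes the directory itself, which under SELinux needs permission to unlink an entry in the parent lib directory; the "new" function removes only the contents, so the directory's inode and its label survive and consolefont/keymaps can repopulate it later. The chmod wrapper keeps the command's exit status while discarding stderr, so a caller can still detect a failure even though nothing reaches the boot console; note that the redirect hides every chmod error, not only the SELinux denial.

```shell
#!/bin/sh
# Added example (not the bug's attached patch): the two bootmisc behaviours
# described in the report, as small POSIX sh functions exercised in a scratch
# directory. Function names and the scratch layout are assumptions.

# Old behaviour: remove the directory itself. Under SELinux this needs
# permission to unlink an entry in the parent (lib64/rc), which init lacks,
# so rm prints "cannot remove ...: Permission denied".
clear_console_dir_old() {
    rm -rf "$1"
}

# New behaviour: remove only the contents (visible and hidden entries), so the
# directory itself and its SELinux label are left in place. A glob that matches
# nothing is passed literally, and rm -f stays silent about it.
clear_console_dir_new() {
    dir=$1
    [ -d "$dir" ] || return 0
    rm -rf "$dir"/* "$dir"/.[!.]* "$dir"/..?*
}

# /tmp handling: the same chmod as before, with stderr discarded so a policy
# denial no longer reaches the boot console. The exit status is still returned.
set_tmp_mode() {
    chmod a+rwt "$1" 2>/dev/null
}

# Number of entries (dotfiles included) left in a directory.
entry_count() {
    ls -A "$1" | wc -l | tr -d ' '
}

# Self-check in a scratch tree; returns 0 when both behaviours act as described.
demo() {
    scratch=$(mktemp -d) || return 1
    console="$scratch/console"
    mkdir -p "$console/sub"
    : > "$console/font"; : > "$console/.hidden"; : > "$console/sub/keymap"

    # New behaviour: contents gone, directory kept.
    clear_console_dir_new "$console"
    [ -d "$console" ] || { rm -rf "$scratch"; return 1; }
    [ "$(entry_count "$console")" -eq 0 ] || { rm -rf "$scratch"; return 1; }

    # Old behaviour: directory itself gone.
    : > "$console/font"
    clear_console_dir_old "$console"
    [ ! -e "$console" ] || { rm -rf "$scratch"; return 1; }

    # chmod wrapper: succeeds on a directory we own, quietly.
    tmp="$scratch/tmp"; mkdir "$tmp"
    set_tmp_mode "$tmp" || { rm -rf "$scratch"; return 1; }

    rm -rf "$scratch"
    return 0
}

demo && echo "ok: contents cleared, directory kept, chmod quiet"
```

Run it as a normal user; it touches only a directory created by mktemp and removes it afterwards.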
Created attachment 257923 [details, diff] patched bootmisc
Created attachment 257925 [details] system emerge --info
Note to above: the init scripts will still not have permission to DELETE the $RC_LIBEXEC/console dir (assuming the proposed selinux policy change is accepted), as doing so would require extending that permission to the entire /lib tree, which seems both excessive and undesirable.
Hi Chris, I am unable to apply your patch since it is not in unified diff format. Can you please repost it? Thanks, William
Created attachment 259095 [details, diff] patched bootmisc, now in unified diff format! Sorry about that, William. Hope this one is more to your liking. ;)
This is fixed in git as of commit 92b626.