397535 – dracut fails to create initramfs on SELinux systems when not using unconfined

Bug 397535 - dracut fails to create initramfs on SELinux systems when not using unconfined

Summary: dracut fails to create initramfs on SELinux systems when not using unconfined

Status:	VERIFIED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	SE Linux Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2012-01-03 19:44 UTC by Sven Vermeulen (RETIRED)
Modified:	2012-02-26 10:09 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sven Vermeulen (RETIRED) gentoo-dev

2012-01-03 19:44:27 UTC

When the policy loaded doesn't allow unconfined domains, then dracut fails to create and manage initramfs files as it doesn't hold the necessary privileges to work (amongst other things) with /var/tmp (actually, transition towards depmod which fails to work in /var/tmp). Looks like dracut might need its own domain.

Reproducible: Always

Steps to Reproduce:
~# dracut "" 3.1.6-hardened
Actual Results:  
Fails with "Unable to read file /var/tmp/...", AVC denials show that depmod cannot get attributes.


Will put up a dracut_t domain to work with.

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2012-01-03 22:50:49 UTC

selinux-dracut module will be up with rev11 of base policy

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2012-01-29 09:36:21 UTC

Is ~arch since 2012/01/03

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2012-02-26 10:09:51 UTC

Stabilized