Created attachment 602778 [details]
dracut --kver 5.4.8-gentoo

Hi,

I am using initramfs, btrfs, cryptsetup. To install a new kernel, this is the way I do it:

make olddefconfig
mount -o remount,rw /boot
time ( make && make modules_install && make install ) && echo OK
dracut --kver 5.4.8-gentoo
grub-mkconfig -o /boot/grub/grub.cfg

But when running the dracut command I get a lot of errors and it fails to finish.

Portage 2.3.79 (python 3.6.9-final-0, default/linux/amd64/17.1/hardened/selinux, gcc-9.2.0, glibc-2.29-r2, 5.3.11-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.3.11-gentoo-x86_64-Intel-R-_Core-TM-_i7-5557U_CPU_@_3.10GHz-with-gentoo-2.6
KiB Mem:    16271356 total,   7715952 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Tue, 19 Nov 2019 00:45:01 +0000
Head commit of repository gentoo: 7446f04821448e084c44c24e9f99b46363b62b3e
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.32 p2) 2.32.0
ccache version 3.7.4 [enabled]
app-shells/bash:          4.4_p23-r1::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.28.2-r1::gentoo
dev-lang/python:          2.7.16::gentoo, 3.6.9::gentoo
dev-util/ccache:          3.7.4::gentoo
dev-util/cmake:           3.14.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.41.2::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.69-r4::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.32-r1::gentoo
sys-devel/gcc:            9.2.0-r2::gentoo
sys-devel/gcc-config:     2.1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc:           2.29-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1

local
    location: /usr/local/portage
    masters: gentoo
    priority: 10

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -fforce-addr -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -fforce-addr -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=4.0 --keep-going=y --with-bdeps=y --complete-graph"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg ccache config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch parallel-install preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://m.toto.org/gentoo/"
LANG="fr_FR.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl amd64 branding bzip2 chroot consolekit crypt cryptsetup cxx ffmpeg gnutls hardened iconv icu ipv6 jpeg libtirpc logrotate lzma mmx modplug multilib ncurses nls nptl opengl openmp pam pax_kernel pcre perl pic pie png python readline seccomp secure_delete selinux snmp split-usr sse sse2 ssl ssp symlink tcpd unicode wavpack webrsync-gpg xattr xml xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="load memory syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6" QEMU_SOFTMMU_TARGETS="arm x86_64 sparc" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="intel i915" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

sys-kernel/dracut-048-r1::gentoo was built with the following:
USE="(selinux) -debug" ABI_X86="(64)"

sec-policy/selinux-dracut-2.20180701-r1::gentoo was built with the following:
USE="" ABI_X86="(64)"

Then I tried to correct the permissions, but I got these errors:

ausearch -m avc -ts 14:12 |audit2allow -M dracut
cat dracut.te

module dracut 1.0;

require {
	type lib_t;
	type lvm_exec_t;
	type fixed_disk_device_t;
	type udev_tbl_t;
	type udev_exec_t;
	type etc_t;
	type udev_rules_t;
	type fsadm_exec_t;
	type shell_exec_t;
	type bin_t;
	type lvm_t;
	type lvm_etc_t;
	type fsadm_run_t;
	type lvm_lock_t;
	type ld_so_t;
	type dmesg_exec_t;
	type dracut_t;
	type kmod_exec_t;
	type modules_dep_t;
	type mount_exec_t;
	type modules_conf_t;
	type usr_t;
	class file { read relabelto setattr unlink };
	class blk_file read;
	class dir { add_name getattr relabelto search };
	class unix_stream_socket connectto;
}

#============= dracut_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t bin_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t dmesg_exec_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t etc_t:file relabelto;
allow dracut_t fixed_disk_device_t:blk_file read;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t fsadm_exec_t:file relabelto;
allow dracut_t fsadm_run_t:dir { getattr search };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t kmod_exec_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t ld_so_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t lib_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t lvm_etc_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t lvm_exec_t:file relabelto;
allow dracut_t lvm_lock_t:dir add_name;
allow dracut_t lvm_t:unix_stream_socket connectto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t modules_conf_t:file relabelto;
allow dracut_t modules_dep_t:file { setattr unlink };

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t mount_exec_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t shell_exec_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t udev_exec_t:file relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t udev_rules_t:file relabelto;
allow dracut_t udev_tbl_t:file read;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t usr_t:dir relabelto;

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#	constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
#	Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t usr_t:file relabelto;

A workaround is to disable SELinux in order to run the dracut command...
sys-kernel/dracut-053-r1::gentoo was built with the following:
USE="(selinux)" ABI_X86="(64)" CFLAGS="-march=haswell -O2 -fforce-addr -pipe" CXXFLAGS="-march=haswell -O2 -fforce-addr -pipe"
Created attachment 736933 [details]
the errors from: dracut --kver 5.13.13-gentoo

This is the error file from running dracut --kver 5.13.13-gentoo.
Created attachment 736936 [details]
dracut policies

Then I audited:

ausearch -m avc -ts 11:36 |audit2allow -M test-dracut

But it failed again to insert the policies:

> semodule -i test-dracut.pp
neverallow check failed at /var/lib/selinux/strict/tmp/modules/400/authlogin/cil:196
  (neverallow authlogin_typeattr_1 shadow_t (file (read)))
    <root>
    allow at /var/lib/selinux/strict/tmp/modules/400/test-dracut/cil:72
      (allow dracut_t shadow_t (file (read)))
Failed to generate binary semodule: Failed!
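The two failures in this bug illustrate why feeding audit2allow output straight into semodule does not work here: most of the first report's denials are constraint violations (the process runs as SELinux user staff_u while the files it relabels are owned by system_u, and dracut_t lacks can_change_object_identity), so no allow rule can satisfy them, and the second attempt's module is rejected because `allow dracut_t shadow_t:file read` collides with a neverallow. The triage script below is an added example, not part of the bug report or of dracut or the Gentoo policy. It parses raw AVC records (the three sample lines are constructed; PIDs, inodes and timestamps are invented, the type and user fields mirror what the audit2allow output above implies) and, for each denied permission, decides whether audit2allow's allow rule would fix it, whether it is the identity constraint quoted in the report, or whether it would trip a neverallow. The membership of can_change_object_identity and the neverallow exemption set are assumptions written into the script; on a real Gentoo SELinux host they come from the loaded policy (`seinfo -a can_change_object_identity -x` lists the real attribute members).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample AVC records in auditd's raw format. Values such as pid, ino
# and the timestamps are invented; types and SELinux users follow the bug report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1574165520.101:901): avc:  denied  { relabelto } for  pid=4242 '
    'comm="cp" name="bash" dev="dm-0" ino=1311 '
    'scontext=staff_u:sysadm_r:dracut_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1574165520.233:902): avc:  denied  { read } for  pid=4242 '
    'comm="cryptsetup" name="sda2" dev="devtmpfs" ino=1033 '
    'scontext=staff_u:sysadm_r:dracut_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    'type=AVC msg=audit(1574165520.455:903): avc:  denied  { read } for  pid=4243 '
    'comm="cp" name="shadow" dev="dm-0" ino=2048 '
    'scontext=staff_u:sysadm_r:dracut_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# The constraint quoted by audit2allow in the report:
#   constrain <class> { create relabelfrom relabelto }
#     ((u1 == u2) or (t1 == can_change_object_identity));
# It is modelled for the file-like object classes. Which types carry the
# can_change_object_identity attribute is policy-specific; the set below is an
# ASSUMPTION for this example, not taken from the bug's policy.
CONSTRAINED_PERMS = {"create", "relabelfrom", "relabelto"}
CONSTRAINED_CLASSES = {"file", "dir", "lnk_file", "fifo_file", "sock_file", "chr_file", "blk_file"}
CAN_CHANGE_OBJECT_IDENTITY = {"setfiles_t", "restorecond_t"}  # assumed members

# A neverallow modelled on the one semodule reported (authlogin: no domain outside
# an exempt attribute may read shadow_t files). The exempt source types are assumed.
NEVERALLOW_RULES = [  # (target type, object class, permission, exempt source types)
    ("shadow_t", "file", "read", {"chkpwd_t", "updpwd_t"}),
]


def parse_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type[:range] into its fields; the MLS range may contain colons."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": parts[3] if len(parts) == 4 else ""}


def parse_avc(line: str) -> Optional[dict]:
    """Extract permissions, source/target contexts and class from one raw AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"perms": m.group("perms").split(),
            "source": parse_context(m.group("scontext")),
            "target": parse_context(m.group("tcontext")),
            "tclass": m.group("tclass")}


def classify(avc: dict, perm: str) -> str:
    """'neverallow': semodule will reject the allow rule.
    'constraint' : the identity constraint fails, an allow rule cannot help.
    'te_denial'  : an ordinary type-enforcement denial, fixable by an allow rule."""
    src, tgt, tclass = avc["source"], avc["target"], avc["tclass"]
    for ttype, cls, p, exempt in NEVERALLOW_RULES:
        if tgt["type"] == ttype and tclass == cls and perm == p and src["type"] not in exempt:
            return "neverallow"
    if perm in CONSTRAINED_PERMS and tclass in CONSTRAINED_CLASSES:
        # Both branches of the constraint are evaluated exactly as the rule states.
        if src["user"] != tgt["user"] and src["type"] not in CAN_CHANGE_OBJECT_IDENTITY:
            return "constraint"
    return "te_denial"


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verdict, allow rule audit2allow would emit) for every denied permission."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        for perm in avc["perms"]:
            rule = f'allow {avc["source"]["type"]} {avc["target"]["type"]}:{avc["tclass"]} {perm};'
            results.append((classify(avc, perm), rule))
    return results


if __name__ == "__main__":
    for verdict, rule in triage(SAMPLE_AVCS):
        print(f"{verdict:11} {rule}")
```

Only the `te_denial` lines are candidates for a local policy module; the `constraint` lines need the process to run with the same SELinux user as the files it relabels (or the domain to be granted can_change_object_identity), and a `neverallow` line means the generated .pp will be refused by semodule exactly as shown in this comment, so the access has to be removed from the module rather than allowed.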
Does this still happen in version 101? If so, please also report this upstream at https://github.com/dracut-ng/dracut-ng/issues
This is specifically a policy issue that's been on my todo list for a while.