Bug 155015 - depmod fails during rpmbuild of kernel: System.map O_RDONLY
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: powerpc
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-04-15 18:00 UTC by John Reiser
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 1.25.4-10.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-15 16:00:33 UTC


Attachments
strace of depmod (deleted), 2005-04-15 18:04 UTC, John Reiser
grep depmod /var/log/audit/auditd.log (deleted), 2005-04-16 05:26 UTC, John Reiser

Description John Reiser 2005-04-15 18:00:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
"rpmbuild -bc --target ppc kernel-2.6.spec" fails at "make modules_install" step because depmod cannot open System.map for O_RDONLY, even though System.map exists and is readable (and the directory is searchable).


Version-Release number of selected component (if applicable):
module-init-tools-3.1-2

How reproducible:
Always

Steps to Reproduce:
1. rpm --install kernel-2.6.11-1.1240_FC4.src.rpm
2. cd SPECS;  then remove the "-s" at line 833 of kernel-2.6.spec so that "make modules_install" shows the commands that it invokes.
3. rpmbuild -bc --target ppc kernel-2.6.spec >rpm.out 2>&1 &
  

Actual Results:  rpmbuild fails (Exit 1) at the "make modules_install" stage, with last command:
-----
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b /var/tmp/kernel-2.6.11-1.1240_FC4.jreiser-root -r 2.6.11-1.1240_FC4.jreiser; fi
make: *** [_modinst_post] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.34550 (%build)
-----

Running the depmod command under strace shows:
-----
   [snip]
brk(0)                                  = 0x10027000
brk(0x10048000)                         = 0x10048000
open("System.map", O_RDONLY)            = -1 EACCES (Permission denied)
write(2, "FATAL: ", 7)                  = 7
write(2, "Could not open \'System.map\': Per"..., 47) = 47
exit_group(1)                           = ?
-----




Expected Results:  The depmod should have opened System.map, proceeded, and eventually succeeded.

Additional info:

Comment 1 John Reiser 2005-04-15 18:04:45 UTC
Created attachment 113238 [details]
strace of depmod

complete 27-line strace of depmod execution.
Current directory is BUILD/kernel-2.6.11/linux-2.6.11 with drwxr-xr-x
permissions,
System.map exists (692479 bytes) with -rw-r--r-- permissions.

Comment 2 John Reiser 2005-04-15 18:08:26 UTC
SELinux is in targeted enforcing mode.
/var/log/messages contains no "avc" messages about System.map or depmod.
(The only "avc" are for PrinterSpooler PrinterAdded.)


Comment 3 Bill Nottingham 2005-04-15 18:09:47 UTC
I'm assuming that turning off enforcing doesn't change it?

Comment 4 John Reiser 2005-04-16 01:35:04 UTC
Selinux DOES matter:
Rebooting with "disabled targeted" makes it work.
Rebooting with "permissive targeted" makes it work.
Rebooting with "enforcing targeted" makes it fail again.

Installed rpms are:
kernel-2.6.11-1.1240_FC4
selinux-policy-targeted-1.23.11-1
libselinux-1.23.7-2
libselinux-devel-1.23.7-2

rpmbuild was done as unprivileged user, with $HOME/.rpmmacros:
-----
%packager %(echo $USER)
%_topdir %(echo "$HOME")/rpmbuild
-----
and $HOME/rpmbuild and everything below it is owned by $USER, and $USER
has access to everything in the $HOME/rpmbuild tree.


Comment 5 John Reiser 2005-04-16 01:36:34 UTC
All 4 times with the sequence {enforcing, disabled, permissive, enforcing} there
are no "avc" messages in /var/log/messages that refer to depmod or System.map.


Comment 6 Daniel Walsh 2005-04-16 03:28:26 UTC
Do you have avc messages in /var/log/audit/auditd.log?

Comment 7 John Reiser 2005-04-16 05:25:33 UTC
Yes, 41 of them.  I'll attach the output from "grep depmod
/var/log/audit/auditd.log".  System.map is inode 134868.


Comment 8 John Reiser 2005-04-16 05:26:34 UTC
Created attachment 113268 [details]
grep depmod /var/log/audit/auditd.log

Comment 9 Daniel Walsh 2005-04-19 15:41:01 UTC
What context are you running the build under?  sysadm_t?

For a normal user depmod should not be transitioning, I think.

Dan

Comment 10 John Reiser 2005-04-19 16:16:08 UTC
Um, "plain user" context: logged in as ordinary non-privileged user, no known
actions taken that would change context.  [What is the shell-level command to
show which context is current?]


Comment 11 Daniel Walsh 2005-04-19 17:19:54 UTC
id -Z

Comment 12 John Reiser 2005-04-19 17:23:17 UTC
user_u:system_r:unconfined_t

[It would be handy if "apropos context" said something about 'id'.]


Comment 13 Daniel Walsh 2005-04-21 12:20:09 UTC
I don't know why it does not.  It is mentioned in the man page

man id
...
       -Z, --context
              print only the security context

Anyways latest policy (1.23.12-1) should not transition from unconfined_t to
depmod_t so this should be fixed.  Please try it

Comment 14 John Reiser 2005-04-21 18:13:22 UTC
selinux-policy-targeted-1.23.12-1 fails the same way on the surface, but
differently underneath.  kernel-2.6.11-1.1253_FC4 is running,
/etc/selinux/config specifies enforcing targeted.

/var/log/audit/audit.log contains nothing of apparent interest.  However,
/var/log/messages contains
-----
Apr 21 15:53:29 mini kernel: audit(1114124009.718:0): avc:  denied  { write }
for  pid=29921 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out
dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t
tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.192:0): avc:  denied  { write }
for  pid=609 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out
dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t
tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.192:0): avc:  denied  { write }
for  pid=609 exe=/sbin/depmod path=/home/jreiser/rpmbuild/SPECS/rpm.out
dev=hda4 ino=133182 scontext=user_u:system_r:depmod_t
tcontext=user_u:object_r:default_t tclass=file
Apr 21 15:56:49 mini kernel: audit(1114124209.193:0): avc:  denied  { search }
for  pid=609 exe=/sbin/depmod name=linux-2.6.11 dev=hda4 ino=130573
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=dir
-----
[The clock is ahead by 7 hours due to dispute between Mac OS X and Linux over
which timezone the Mac mini hardware (ppc) is in, and how that is represented.]

Also note that /var/log/messages earlier had
-----
Apr 21 14:28:34 mini kernel: audit(1114118913.748:0): avc:  denied  { setsched }
for  pid=1933 exe=/sbin/auditd scontext=user_u:system_r:auditd_t
tcontext=user_u:system_r:auditd_t tclass=process
Apr 21 14:28:34 mini kernel: SELinux: initialized (dev rpc_pipefs, type
rpc_pipefs), uses genfs_contexts
-----
so something doesn't look right with auditd.

As originally, the rpmbuild of the kernel fails with
-----
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b
/var/tmp/kernel-2.6.11-1.1240_FC4.jreiser-root -r 2.6.11-1.1240_FC4.jreiser; fi
make: *** [_modinst_post] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.75435 (%build)
-----
Re-running the /sbin/depmod command under strace shows the same problem with
open("System.map", O_RDONLY) getting EACCES. The re-running also causes a new
complaint in /var/log/messages of
-----
Apr 21 17:52:33 mini kernel: audit(1114131153.055:0): avc:  denied  { search }
for  pid=1444 exe=/sbin/depmod name=linux-2.6.11 dev=hda4 ino=130573
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=dir
-----


[The reason why "apropos context" says nothing about id(1) is that id(1) does
not contain the string "context" in its NAME title line, which is "id - print
real and effective UIDs and GIDs".]



Comment 15 David Juran 2005-04-21 19:34:07 UTC
I'd just like to add that I get a very similar error message trying to rebuild
kernel-2.6.11-1.1253_FC4.src.rpm on a i686. It fails in the same place, but the
only lines I have in my messages-file are:

Apr 21 21:20:39 c83-248-2-203 kernel: audit(1114111239.735:0): avc:  denied  {
search } for  pid=7504 exe=/sbin/depmod name=var dev=hdb2 ino=163841
scontext=user_u:system_r:depmod_t tcontext=system_u:object_r:var_t tclass=dir

Apr 21 21:20:40 c83-248-2-203 kernel: audit(1114111239.956:0): avc:  denied  {
search } for  pid=7504 exe=/sbin/depmod name=var dev=hdb2 ino=163841
scontext=user_u:system_r:depmod_t tcontext=system_u:object_r:var_t tclass=dir


I'm running selinux-policy-targeted-1.23.12-1 
If I build running the system in permissive mode, everything works fine.


Comment 16 John Reiser 2005-05-11 17:05:03 UTC
Same problem [strongly related, anyway] with new symptom now happens on FC4test3
(PowerPC Mac mini) using
kernel-2.6.11-1.1290_FC4
selinux-policy-targeted-1.23.14-2  ## targeted enforcing

Symptom is:
make ARCH=ppc INSTALL_MOD_PATH=/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root
modules_install KERNELRELEASE=2.6.11-1.1290_FC4.jreiser
[snip long list of INSTALL <module>, ending with:]
INSTALL sound/usb/usx2y/snd-usb-usx2y.ko
if [ -r System.map -a -x /sbin/depmod ]; then /sbin/depmod -ae -F System.map -b
/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root -r 2.6.11-1.1290_FC4.jreiser; fi
WARNING: Couldn't open directory
/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root/lib/modules/2.6.11-1.1290_FC4.jreiser:
Permission denied
FATAL: Could not open
/var/tmp/kernel-2.6.11-1.1290_FC4.jreiser-root/lib/modules/2.6.11-1.1290_FC4.jreiser/modules.dep.temp
for writing: Permission denied
make: *** [_modinst_post] Error 1

/var/log/audit/auditd.log has:
type=KERNEL msg=audit(1115828840.789:0): avc:  denied  { write } for 
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.064:0): avc:  denied  { write } for 
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.064:0): avc:  denied  { write } for 
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.237:0): avc:  denied  { search } for  name=var
dev=hda4 ino=1663009 scontext=user_u:system_r:depmod_t
tcontext=system_u:object_r:var_t tclass=dir
type=KERNEL msg=audit(1115829017.237:0): avc:  denied  { search } for  name=var
dev=hda4 ino=1663009 scontext=user_u:system_r:depmod_t
tcontext=system_u:object_r:var_t tclass=dir

Build is being done as: $ id -Z
user_u:system_r:unconfined_t


So, the summary is: depmod doesn't work during kernel build as ordinary user
under targeted enforcing policy.
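
The denials in this thread all carry scontext depmod_t while `id -Z` for the build shell reports unconfined_t, which is what points to a domain transition when /sbin/depmod is executed. The following is an added example, not part of the original report or of any Fedora tool: it parses AVC records copied from the comments above and reports that mismatch; the function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# AVC records copied from the comments above (syslog form and auditd.log
# form), still wrapped across lines the way they were pasted.
SAMPLE = """\
Apr 21 17:52:33 mini kernel: audit(1114131153.055:0): avc:  denied  { search }
for  pid=1444 exe=/sbin/depmod name=linux-2.6.11 dev=hda4 ino=130573
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:default_t tclass=dir
type=KERNEL msg=audit(1115828840.789:0): avc:  denied  { write } for
path=/home/jreiser/rpmbuild/SPECS/rpm.out dev=hda4 ino=554590
scontext=user_u:system_r:depmod_t tcontext=user_u:object_r:user_home_t tclass=file
type=KERNEL msg=audit(1115829017.237:0): avc:  denied  { search } for  name=var
dev=hda4 ino=1663009 scontext=user_u:system_r:depmod_t
tcontext=system_u:object_r:var_t tclass=dir
"""

def parse_avc(log):
    """Return one dict per AVC denial; tolerates records wrapped across lines."""
    text = " ".join(log.split())              # undo the line wrapping
    records = []
    for chunk in re.split(r"(?=audit\(\d)", text):   # one chunk per audit(...) stamp
        denied = re.search(r"avc:\s*denied\s*\{([^}]*)\}", chunk)
        fields = dict(re.findall(r"(\w+)=(\S+)", chunk))
        if not denied or not {"scontext", "tcontext", "tclass"} <= fields.keys():
            continue
        records.append({
            "perms": tuple(denied.group(1).split()),
            "source": fields["scontext"].split(":")[2],   # type field of user:role:type
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "object": fields.get("path") or fields.get("name", "?"),
        })
    return records

def summarize(records, caller_context):
    """Count (source, target, class, perm) tuples and list source domains that
    differ from the caller's domain, i.e. denials raised after a transition."""
    caller = caller_context.split(":")[2]
    rules = Counter((r["source"], r["target"], r["tclass"], p)
                    for r in records for p in r["perms"])
    return rules, sorted({r["source"] for r in records} - {caller})

if __name__ == "__main__":
    rules, moved = summarize(parse_avc(SAMPLE), "user_u:system_r:unconfined_t")
    for rule, count in sorted(rules.items()):
        print(count, *rule)
    print("source domains other than the caller's:", moved)
```

An empty second result would mean the denials were raised in the caller's own domain rather than after a transition.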


Comment 17 Daniel Walsh 2005-05-12 14:38:16 UTC
Fixed in selinux-policy-1.23.15-5

