Was also about to open a bug for dracut-install when running SELinux in
enforcing mode, when I saw this one that looked eerily similar.
My scenario here doesn’t involve any chroot, it’s just a straight box running
SEL enforced and with unattended upgrades enabled. As and when a new kernel
comes in, the unattended-upgrades-dpkg.log shows another one of these lines for
every kernel module being copied:
cp: preserving permissions for
'/var/tmp/mkinitramfs_DK9EQh/lib/modules/6/12/94+deb13-amd64/kernel/drivers/scsi/scsi_mod.ko.xz':
Permission denied
dracut-install: ERROR: 'cp --reflink=auto --sparse=auto
--preserve=mode,xattr,timestamps.ownership -fL
/lib/modules/6/12/94+deb13-amd64/kernel/drivers/scsi/scsi_mod.ko.xz' ERROR
The same errors will also appear if you install a new kernel interactively
without doing a setenforce 0 first (but we don't have a capture of those 😊). The
module files themselves are successfully copied, but as the error suggests not
all of the attributes might be preserved. It doesn't *seem* to have caused any
problems so far, but you never know...
Grepping through the audit log for the corresponding cp command comes up with
the following type enforcement rule, basically saying dracut (as bootloader_t)
needs setattr privs on kernel modules (modules_object_t) in addition to the
read/write/etc. privs it already has:
grep -I cp /var/log/audit/audit.log*|audit2allow
#============ bootloader_t ============
allow bootloader_t modules_object_t:file setattr;
As a workaround for the time being I'm adding the above TE config to a custom
SEL module to permit this behaviour (basically an expanded version of the
above):
grep -I cp /var/log/audit/audit.log*|audit2allow -m dracut_xattr
module dracut_xattr 1.0;
require {
type modules_object_t;
type bootloader_t;
class file setattr;
}
#============ bootloader_t ============
allow bootloader_t modules_object_t:file setattr;
I dare say that setting DRACUT_NO_XATTR=1 will also function as a workaround
for this, but IME the correct fix is to make sure that the type enforcement to
allow setattr on modules is added to the base SELinux policy for dracut.
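An added illustration, not part of the report or of dracut/audit2allow: a small Python script that parses constructed AVC denial lines of the kind described above and renders the same narrow allow rule and module skeleton that `audit2allow -m dracut_xattr` produced. It goes slightly beyond the report by filtering on the `comm=` field instead of grepping for "cp", so unrelated denials (a `scp` denial in the sample) are not swept into the module.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the report) modelling the denial it
# describes: cp running as bootloader_t is refused setattr on modules_object_t files.
# The third line is an unrelated denial whose comm also contains "cp".
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { setattr } for  pid=1234 comm="cp" name="scsi_mod.ko.xz" dev="dm-0" ino=12345 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { setattr } for  pid=1234 comm="cp" name="sd_mod.ko.xz" dev="dm-0" ino=12346 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.200:458): avc:  denied  { write } for  pid=999 comm="scp" name="notes.txt" dev="dm-0" ino=777 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)'
)

def parse_denials(log_text, comm=None):
    """Map (source type, target type, class) -> set of denied permissions.

    Filtering on the comm= field is narrower than 'grep cp', which also
    matches e.g. comm="scp" and would pull unrelated denials into the module.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m["comm"] != comm):
            continue
        rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def _perms(perms):
    # audit2allow writes a lone permission bare and several inside braces
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def render_module(name, rules, version="1.0"):
    """Render a .te module in the shape audit2allow -m produces."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {tt}:{cls} {_perms(p)};" for (s, tt, cls), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("dracut_xattr", parse_denials(SAMPLE_AUDIT, comm="cp")))
```

Review the rendered rule before loading it with semodule: it should name only the one permission and the one class the denial reported.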