Bug 119660
| Summary: | Should rpmbuild be allowed to read/etc/security/selinux/file_contexts? | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aleksey Nogin <aleksey> |
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | gczarcinski, jbj, pgraner |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-05-10 15:07:32 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in policy-1.9.2-2 I am allowing it. Might end up being a tunable. OK, this does not make sense ... policy 1.9.2-10 (with policy. renamed to policy.16). I have a local (private) rpm build tree. When I try to install a src.rpm package, rpm is trying to access file_contexts. Why is this necessary? It is trying to read the file context of the file that you are assigning. There should be a change in that policy to allow user to read that file. Dan Which version of policy has the fix. I am running 1.9.2-10 and it has the problem. My problem is not the original one (with rpmbuild) ... it is with rpm installing a src.rpm into a local/private build tree owned by a regular user. It dissappeared. I am adding it back in. Look for it tomorrow. Basically need r_dir_file($1_t, policy_config_t) in base_user_role inside the macro. OK, it looks like the problem reported here is fixed in polic 1.9.2-12 However, the effect appears to cause other problem which will be separately reported. |
rpmbuild tries reading /etc/security/selinux/file_contexts when it created the actual packages. If it is run from an unpriviledged role (as it is supposed to), that access would not be allowed: audit(1080795463.870:0): avc: denied { search } for pid=1483 exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir Should it be allowed?