Bug 129697

Summary: switchExecType doesn't handle MLS component of security context
Product: [Fedora] Fedora
Reporter: Chad Hanson <chanson>
Component: rpm
Assignee: Jeff Johnson <jbj>
Status: CLOSED RAWHIDE
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh, nobody+pnasrat
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-11-14 04:55:50 UTC
Attachments: Fix for MLS bug (flags: none)

Description Chad Hanson 2004-08-11 21:00:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AT&T 
CSM6.0)

Description of problem:
switchExecType() (lib/psm.c) simply strips the value after the last : 
in the security context and replaces it with the new type. This 
breaks when MLS is enabled since the MLS range is the fourth element of 
the security context. Thus the code replaces a part or the entire MLS 
range with a new domain.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Run rpm on a SELinux system with MLS enabled.

Additional info:

Comment 2 Chad Hanson 2004-08-26 17:15:36 UTC
Created attachment 103127 [details]
Fix for MLS bug

Comment 3 Chad Hanson 2004-08-26 17:17:58 UTC
With the mls.patch applied, rpm will always run scriptlets in the 
correct security context regardless of whether MLS is enabled or not.

Please apply.

  rpm-4.3.2/lib/psm.c |   23 ++++++++++++++++++++---
  1 files changed, 20 insertions(+), 3 deletions(-)



Comment 4 Jeff Johnson 2004-11-14 04:55:50 UTC
Fixed by using rpm_execcon, an execve clone, from libselinux
in rpm-4.3.3-1.
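
The failure mode from the Description, as an added example that is neither rpm's code nor the attached patch (the shipped fix used rpm_execcon, per Comment 4). It puts the last-colon replacement beside a field-aware one; the function names and the sample contexts and types (`rpm_t`, `rpm_script_t`, `s0-s15:c0.c1023`) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour described in the report: everything after the LAST ':' is
 * replaced with the new type. Returns 0 on success, -1 on error. */
int swap_type_last_colon(const char *ctx, const char *type, char *out, size_t n)
{
    const char *last = strrchr(ctx, ':');
    if (last == NULL)
        return -1;
    int w = snprintf(out, n, "%.*s:%s", (int)(last - ctx), ctx, type);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;   /* reject truncation */
}

/* Field-aware variant: the type is always the third field of
 * user:role:type[:range], so replace only that field and keep any
 * MLS range (which may itself contain ':') untouched. */
int swap_type_field(const char *ctx, const char *type, char *out, size_t n)
{
    const char *c1 = strchr(ctx, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (c2 == NULL)
        return -1;                               /* fewer than three fields */
    const char *rest = strchr(c2 + 1, ':');      /* NULL when no MLS range */
    int w = snprintf(out, n, "%.*s%s%s",
                     (int)(c2 + 1 - ctx), ctx, type, rest ? rest : "");
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample contexts: without MLS, with a level, with a range. */
    const char *samples[] = {
        "system_u:system_r:rpm_t",
        "system_u:system_r:rpm_t:s0",
        "system_u:system_r:rpm_t:s0-s15:c0.c1023",
    };
    char a[128], b[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (swap_type_last_colon(samples[i], "rpm_script_t", a, sizeof a) != 0 ||
            swap_type_field(samples[i], "rpm_script_t", b, sizeof b) != 0)
            return 1;
        printf("%-42s last-colon: %-46s field: %s\n", samples[i], a, b);
    }
    return 0;
}
```

Only the three-field context comes out the same from both functions; with an MLS component present, the last-colon version leaves the old type in place and overwrites part or all of the range.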