Bug 213933

Summary: /usr/sbin/synaptic needs to be labeled as rpm_exec_t in targeted policy, too
Product: [Fedora] Fedora
Reporter: Gérard Milmeister <gemi>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: axel.thimm, extras-qa
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 17:08:33 UTC

Description Gérard Milmeister 2006-11-03 20:33:54 UTC
There is a problem when installing packages that have install scripts (%post).
Apparently SELinux prevents it from executing bash. Here is the audit log entry:

type=AVC msg=audit(1162117424.263:1705): avc:  denied  { transition } for  pid=16381 comm="synaptic" name="bash" dev=hda2 ino=65603 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process

With SELinux set to enforce, packages are thus not correctly installed.

Comment 1 Daniel Walsh 2006-11-06 15:34:16 UTC
What tool are you using to install?  It should be labeled rpm_exec_t to work
correctly?

You might have a labeling problem.

Comment 2 Gérard Milmeister 2006-11-06 15:46:36 UTC
Output of ll -Z:
-rwxr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/synaptic*

I also did /sbin/restorecon /usr/sbin/synaptic, but this didn't change anything.

Comment 3 Gérard Milmeister 2006-11-06 15:54:07 UTC
In the file_contexts policy file, there is an entry for synaptic for the strict
policy, but not for the targeted policy:
/usr/sbin/synaptic      --      system_u:object_r:apt_exec_t:s0


Comment 4 Daniel Walsh 2006-11-06 18:28:55 UTC
OK, on Fedora this needs to be labeled rpm_exec_t, since it is installing rpms.

I will change this in tonight's update.

Fixed in selinux-policy-2.4.3-1

Comment 5 Axel Thimm 2006-11-07 09:49:02 UTC
Thanks a lot, Dan!

Comment 6 Gérard Milmeister 2007-02-20 19:47:31 UTC
The policy specifies /usr/bin/synaptic which is linked to consolehelper.
Shouldn't it specify /usr/sbin/synaptic directly, or doesn't it matter?

Comment 7 Daniel Walsh 2007-02-20 21:51:04 UTC
Yes, it should be sbin. I will fix in next update.

Comment 8 Daniel Walsh 2007-09-12 17:08:33 UTC
Moving modified bugs to closed
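
Added example, not part of the bug thread or of selinux-policy: a simplified model of file_contexts lookup that shows why restorecon left /usr/sbin/synaptic as sbin_t (Comments 2 and 3) and why an entry for /usr/bin/synaptic does not label the sbin binary (Comment 6). The policy fragments, the generic /usr/sbin entry, the rpm_exec_t context on the /usr/bin entry and the function names are constructed assumptions, and the ordering rule (literal paths sorted after regex entries, last match wins) is a simplification of how libselinux resolves entries.

```python
import re

# Constructed file_contexts fragments (assumed, not copied from a shipped policy).
BASE = "/usr/sbin(/.*)?\t\tsystem_u:object_r:sbin_t:s0\n"
TARGETED_BEFORE = BASE  # no synaptic entry, as reported in Comment 3
TARGETED_BIN = BASE + "/usr/bin/synaptic\t--\tsystem_u:object_r:rpm_exec_t:s0\n"
TARGETED_SBIN = BASE + "/usr/sbin/synaptic\t--\tsystem_u:object_r:rpm_exec_t:s0\n"

META = set(".^$?*+|[({")  # characters that make a path spec a regex


def parse(text):
    """Return (regex, file-type flag or None, context) for each entry."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 2:
            specs.append((fields[0], None, fields[1]))
        elif len(fields) == 3:
            specs.append((fields[0], fields[1], fields[2]))
    # Simplified ordering: regex specs first, literal paths last (stable sort).
    specs.sort(key=lambda s: not (META & set(s[0])))
    return specs


def lookup(specs, path, ftype="--"):
    """Context the policy assigns to path; the last matching spec wins."""
    for regex, flag, context in reversed(specs):
        if flag in (None, ftype) and re.fullmatch(regex, path):
            return context
    return None


def relabel_changes(specs, path, current_type):
    """True if a restorecon-style relabel would change the file's type."""
    expected = lookup(specs, path)
    return expected is not None and expected.split(":")[2] != current_type


if __name__ == "__main__":
    for name, text in [("no entry", TARGETED_BEFORE),
                       ("/usr/bin entry", TARGETED_BIN),
                       ("/usr/sbin entry", TARGETED_SBIN)]:
        print(name, "->", lookup(parse(text), "/usr/sbin/synaptic"))
```
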