Bug 361151
| Field | Value |
|---|---|
| Summary | SELinux deny actions to packagekitd |
| Product | Fedora |
| Reporter | William Caban <william> |
| Component | PackageKit |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | low |
| Priority | low |
| Version | 8 |
| CC | dwalsh, lmacken, mcepl, rob.townley |
| Keywords | Reopened |
| Hardware | i686 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2008-04-10 14:40:48 UTC |
Description
William Caban
2007-11-01 01:06:13 UTC
For what it's worth, here's a sample of the messages that I get running PK in 'permissive' mode:

Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc: denied { read } for pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file

(etc, etc)

It looks to me that packagekitd should be running in its own context, not dbus's. (packagekitd is started by dbus)

Dan said that this should be fixed with tonight's rawhide.

---

Created attachment 273301 [details]
Some more avc messages

It looks like I missed some avc messages in my first report to Dan. Here's the complete list, and a quick breakdown of what each one is:

o Packagekit creating and using the sqlite database files it needs at /var/lib/PackageKit/transactions.db

o Something about 'denied { getsched } for pid=23842 comm="packagekitd"'

o Running the yum 'helpers': 'denied { execute_no_trans } for pid=23848 comm="packagekitd" path="/usr/share/PackageKit/helpers/yum/get-updates.py"'
  (There are various other helper scripts in /usr/share/PackageKit/helpers, not just get-updates. Each one essentially runs yum to do different things.)

o Accessing the rpm db: denied { getattr } for pid=23848 comm="get-updates.py" path="/var/lib/rpm/__db.001"
  (This error occurs even with the updated policy. Is this because it is the helper script run by packagekitd instead of packagekitd itself accessing the rpm db?)

o Several other yum/RPM related actions run by the get-updates.py helper script. There are 15 or so other helper scripts that would want to have the same access, the get-updates one is just the one I happened to run.
---

packagekitd should be run as rpm_t, and should be labeled rpm_exec_t.

---

Fixed in selinux-policy-3.0.8-62.fc8

---

This appears to be fixed. Closing.

---

Hi Dan, PK now has a separate daemon process that handles the yum actions:

host=solitude.devel.redhat.com type=AVC msg=audit(1203689526.603:14): avc: denied { getsched } for pid=2765 comm="yumDBUSBackend." scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
host=solitude.devel.redhat.com type=SYSCALL msg=audit(1203689526.603:14): arch=40000003 syscall=155 success=yes exit=0 a0=acd a1=b7f7f8cc a2=4b3ff4 a3=b7f7f6c0 items=0 ppid=2764 pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yumDBUSBackend." exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

I gather this needs to be fixed in the same way as packagekitd was in comment #4.

---

What package contains yumDBUSBackend?

---

Hi Dan, sorry for the delay - it comes from PackageKit (the main package). The version in rawhide now doesn't use yumDBUSBackend yet, though.

---

What is the path? Need transition from system_dbusd_t->rpm_exec_t->rpm_t

---

When is it going to be in Rawhide?

---

The path is: /usr/libexec/yumDBUSBackend.py

It's already in rawhide, but is not the default backend - the default backend is currently still the old yum backend that we already have rules for. It might become the default backend during the beta, or we might stay with the current yum backend, it all depends on if the new backend is 'ready' or not.

---

Fixed in selinux-policy-3.3.1-22.fc9

---

Closing this, as I haven't seen any SELinux AVC denials lately. Thanks, Dan.
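As an added example (not part of this bug report, PackageKit or selinux-policy), a small Python check over AVC records like the ones quoted in the thread: it parses each denial and flags processes that are still running in the D-Bus daemon's domain although they are not dbus-daemon itself, which is the missing system_dbusd_t -> rpm_exec_t -> rpm_t transition Dan describes. The launcher-domain heuristic and the two extra sample records (a dbus-daemon denial and a post-fix packagekitd denial in rpm_t) are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the two complete AVC records quoted in this bug, plus two
# constructed records (a denial for dbus-daemon itself, and a post-fix
# packagekitd denial already in rpm_t) so the check has negative cases.
SAMPLE_AUDIT = """\
Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc: denied { read } for pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file
type=AVC msg=audit(1203689526.603:14): avc: denied { getsched } for pid=2765 comm="yumDBUSBackend." scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
type=AVC msg=audit(1203689600.000:20): avc: denied { read } for pid=4321 comm="dbus-daemon" name="example.conf" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1203689700.000:21): avc: denied { read } for pid=5555 comm="packagekitd" name="stat" dev=proc scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file
"""

Avc = namedtuple("Avc", "perms comm scontext tcontext tclass")
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one 'avc: denied' record into an Avc tuple; return None for other lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("fields"))}
    return Avc(tuple(m.group("perms").split()), fields.get("comm", ""),
               fields.get("scontext", ""), fields.get("tcontext", ""),
               fields.get("tclass", ""))

def domain(context):
    """Type component of a context string user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def missing_transitions(audit_text, launcher_domain="system_dbusd_t",
                        launcher_comms=("dbus-daemon",)):
    """Denials whose source domain is the launcher's, but whose comm is not the
    launcher itself: a program the launcher exec'd without a domain transition
    (the packagekitd / yumDBUSBackend situation in this bug). Heuristic only:
    it keys on comm, which a process can set for itself."""
    flagged = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and domain(rec.scontext) == launcher_domain and rec.comm not in launcher_comms:
            flagged.append(rec)
    return flagged

if __name__ == "__main__":
    for rec in missing_transitions(SAMPLE_AUDIT):
        print(f"{rec.comm} still runs as {domain(rec.scontext)}: "
              f"denied {{ {' '.join(rec.perms)} }} on {rec.tclass}")
```

Once the policy ships the transition, the same denials reappear with scontext rpm_t and are no longer flagged, which is a quick way to confirm the fix on a box that still logs denials in permissive mode.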