Bug 361151

Summary: SELinux deny actions to packagekitd
Product: Fedora
Reporter: William Caban <william>
Component: PackageKit
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
CC: dwalsh, lmacken, mcepl, rob.townley
Keywords: Reopened
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-04-10 14:40:48 UTC
Attachments: Some more avc messages

Description William Caban 2007-11-01 01:06:13 UTC
Description of problem:
SELinux is denying access from get-updates.py to any system files like:

/sbin/ldconfig
/var/lib/PackageKit/transactions.db
/var/lib/rpm/Packages
/var/cache/yum/utopia/porimary.xml.gz.sqlite
pipes
/var/lib/rpm
/var/cache/yum/fedora/cachecookie


Version-Release number of selected component (if applicable):

gnome-packagekit-0.1.2-0.215.20071030svn.fc7.hughsie
PackageKit-libs-0.1.2-0.278.20071030git.fc7.hughsie
PackageKit-0.1.2-0.278.20071030git.fc7.hughsie

How reproducible:

always

Steps to Reproduce:
1. just install it and let it run

Actual results:
SELinux denies any access to the system, so the result is that with SELinux fully
enabled this package does not function.

Comment 1 Robin Norwood 2007-11-20 17:26:02 UTC
For what it's worth, here's a sample of the messages that I get running PK in
'permissive' mode:

Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc:  denied  { read } for  pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file

(etc, etc)

It looks to me that packagekitd should be running in its own context, not
dbus's.  (packagekitd is started by dbus)

Comment 2 Luke Macken 2007-11-20 18:06:17 UTC
Dan said that this should be fixed with tonight's rawhide.

Comment 3 Robin Norwood 2007-11-29 20:36:48 UTC
Created attachment 273301 [details]
Some more avc messages

It looks like I missed some avc messages in my first report to Dan.  Here's the
complete list, and a quick breakdown of what each one is:

o Packagekit creating and using the sqlite database files it needs at
/var/lib/PackageKit/transactions.db

o Something about ' denied  { getsched } for  pid=23842 comm="packagekitd"'

o Running the yum 'helpers':
'denied  { execute_no_trans } for  pid=23848 comm="packagekitd"
path="/usr/share/PackageKit/helpers/yum/get-updates.py"'

(There are various other helper scripts in /usr/share/PackageKit/helpers, not
just get-updates.  Each one essentially runs yum to do different things.)

o Accessing the rpm db: 

denied  { getattr } for  pid=23848 comm="get-updates.py" path="/var/lib/rpm/__db.001"

(This error occurs even with the updated policy.  Is this because it is the
helper script run by packagekitd instead of packagekitd itself accessing the
rpm db?)

o Several other yum/RPM related actions run by the get-updates.py helper
script.  There are 15 or so other helper scripts that would want to have
the same access; the get-updates one is just the one I happened to run.

Comment 4 Daniel Walsh 2007-12-01 13:48:06 UTC
packagekitd should be run as rpm_t, and should be labeled rpm_exec_t.

Fixed in selinux-policy-3.0.8-62.fc8

Comment 5 Robin Norwood 2008-01-03 16:42:53 UTC
This appears to be fixed.  Closing.

Comment 6 Robin Norwood 2008-02-22 14:19:34 UTC
Hi Dan,

PK now has a separate daemon process that handles the yum actions:

host=solitude.devel.redhat.com type=AVC msg=audit(1203689526.603:14): avc:  denied  { getsched } for  pid=2765 comm="yumDBUSBackend." scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
host=solitude.devel.redhat.com type=SYSCALL msg=audit(1203689526.603:14): arch=40000003 syscall=155 success=yes exit=0 a0=acd a1=b7f7f8cc a2=4b3ff4 a3=b7f7f6c0 items=0 ppid=2764 pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yumDBUSBackend." exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

I gather this needs to be fixed in the same way as packagekitd was in comment #4.

Comment 7 Daniel Walsh 2008-02-22 14:45:17 UTC
What package contains yumDBUSBackend?

Comment 8 Robin Norwood 2008-03-03 15:38:14 UTC
Hi Dan, sorry for the delay - it comes from PackageKit (the main package).  The
version in rawhide now doesn't use yumDBUSBackend yet, though.


Comment 9 Daniel Walsh 2008-03-03 15:43:37 UTC
What is the path?

Need transition from system_dbusd_t->rpm_exec_t->rpm_t

When is it going to be in Rawhide?

Comment 10 Robin Norwood 2008-03-19 16:10:56 UTC
The path is: /usr/libexec/yumDBUSBackend.py

It's already in rawhide, but is not the default backend - the default backend is
currently still the old yum backend that we already have rules for.  It might
become the default backend during the beta, or we might stay with the current
yum backend; it all depends on whether the new backend is 'ready' or not.
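The denials quoted in comments 1, 3 and 6 all share one symptom: a D-Bus-activated process (packagekitd, later yumDBUSBackend.py) shows up with scontext system_dbusd_t, i.e. it inherited the domain of the daemon that spawned it instead of the rpm_t domain Dan names in comment 4, and comment 9 states the missing piece as a transition system_dbusd_t -> rpm_exec_t -> rpm_t. The script below is an added triage example, not code from this bug or from the PackageKit or selinux-policy projects: it parses AVC records in the two shapes quoted on the page (syslog-style and auditd-style), skips the accompanying SYSCALL record, groups the denials by source domain, target type and class, flags processes that are not running in their expected domain, and prints the reference-policy lines that such a transition needs. The log text is a constructed sample assembled from the records on the page (the tcontext on the execute_no_trans record is a constructed value, since comment 3 omits it); the expected-domain table, the helper names and the path /usr/libexec/yumDBUSBackend.py from comment 10 are assumptions for the illustration, and the exact rules Fedora shipped in selinux-policy-3.0.8-62.fc8 and 3.3.1-22.fc9 are not on the page.

```python
"""Triage SELinux AVC denials of the kind reported in this bug.

Parses syslog- and auditd-style AVC records, groups them by
(source domain, target type, class) and flags a process that is running
in the domain of whatever launched it (here: a D-Bus-activated daemon
stuck in system_dbusd_t) instead of its own confined domain.
"""
import re
from collections import defaultdict

# Constructed sample log: record shapes follow comments 1, 3 and 6 of the bug.
# The tcontext on the execute_no_trans line is a constructed value (the bug
# report omits it). Note that the kernel truncates comm to 15 characters,
# which is why yumDBUSBackend.py appears as "yumDBUSBackend.".
SAMPLE_LOG = """\
Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc:  denied  { read } for  pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file
type=AVC msg=audit(1203689526.603:14): avc:  denied  { getsched } for  pid=2765 comm="yumDBUSBackend." scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
type=SYSCALL msg=audit(1203689526.603:14): arch=40000003 syscall=155 success=yes exit=0 ppid=2764 pid=2765 uid=0 comm="yumDBUSBackend." exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0
type=AVC msg=audit(1203689526.700:15): avc:  denied  { execute_no_trans } for  pid=23848 comm="packagekitd" path="/usr/share/PackageKit/helpers/yum/get-updates.py" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# Assumed mapping (from comments 4 and 9): both daemons are meant to run as rpm_t.
# Keys must use the truncated comm value the kernel logs.
EXPECTED_DOMAIN = {"packagekitd": "rpm_t", "yumDBUSBackend.": "rpm_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def domain_of(context):
    """Return the type field of a security context (user:role:type:level)."""
    return context.split(":")[2] if context else None


def parse_avc(line):
    """Parse one AVC denial; return None for non-AVC lines such as SYSCALL."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": tuple(sorted(m.group("perms").split())),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "target": fields.get("path") or fields.get("name"),
    }


def parse_log(text):
    """All AVC records in a log, in order; other record types are dropped."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def group_denials(records):
    """Group denials by (source domain, target type, class) -> permissions."""
    groups = defaultdict(set)
    for r in records:
        key = (domain_of(r["scontext"]), domain_of(r["tcontext"]), r["tclass"])
        groups[key].update(r["perms"])
    return dict(groups)


def find_wrong_domain(records, expected):
    """Map comm -> (actual domain, expected domain) for misplaced processes.

    A hit means the process kept its launcher's domain instead of transitioning.
    """
    wrong = {}
    for r in records:
        want = expected.get(r["comm"])
        actual = domain_of(r["scontext"])
        if want and actual != want:
            wrong[r["comm"]] = (actual, want)
    return wrong


def transition_rules(launcher, entry_path, entry_type, target):
    """Reference-policy lines for launcher -> entry_type -> target.

    domtrans_pattern() and gen_context() are real refpolicy macros; the file
    context line labels the entry point, the .te line allows the transition.
    """
    fc = "%s -- gen_context(system_u:object_r:%s,s0)" % (re.escape(entry_path), entry_type)
    te = "domtrans_pattern(%s, %s, %s)" % (launcher, entry_type, target)
    return [fc, te]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, tgt, cls), perms in group_denials(recs).items():
        print("%s -> %s (%s): %s" % (src, tgt, cls, " ".join(sorted(perms))))
    for comm, (actual, want) in find_wrong_domain(recs, EXPECTED_DOMAIN).items():
        print("%s runs as %s, expected %s" % (comm, actual, want))
    for line in transition_rules("system_dbusd_t", "/usr/libexec/yumDBUSBackend.py",
                                 "rpm_exec_t", "rpm_t"):
        print(line)
```

Running it on the sample prints the three grouped denials, reports both daemons as running in system_dbusd_t instead of rpm_t, and emits the file-context and domtrans_pattern lines for the yumDBUSBackend.py path. The grouping is the part worth keeping in a real triage: a long run of distinct file denials from one source domain against unrelated targets (rpm database, yum cache, /sbin/ldconfig, pipes, as in the original description) is the signature of a process in the wrong domain, and the fix is a transition rule, not a pile of allow rules for system_dbusd_t.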

Comment 11 Daniel Walsh 2008-03-19 19:21:32 UTC
Fixed in selinux-policy-3.3.1-22.fc9

Comment 12 Robin Norwood 2008-04-10 14:40:48 UTC
Closing this, as I haven't seen any SELinux AVC denials lately.  Thanks, Dan.