Bug 526329
Summary: | abrt throws AVCs accessing /var/lib/rpm/..... | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux>
Component: | abrt | Assignee: | Jiri Moskovcak <jmoskovc>
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | rawhide | CC: | dfediuck, dvlasenk, dwalsh, jmoskovc, mnowak, npajkovs, zprikryl
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2009-10-01 13:27:49 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Tom London
2009-09-29 20:24:58 UTC
Why does abrt have to write file in /var/lib/rpm? I would like to lock down this domain as much as possible. I don't want it running rpm directly. I would rather have it only able to execute debuginfo-install and that is it. I do not have a problem with it running rpm to figure out what packages are installed. But if as a user I can get abrt to install stuff via crashing some apps, this concerns me.

Weird, as far as I know, abrt doesn't write anything directly to /var/lib/rpm, we use debuginfo-install for installing debuginfo rpms. We only use rpmlib directly to READ some info about package, certainly not for writing. rpmlib probably tries to create a lock file, but it should be allowed.

Jirka

I don't think it does. When you use the rpm python bindings it does an access check to see if the database is writable, which is causing the problem. I have this dontaudited in selinux-policy-3.6.32-16.fc12.noarch
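An added illustration, not part of the bug report, of how a policy maintainer can tell the writability probe discussed above from a genuine write: each AVC record is joined to the SYSCALL record with the same serial, and a denial raised by access(2)/faccessat(2) is a permission check rather than a write. The audit records below are constructed, and the abrt_t/rpm_var_lib_t type names and the x86_64 syscall numbers are assumptions made for the example.

```python
import re

# Constructed audit.log excerpt (not from the bug report); serials link AVC to SYSCALL records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1254255898.1:101): avc:  denied  { write } for  pid=2345 comm="abrtd" name="rpm" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1254255898.1:101): arch=c000003e syscall=21 success=no exit=-13 comm="abrtd"
type=AVC msg=audit(1254255899.2:102): avc:  denied  { read } for  pid=2345 comm="abrtd" name="Packages" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1254255899.2:102): arch=c000003e syscall=2 success=no exit=-13 comm="abrtd"
type=AVC msg=audit(1254255900.3:103): avc:  denied  { write } for  pid=2345 comm="abrtd" name="Packages" scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1254255900.3:103): arch=c000003e syscall=2 success=no exit=-13 comm="abrtd"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\w+)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*syscall=(?P<nr>\d+)")

# x86_64 numbers for access(2) and faccessat(2): probes that write nothing but still raise an AVC.
PROBE_SYSCALLS = {21, 269}
WRITE_PERMS = {"write", "add_name", "remove_name", "create", "unlink", "append", "setattr"}


def parse_audit(text):
    """Return one dict per AVC denial, joined to its SYSCALL record by serial."""
    syscalls = {m["serial"]: int(m["nr"]) for m in SYSCALL_RE.finditer(text)}
    events = []
    for m in AVC_RE.finditer(text):
        events.append({
            "serial": m["serial"],
            "stype": m["scon"].split(":")[2],   # source domain, e.g. abrt_t
            "ttype": m["tcon"].split(":")[2],   # target type, e.g. rpm_var_lib_t
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "syscall": syscalls.get(m["serial"]),
        })
    return events


def triage(events):
    """Map (source type, target type, class, perm) to a suggested handling of the denial."""
    verdicts = {}
    for ev in events:
        for perm in ev["perms"]:
            key = (ev["stype"], ev["ttype"], ev["tclass"], perm)
            if perm in WRITE_PERMS and ev["syscall"] in PROBE_SYSCALLS:
                verdicts[key] = "probe"              # writability check only: dontaudit candidate
            elif perm in WRITE_PERMS:
                verdicts[key] = "investigate"        # a genuine write was attempted and denied
            else:
                verdicts[key] = "allow-if-expected"  # read access, e.g. a package lookup
    return verdicts
```

Running triage(parse_audit(SAMPLE_AUDIT_LOG)) classifies the dir write from access(2) as a dontaudit candidate, the read as expected, and the file write through open(2) as something to investigate.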