Bug 119208 - /usr/sbin/up2date needs to be rpm_exec_t
Summary: /usr/sbin/up2date needs to be rpm_exec_t
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Keywords: SELinux
: 119538 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2004-03-26 13:29 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Clone Of:
Last Closed: 2004-04-08 13:37:31 UTC

Attachments (Terms of Use)

Description Aleksey Nogin 2004-03-26 13:29:06 UTC
Currently up2date can not run rpm scripts when in enforcing mode:

audit(1080298058.273:0): avc:  denied  { transition } for  pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Stephen Smalley wrote

> Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
> yum? 
> That should enable the transition from sysadm_t to
> rpm_t, which is a necessary precursor to transitioning to rpm_script_t.

Comment 1 Daniel Walsh 2004-03-26 15:35:55 UTC
Fixed in policy-1.9-18

Comment 2 Aleksey Nogin 2004-03-30 20:29:39 UTC
In the policy-sources-1.9.1-2 I see that the /usr/bin/up2date is
labeled rpm_script_t, but not the /usr/sbin one. If I understand this
correctly, it is the wrong one - the bin one should probably _not_ be
labeled this way, while the /usr/sbin one should be.

Comment 3 Daniel Walsh 2004-04-05 20:05:09 UTC
Yes this is fixed in 1.9.2-10 or so.  The fixes to up2date and
usermode should be in place by tomorrow.


Comment 4 Adrian Likins 2004-04-06 20:19:52 UTC
up2date-4.3.15 has this change

Comment 5 Aleksey Nogin 2004-04-09 04:23:17 UTC
*** Bug 119538 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.