Currently up2date can not run rpm scripts when in enforcing mode:

audit(1080298058.273:0): avc: denied { transition } for pid=3821 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Stephen Smalley wrote
> Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
> yum? [...]
> That should enable the transition from sysadm_t to
> rpm_t, which is a necessary precursor to transitioning to rpm_script_t.
Fixed in policy-1.9-18
In the policy-sources-1.9.1-2 I see that the /usr/bin/up2date is labeled rpm_script_t, but not the /usr/sbin one. If I understand this correctly, it is the wrong one - the bin one should probably _not_ be labeled this way, while the /usr/sbin one should be.
Yes this is fixed in 1.9.2-10 or so. The fixes to up2date and usermode should be in place by tomorrow.
Dan
up2date-4.3.15 has this change
*** Bug 119538 has been marked as a duplicate of this bug. ***
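
Added example (not part of the original report or of any Red Hat tooling): a small Python parser that reads the AVC denial from the first comment and, using the domain chain Stephen Smalley describes (sysadm_t to rpm_t to rpm_script_t), reports which intermediate domain the process never entered. The function names and the EXPECTED_CHAIN list are assumptions made for illustration.

```python
import re

# Denial copied from the first comment of this report.
SAMPLE = ("audit(1080298058.273:0): avc: denied { transition } for pid=3821 "
          "exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 "
          "scontext=aleksey:sysadm_r:sysadm_t "
          "tcontext=aleksey:sysadm_r:rpm_script_t tclass=process")

# Domain chain as described in Stephen Smalley's quoted reply (assumed list form).
EXPECTED_CHAIN = ["sysadm_t", "rpm_t", "rpm_script_t"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    rec = {"perms": m.group(1).split(), "tclass": fields.get("tclass"),
           "exe": fields.get("exe"), "path": fields.get("path")}
    for key, name in (("scontext", "source"), ("tcontext", "target")):
        parts = fields.get(key, "").split(":")
        if len(parts) < 3:  # a context needs at least user:role:type
            return None
        rec[name] = {"user": parts[0], "role": parts[1], "type": parts[2]}
    return rec


def skipped_domains(rec, chain=EXPECTED_CHAIN):
    """For a denied process transition, list chain domains between source and target."""
    if rec["tclass"] != "process" or "transition" not in rec["perms"]:
        return []
    src, tgt = rec["source"]["type"], rec["target"]["type"]
    if src not in chain or tgt not in chain:
        return []
    return chain[chain.index(src) + 1:chain.index(tgt)]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE)
    print(rec["source"]["type"], "->", rec["target"]["type"], "denied", rec["perms"])
    print("intermediate domain(s) not entered:", skipped_domains(rec))
```

A non-empty result from skipped_domains points at a missing entrypoint label (here, the executable that should carry rpm_exec_t) rather than at a missing allow rule for the direct transition.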