Bug 119208 - /usr/sbin/up2date needs to be rpm_exec_t
Summary: /usr/sbin/up2date needs to be rpm_exec_t
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy   
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords: SELinux
: 119538 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-03-26 13:29 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-08 13:37:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Aleksey Nogin 2004-03-26 13:29:06 UTC
Currently up2date can not run rpm scripts when in enforcing mode:

audit(1080298058.273:0): avc:  denied  { transition } for  pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Stephen Smalley wrote

> Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
> yum? 
[...]
> That should enable the transition from sysadm_t to
> rpm_t, which is a necessary precursor to transitioning to rpm_script_t.

Comment 1 Daniel Walsh 2004-03-26 15:35:55 UTC
Fixed in policy-1.9-18

Comment 2 Aleksey Nogin 2004-03-30 20:29:39 UTC
In the policy-sources-1.9.1-2 I see that the /usr/bin/up2date is
labeled rpm_script_t, but not the /usr/sbin one. If I understand this
correctly, it is the wrong one - the bin one should probably _not_ be
labeled this way, while the /usr/sbin one should be.

Comment 3 Daniel Walsh 2004-04-05 20:05:09 UTC
Yes this is fixed in 1.9.2-10 or so.  The fixes to up2date and
usermode should be in place by tomorrow.

Dan

Comment 4 Adrian Likins 2004-04-06 20:19:52 UTC
up2date-4.3.15 has this change

Comment 5 Aleksey Nogin 2004-04-09 04:23:17 UTC
*** Bug 119538 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.