Bug 119208 - /usr/sbin/up2date needs to be rpm_exec_t
/usr/sbin/up2date needs to be rpm_exec_t
Product: Fedora
Classification: Fedora
Component: policy (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
: SELinux
: 119538 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2004-03-26 08:29 EST by Aleksey Nogin
Modified: 2007-11-30 17:10 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-08 09:37:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Aleksey Nogin 2004-03-26 08:29:06 EST
Currently up2date can not run rpm scripts when in enforcing mode:

audit(1080298058.273:0): avc:  denied  { transition } for  pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Stephen Smalley wrote

> Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
> yum? 
> That should enable the transition from sysadm_t to
> rpm_t, which is a necessary precursor to transitioning to rpm_script_t.
Comment 1 Daniel Walsh 2004-03-26 10:35:55 EST
Fixed in policy-1.9-18
Comment 2 Aleksey Nogin 2004-03-30 15:29:39 EST
In the policy-sources-1.9.1-2 I see that the /usr/bin/up2date is
labeled rpm_script_t, but not the /usr/sbin one. If I understand this
correctly, it is the wrong one - the bin one should probably _not_ be
labeled this way, while the /usr/sbin one should be.
Comment 3 Daniel Walsh 2004-04-05 16:05:09 EDT
Yes this is fixed in 1.9.2-10 or so.  The fixes to up2date and
usermode should be in place by tomorrow.

Comment 4 Adrian Likins 2004-04-06 16:19:52 EDT
up2date-4.3.15 has this change
Comment 5 Aleksey Nogin 2004-04-09 00:23:17 EDT
*** Bug 119538 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.