119507 – [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /bin/rpm be rpm_exec_t

Bug 119507 - [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /bin/rpm be rpm_exec_t

Summary: [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /b...

Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	policy (Show other bugs)
Sub Component:	(Show other bugs)
Version:	rawhide
Hardware:	All Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Keywords:	SELinux
Depends On:
Blocks:	FC2Blocker
TreeView+	depends on / blocked

Reported:	2004-03-30 23:31 UTC by Aleksey Nogin
Modified:	2007-11-30 22:10 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-04-07 11:40:04 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Aleksey Nogin 2004-03-30 23:31:55 UTC

After the most recent (post-FC2t2) updates to the policy package,
staff_r (and, I am guessing, user_r too) can not run rpm - even "rpm
-q" or "rpm -V". This is IMO wrong. 

If there is a desire to prohibit staff_r from running rpm_exec_t files
(which is probably a good idea), then the /usr/lib/rpm/rpmi should be
marked as rpm_exec_t, while /bin/rpm should become an ordinary bin_t
(and should then always call rpmi for actual rpm installs/upgrades).

Comment 1 Bill Nottingham 2004-03-31 02:39:36 UTC

Actually, *everyone* should be able to run rpm -q ; anything else
should be a tunable.

Comment 2 Daniel Walsh 2004-03-31 03:19:06 UTC

I am not seeing this.  What avc messages are you getting?

Dan

Comment 3 Aleksey Nogin 2004-03-31 03:41:08 UTC

That's the thing - I am not getting any, just the "Permission denied".

% rpm -q rpm
bash: /bin/rpm: Permission denied
% ls -l /bin/rpm
-rwxr-xr-x  1 rpm rpm 75760 ÐÐ°Ñ 16 09:10 /bin/rpm
% ls -lZ /bin/rpm
-rwxr-xr-x+ rpm      rpm      system_u:object_r:rpm_exec_t     /bin/rpm
% id -Z
aleksey:staff_r:staff_t
% ls -lZ /usr/bin/yum
-rwxr-xr-x+ root     root     system_u:object_r:rpm_exec_t    
/usr/bin/yum
% yum
bash: /usr/bin/yum: /usr/bin/python: bad interpreter: Permission denied
% sudo rpm -q policy-sources
policy-sources-1.9.1-2

Comment 4 Daniel Walsh 2004-03-31 03:46:14 UTC

Could you do a setenforce 0

Then execute the rpm -q command and see if you get any messages.

Are you on the #selinux chat room?

Dan

Comment 5 Aleksey Nogin 2004-03-31 04:35:59 UTC

security_compute_sid:  invalid context aleksey:staff_r:rpm_t for
scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:rpm_exec_t
tclass=process

Comment 6 Daniel Walsh 2004-03-31 05:11:32 UTC

For some reason you are attempting to transition to rpm_t.  You should
not be, for the staff user while not in unlimitedUsers.

Could you check to see if you have a domain_trans for staff_t to rpm_t?

Dan

Comment 7 Aleksey Nogin 2004-03-31 05:15:23 UTC

Ah, I do have unlimitedUsers set.

Comment 8 Daniel Walsh 2004-03-31 05:20:07 UTC

role staff_r types rpm_t;
If you want to run in unlimitedUsers you need to add the above line to
rpm.te where the transition code is.  I will fix this in the next
policy.  The unlimitedUsers role will be turned off in the next
policy, as we attempt to tighten up the security, in policy.

Comment 9 Aleksey Nogin 2004-03-31 05:34:41 UTC

OK, I brough my tunable.te closer to the one currently distributed
(including commenting out the unlimitedUsers) and the problem went
away. Thanks!

Comment 10 Daniel Walsh 2004-03-31 15:09:16 UTC

Fixed in policy-1.9.1-4

Note You need to log in before you can comment on or make changes to this bug.

TreeView+

- Top of page