Bug 119507 – [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /bin/rpm be rpm_exec_t

Bug 119507 - [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /bin/rpm be rpm_exec_t

Summary:	[unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /b...

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	policy (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Ben Levenson
Docs Contact:

URL:
Whiteboard:
Keywords:	SELinux

Depends On:
Blocks:	FC2Blocker
	Show dependency tree / graph

Reported:	2004-03-30 18:31 EST by Aleksey Nogin
Modified:	2007-11-30 17:10 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2004-04-07 07:40:04 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Aleksey Nogin 2004-03-30 18:31:55 EST

After the most recent (post-FC2t2) updates to the policy package,
staff_r (and, I am guessing, user_r too) can not run rpm - even "rpm
-q" or "rpm -V". This is IMO wrong. 

If there is a desire to prohibit staff_r from running rpm_exec_t files
(which is probably a good idea), then the /usr/lib/rpm/rpmi should be
marked as rpm_exec_t, while /bin/rpm should become an ordinary bin_t
(and should then always call rpmi for actual rpm installs/upgrades).

Comment 1 Bill Nottingham 2004-03-30 21:39:36 EST

Actually, *everyone* should be able to run rpm -q ; anything else
should be a tunable.

Comment 2 Daniel Walsh 2004-03-30 22:19:06 EST

I am not seeing this.  What avc messages are you getting?

Dan

Comment 3 Aleksey Nogin 2004-03-30 22:41:08 EST

That's the thing - I am not getting any, just the "Permission denied".

% rpm -q rpm
bash: /bin/rpm: Permission denied
% ls -l /bin/rpm
-rwxr-xr-x  1 rpm rpm 75760 ÐÐ°Ñ 16 09:10 /bin/rpm
% ls -lZ /bin/rpm
-rwxr-xr-x+ rpm      rpm      system_u:object_r:rpm_exec_t     /bin/rpm
% id -Z
aleksey:staff_r:staff_t
% ls -lZ /usr/bin/yum
-rwxr-xr-x+ root     root     system_u:object_r:rpm_exec_t    
/usr/bin/yum
% yum
bash: /usr/bin/yum: /usr/bin/python: bad interpreter: Permission denied
% sudo rpm -q policy-sources
policy-sources-1.9.1-2

Comment 4 Daniel Walsh 2004-03-30 22:46:14 EST

Could you do a setenforce 0

Then execute the rpm -q command and see if you get any messages.

Are you on the #selinux chat room?

Dan

Comment 5 Aleksey Nogin 2004-03-30 23:35:59 EST

security_compute_sid:  invalid context aleksey:staff_r:rpm_t for
scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:rpm_exec_t
tclass=process

Comment 6 Daniel Walsh 2004-03-31 00:11:32 EST

For some reason you are attempting to transition to rpm_t.  You should
not be, for the staff user while not in unlimitedUsers.

Could you check to see if you have a domain_trans for staff_t to rpm_t?

Dan

Comment 7 Aleksey Nogin 2004-03-31 00:15:23 EST

Ah, I do have unlimitedUsers set.

Comment 8 Daniel Walsh 2004-03-31 00:20:07 EST

role staff_r types rpm_t;
If you want to run in unlimitedUsers you need to add the above line to
rpm.te where the transition code is.  I will fix this in the next
policy.  The unlimitedUsers role will be turned off in the next
policy, as we attempt to tighten up the security, in policy.

Comment 9 Aleksey Nogin 2004-03-31 00:34:41 EST

OK, I brough my tunable.te closer to the one currently distributed
(including commenting out the unlimitedUsers) and the problem went
away. Thanks!

Comment 10 Daniel Walsh 2004-03-31 10:09:16 EST

Fixed in policy-1.9.1-4

Note You need to log in before you can comment on or make changes to this bug.