Bug 119507 - [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /bin/rpm be rpm_exec_t
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
medium
high
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Blocks: FC2Blocker
Reported: 2004-03-30 23:31 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)

Last Closed: 2004-04-07 11:40:04 UTC

Description Aleksey Nogin 2004-03-30 23:31:55 UTC
After the most recent (post-FC2t2) updates to the policy package,
staff_r (and, I am guessing, user_r too) can not run rpm - even "rpm
-q" or "rpm -V". This is IMO wrong. 

If there is a desire to prohibit staff_r from running rpm_exec_t files
(which is probably a good idea), then the /usr/lib/rpm/rpmi should be
marked as rpm_exec_t, while /bin/rpm should become an ordinary bin_t
(and should then always call rpmi for actual rpm installs/upgrades).

Comment 1 Bill Nottingham 2004-03-31 02:39:36 UTC
Actually, *everyone* should be able to run rpm -q ; anything else
should be a tunable.

Comment 2 Daniel Walsh 2004-03-31 03:19:06 UTC
I am not seeing this.  What avc messages are you getting?

Dan

Comment 3 Aleksey Nogin 2004-03-31 03:41:08 UTC
That's the thing - I am not getting any, just the "Permission denied".

% rpm -q rpm
bash: /bin/rpm: Permission denied
% ls -l /bin/rpm
-rwxr-xr-x  1 rpm rpm 75760 Мар 16 09:10 /bin/rpm
% ls -lZ /bin/rpm
-rwxr-xr-x+ rpm      rpm      system_u:object_r:rpm_exec_t     /bin/rpm
% id -Z
aleksey:staff_r:staff_t
% ls -lZ /usr/bin/yum
-rwxr-xr-x+ root     root     system_u:object_r:rpm_exec_t     /usr/bin/yum
% yum
bash: /usr/bin/yum: /usr/bin/python: bad interpreter: Permission denied
% sudo rpm -q policy-sources
policy-sources-1.9.1-2

Comment 4 Daniel Walsh 2004-03-31 03:46:14 UTC
Could you do a setenforce 0?

Then execute the rpm -q command and see if you get any messages.

Are you on the #selinux chat room?

Dan

Comment 5 Aleksey Nogin 2004-03-31 04:35:59 UTC
security_compute_sid:  invalid context aleksey:staff_r:rpm_t for
scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:rpm_exec_t
tclass=process


Comment 6 Daniel Walsh 2004-03-31 05:11:32 UTC
For some reason you are attempting to transition to rpm_t.  You should
not be, for the staff user while not in unlimitedUsers.

Could you check to see if you have a domain_trans for staff_t to rpm_t?

Dan
 

Comment 7 Aleksey Nogin 2004-03-31 05:15:23 UTC
Ah, I do have unlimitedUsers set.

Comment 8 Daniel Walsh 2004-03-31 05:20:07 UTC
role staff_r types rpm_t;
If you want to run in unlimitedUsers you need to add the above line to
rpm.te where the transition code is.  I will fix this in the next
policy.  The unlimitedUsers role will be turned off in the next
policy, as we attempt to tighten up the security in policy.
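
The failure in Comment 5 and the fix in Comment 8, as an added example that is not part of the bug thread or of the Fedora policy sources: the computed context staff_r:rpm_t is rejected because no role statement authorizes rpm_t for staff_r. The policy fragments are constructed and the function names are hypothetical; only the role/type association is checked, not user/role authorization.

```python
import re

# Kernel message from Comment 5, joined onto one line.
MSG = ("security_compute_sid:  invalid context aleksey:staff_r:rpm_t for "
       "scontext=aleksey:staff_r:staff_t "
       "tcontext=system_u:object_r:rpm_exec_t tclass=process")

# Constructed policy fragments, not taken from the real rpm.te.
POLICY_BEFORE = """
role staff_r types staff_t;
role sysadm_r types { sysadm_t rpm_t };
"""
# Same policy with the line from Comment 8 appended.
POLICY_AFTER = POLICY_BEFORE + "role staff_r types rpm_t;\n"

INVALID_RE = re.compile(r"invalid context (\S+):(\S+):(\S+) for")
ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_invalid_context(msg):
    """Return (user, role, type) of the context the kernel rejected."""
    m = INVALID_RE.search(msg)
    if not m:
        raise ValueError("not a security_compute_sid invalid-context message")
    return m.groups()

def role_types(policy_text):
    """Map each role to the set of types its 'role ... types ...;' lines allow."""
    allowed = {}
    for role, types in ROLE_RE.findall(policy_text):
        allowed.setdefault(role, set()).update(types.strip("{}").split())
    return allowed

def missing_statement(msg, policy_text):
    """Return the role statement the rejected context needs, or None if present."""
    _user, role, typ = parse_invalid_context(msg)
    if typ in role_types(policy_text).get(role, set()):
        return None
    return f"role {role} types {typ};"

if __name__ == "__main__":
    print(missing_statement(MSG, POLICY_BEFORE))  # statement that is missing
    print(missing_statement(MSG, POLICY_AFTER))   # None once the line is added
```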

Comment 9 Aleksey Nogin 2004-03-31 05:34:41 UTC
OK, I brought my tunable.te closer to the one currently distributed
(including commenting out the unlimitedUsers) and the problem went
away. Thanks!

Comment 10 Daniel Walsh 2004-03-31 15:09:16 UTC
Fixed in policy-1.9.1-4

