If I run rpm -qf /misc from the staff_r SELinux role, I get over 40 AVC messages in the log: ...

audit(1080728771.854:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.854:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.927:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/etc/security/selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.929:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/etc/security/selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir

Does rpmq really need to look at all these? Should some of it be allowed (e.g. by giving rpmq its own type)? I have rpm-4.3-0.22 and policy-sources-1.9.1-2.
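Forty-odd repeated AVC lines are hard to reason about by eye. The following is an added example, written for this page and not taken from the thread or from the rpm or policy packages: it parses records in the exact "audit(...): avc: denied { perm } for key=value ..." shape quoted above, counts distinct (source type, target type, object class, permission) tuples, and collapses them into audit2allow-style allow rules. The sample lines are constructed to mirror the ones in the question; the function names (parse_avc, summarize, allow_rules) are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the AVC lines quoted in the question
# (the old "audit(secs.usecs:serial):" prefix, one record per line). Not a real capture.
SAMPLE_AVC = """\
audit(1080728771.854:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.854:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.855:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/lib/modules dev=hda2 ino=3826369 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:modules_object_t tclass=dir
audit(1080728771.927:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc: denied { search } for pid=29778 exe=/usr/lib/rpm/rpmq name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
audit(1080728771.928:0): avc: denied { getattr } for pid=29778 exe=/usr/lib/rpm/rpmq path=/etc/security/selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return {'perms': [...], 'pid': ..., 'scontext': ..., ...}, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:  # ignore stray tokens that are not key=value
            rec[key] = value
    return rec


def type_of(context):
    """Extract the type (third field) from a user:role:type[:range] context string."""
    return context.split(":")[2]


def summarize(text):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        base = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        for perm in rec["perms"]:
            counts[base + (perm,)] += 1
    return counts


def allow_rules(counts):
    """Collapse the summary into one TE allow rule per (source, target, class),
    in the style audit2allow prints. Whether to grant these to staff_t, or to
    have rpmq run in its own domain instead, is a policy decision this summary
    cannot make for you; it only shows what is being asked for."""
    grouped = {}
    for (src, tgt, cls, perm) in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in grouped.items()
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_AVC)
    for key, n in sorted(summary.items()):
        print(f"{n:3d}  {key}")
    print("\n".join(allow_rules(summary)))
```

Run against the seven constructed lines, the whole set reduces to two rules (staff_t on modules_object_t:dir and on policy_config_t:dir, each needing only getattr and search). That is the useful output of the exercise: the denials are few and identical, so the question is not "which 40 things does rpmq want" but whether staff_t should be widened at all or rpmq should be confined in its own domain.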
There is a bug in the policy that allows you to partially transition to the rpm role. The latest policy, 1.9.1-4, turns off unlimitedUsers, which would eliminate this bug. It also puts the proper role transition code in place to allow staff_r to fully transition to the rpm_t role if you run with unlimitedUsers.
I am currently running w/o unlimitedUsers. And the other question still stands - does rpmq need to look at all this stuff? I am just asking it to tell me what package the /misc directory belongs to; why does it need to look at the selinux and kernel module directories to answer this question?
I am seeing none of these messages. rpm -q -f /misc gives me no errors.
This problem appears to be resolved.