Bug 119660 - Should rpmbuild be allowed to read /etc/security/selinux/file_contexts?
Summary: Should rpmbuild be allowed to read /etc/security/selinux/file_contexts?
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2004-04-01 06:09 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-05-10 15:07:32 UTC
Type: ---
Embargoed:



Description Aleksey Nogin 2004-04-01 06:09:18 UTC
rpmbuild tries reading /etc/security/selinux/file_contexts when it
creates the actual packages. If it is run from an unprivileged role
(as it is supposed to be), that access would not be allowed:

audit(1080795463.870:0): avc:  denied  { search } for  pid=1483
exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021
scontext=aleksey:staff_r:staff_t
tcontext=system_u:object_r:policy_config_t tclass=dir

Should it be allowed?

Comment 1 Daniel Walsh 2004-04-01 18:39:02 UTC
Fixed in policy-1.9.2-2

I am allowing it.  Might end up being a tunable.


Comment 2 Gene Czarcinski 2004-04-05 15:01:21 UTC
OK, this does not make sense ... policy 1.9.2-10 (with policy. renamed
to policy.16).

I have a local (private) rpm build tree.  When I try to install a
src.rpm package, rpm is trying to access file_contexts.  Why is this
necessary?

Comment 3 Daniel Walsh 2004-04-05 18:21:14 UTC
It is trying to read the file context of the file that you are
assigning.  There should be a change in that policy to allow users to
read that file.

Dan

Comment 4 Gene Czarcinski 2004-04-05 19:50:52 UTC
Which version of policy has the fix?  I am running 1.9.2-10 and it has
the problem.

My problem is not the original one (with rpmbuild) ... it is with rpm
installing a src.rpm into a local/private build tree owned by a
regular user.

Comment 5 Daniel Walsh 2004-04-05 20:06:40 UTC
It disappeared.  I am adding it back in.

Look for it tomorrow.

Basically need

r_dir_file($1_t, policy_config_t) 

in base_user_role inside the macro.
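As an added illustration (not part of the bug report or the Fedora policy sources), the following script parses the AVC denial quoted in the description, derives the minimal allow rule it asks for, and checks whether the r_dir_file() macro named above would cover it. The expansion of r_dir_file() into r_dir_perms/r_file_perms is an assumption about the policy macros of that era, not taken from this page.

```python
import re

# AVC denial line quoted in the bug description (joined onto one line).
AVC_LINE = ("audit(1080795463.870:0): avc:  denied  { search } for  pid=1483 "
            "exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021 "
            "scontext=aleksey:staff_r:staff_t "
            "tcontext=system_u:object_r:policy_config_t tclass=dir")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# Assumed expansion of the old r_dir_file() macro: read-only permission
# sets for directories and files (r_dir_perms / r_file_perms).
R_DIR_PERMS = {"read", "getattr", "lock", "search", "ioctl"}
R_FILE_PERMS = {"read", "getattr", "lock", "ioctl"}


def parse_avc(line):
    """Return (source_type, target_type, tclass, denied_perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group("scontext").split(":")[2]   # user:role:type -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def r_dir_file(source, target):
    """Expand r_dir_file(source, target) into {(src, tgt, class): perms}."""
    return {(source, target, "dir"): set(R_DIR_PERMS),
            (source, target, "file"): set(R_FILE_PERMS)}


def is_covered(denial, rules):
    """True if every denied permission is granted by the given rule set."""
    stype, ttype, tclass, perms = denial
    return perms <= rules.get((stype, ttype, tclass), set())


def minimal_allow(denial):
    """The narrowest allow rule that would silence this denial."""
    stype, ttype, tclass, perms = denial
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


if __name__ == "__main__":
    d = parse_avc(AVC_LINE)
    print(minimal_allow(d))
    print("covered by r_dir_file:", is_covered(d, r_dir_file("staff_t", "policy_config_t")))
```

Comparing the minimal rule against the macro expansion shows why r_dir_file() for $1_t (here staff_t) on policy_config_t is enough for the denial in the report.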



Comment 6 Gene Czarcinski 2004-04-06 13:47:18 UTC
OK, it looks like the problem reported here is fixed in policy 1.9.2-12

However, the effect appears to cause other problems which will be
separately reported.

