Bug 119660 - Should rpmbuild be allowed to read /etc/security/selinux/file_contexts?
Product: Fedora
Classification: Fedora
Component: policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
: SELinux
Reported: 2004-04-01 01:09 EST by Aleksey Nogin
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-05-10 11:07:32 EDT
Description Aleksey Nogin 2004-04-01 01:09:18 EST
rpmbuild tries reading /etc/security/selinux/file_contexts when it
creates the actual packages. If it is run from an unprivileged role
(as it is supposed to), that access would not be allowed:

audit(1080795463.870:0): avc:  denied  { search } for  pid=1483
exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021
tcontext=system_u:object_r:policy_config_t tclass=dir

Should it be allowed?
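
An added example, not part of the bug report or of the policy package: a small Python parser for the AVC denial quoted in the description above, extracting the denied permission, target type and object class needed to triage it. The function names are hypothetical, and because the record as posted has no scontext= field, the parser reports the source type as missing rather than guessing it.

```python
import re
from datetime import datetime, timezone

# The denial quoted in the description above, joined onto one line.
# It carries no scontext= field, so the parser must tolerate that.
SAMPLE = (
    "audit(1080795463.870:0): avc:  denied  { search } for  pid=1483 "
    "exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021 "
    "tcontext=system_u:object_r:policy_config_t tclass=dir"
)

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Everything after "for" is whitespace-separated key=value pairs.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec = {
        "time": datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "fields": fields,
        "tclass": fields.get("tclass"),
        "source_type": None,
        "target_type": None,
    }
    # A context is user:role:type, optionally followed by an MLS range.
    for key, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        parts = fields.get(key, "").split(":")
        if len(parts) >= 3:
            rec[out] = parts[2]
    return rec

def summarize(rec):
    """One-line triage summary: who was denied what on which object type."""
    src = rec["source_type"] or "<no scontext in record>"
    return "%s: %s { %s } on %s:%s (name=%s)" % (
        rec["result"], src, " ".join(rec["perms"]),
        rec["target_type"], rec["tclass"], rec["fields"].get("name"))

if __name__ == "__main__":
    print(summarize(parse_avc(SAMPLE)))
```
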
Comment 1 Daniel Walsh 2004-04-01 13:39:02 EST
Fixed in policy-1.9.2-2

I am allowing it.  Might end up being a tunable.
Comment 2 Gene Czarcinski 2004-04-05 11:01:21 EDT
OK, this does not make sense ... policy 1.9.2-10 (with policy. renamed
to policy.16).

I have a local (private) rpm build tree.  When I try to install a
src.rpm package, rpm is trying to access file_contexts.  Why is this
Comment 3 Daniel Walsh 2004-04-05 14:21:14 EDT
It is trying to read the file context of the file that you are
assigning.  There should be a change in that policy to allow user to
read that file.

Comment 4 Gene Czarcinski 2004-04-05 15:50:52 EDT
Which version of policy has the fix?  I am running 1.9.2-10 and it has
the problem.

My problem is not the original one (with rpmbuild) ... it is with rpm
installing a src.rpm into a local/private build tree owned by a
regular user.
Comment 5 Daniel Walsh 2004-04-05 16:06:40 EDT
It disappeared.  I am adding it back in.

Look for it tomorrow.

Basically need

r_dir_file($1_t, policy_config_t) 

in base_user_role inside the macro.

Comment 6 Gene Czarcinski 2004-04-06 09:47:18 EDT
OK, it looks like the problem reported here is fixed in policy 1.9.2-12.

However, the effect appears to cause other problems which will be
separately reported.
