rpmbuild tries reading /etc/security/selinux/file_contexts when it creates the actual packages. If it is run from an unprivileged role (as it is supposed to be), that access would not be allowed:
audit(1080795463.870:0): avc: denied { search } for pid=1483 exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021 scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:policy_config_t tclass=dir
Should it be allowed?
Fixed in policy-1.9.2-2. I am allowing it. Might end up being a tunable.
OK, this does not make sense ... policy 1.9.2-10 (with policy. renamed to policy.16). I have a local (private) rpm build tree. When I try to install a src.rpm package, rpm is trying to access file_contexts. Why is this necessary?
It is trying to read the file context of the file that you are assigning. There should be a change in that policy to allow the user to read that file. Dan
Which version of policy has the fix? I am running 1.9.2-10 and it has the problem. My problem is not the original one (with rpmbuild) ... it is with rpm installing a src.rpm into a local/private build tree owned by a regular user.
It disappeared. I am adding it back in. Look for it tomorrow. Basically need r_dir_file($1_t, policy_config_t) in base_user_role inside the macro.
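Added example (not code from the bug report or from the policy package): a small parser for the AVC denial quoted in the first comment that derives the minimal allow rule the denial asks for, and checks whether the r_dir_file($1_t, policy_config_t) call mentioned above covers it for staff_t. The permission set of r_dir_perms is assumed from the old example-policy macros.

```python
import re

# AVC denial as quoted in the first comment of this report.
AVC_LINE = ("audit(1080795463.870:0): avc: denied { search } for pid=1483 "
            "exe=/usr/lib/rpm/rpmb name=selinux dev=hda2 ino=3712021 "
            "scontext=aleksey:staff_r:staff_t "
            "tcontext=system_u:object_r:policy_config_t tclass=dir")

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")


def parse_avc(line):
    """Return (source type, target type, object class, denied permissions)."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    # Contexts are user:role:type; the TE rule only cares about the type.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())


def allow_rule(line):
    """Minimal TE allow rule that would silence exactly this denial."""
    stype, ttype, tclass, perms = parse_avc(line)
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


# Assumed expansion of r_dir_perms in the old example policy macros:
# r_dir_file(src, tgt) grants these on tgt:dir (plus read perms on files).
R_DIR_PERMS = {"read", "getattr", "lock", "search", "ioctl"}


def covered_by_r_dir_file(line, macro_args):
    """True if r_dir_file(*macro_args) would grant everything this denial lacks."""
    stype, ttype, tclass, perms = parse_avc(line)
    return (macro_args == (stype, ttype) and tclass == "dir"
            and perms <= R_DIR_PERMS)


if __name__ == "__main__":
    print(allow_rule(AVC_LINE))
    print(covered_by_r_dir_file(AVC_LINE, ("staff_t", "policy_config_t")))
```

For the staff role, $1_t expands to staff_t, so the macro call covers the search denial; a denial on a different role's type (e.g. user_t) would need its own expansion.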
OK, it looks like the problem reported here is fixed in policy 1.9.2-12. However, the effect appears to cause other problems, which will be separately reported.