Description of problem:

This may be the same as https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120854 but I do not believe it is.

System FC2-T3 fresh everything install plus all updates from development as of 6 May.

I believe that I should be able to run up2date under the same conditions that I can run system-logviewer and this is not the case. The different situations are described below:

user_r
  - logviewer prompts for root's password, then runs
  - up2date prompts for root's password but then DOES NOT run

staff_r
  - logviewer prompts for staff-user's password and then runs
  - up2date prompts for staff-user's password and then DOES NOT run

sysadm_r
  - logviewer prompts for sysadm-user's password and then runs
  - up2date prompts for sysadm-user's password and then runs

Example of denied message in /var/log/messages:

May 7 05:19:12 hummer kernel: audit(1083921552.173:0): avc: denied { transition } for pid=3278 exe=/usr/sbin/userhelper path=/usr/sbin/up2date dev=hda6 ino=775144 scontext=czarcing:staff_r:staff_userhelper_t tcontext=czarcing:sysadm_r:rpm_t tclass=process

The sysadm/staff user is defined in /etc/security/selinux/src/policy/users the same as the example "jadmin". That is, when I login as the user I get staff_r but can switch to sysadm_r with the newrole command. However, because of the way things are working, I cannot start up2date from the menu .. only by using the newrole command to switch to sysadm_r and then invoking up2date from that command line.
Here is the output of "ps axZ" for various conditions:

4030 user_u:user_r:user_t                 /usr/bin/system-logviewer
4031 user_u:user_r:user_userhelper_t      /usr/sbin/userhelper -w system-lo
4033 root:sysadm_r:sysadm_t               python /usr/share/system-logviewe

3593 czarcing:staff_r:staff_t             /usr/bin/system-logviewer
3594 czarcing:staff_r:staff_userhelper_t  /usr/sbin/userhelper -w system-lo
3596 czarcing:sysadm_r:sysadm_t           python /usr/share/system-logviewe

3604 czarcing:staff_r:staff_t             up2date
3605 czarcing:staff_r:staff_userhelper_t  /usr/sbin/userhelper -w up2date
3608 czarcing:sysadm_r:rpm_t              /usr/bin/python -u /usr/sbin/up2d

It would be nice to get this fixed before FC2 final but, if not, then as soon after as practical. The "behavior" of up2date is not what a user would expect.
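Added example (not part of the original report, and not code from up2date or the SELinux tools): a small Python parser for the AVC denial quoted in the report, which reports which components of the security context the refused transition would have changed. The function names are hypothetical; the sample line is the one from the report with the syslog timestamp and host trimmed.

```python
import re

# AVC denial copied from the report above (syslog timestamp and host trimmed).
AVC_LINE = (
    "kernel: audit(1083921552.173:0): avc: denied { transition } for pid=3278 "
    "exe=/usr/sbin/userhelper path=/usr/sbin/up2date dev=hda6 ino=775144 "
    "scontext=czarcing:staff_r:staff_userhelper_t "
    "tcontext=czarcing:sysadm_r:rpm_t tclass=process"
)

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)

def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value tokens; values containing spaces are not handled (none occur here).
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    fields["result"] = m.group("result")
    fields["perms"] = m.group("perms").split()
    return fields

def split_context(ctx):
    """Split a three-field user:role:type context, the form used in this report."""
    user, role, setype = ctx.split(":")[:3]
    return {"user": user, "role": role, "type": setype}

def context_changes(fields):
    """Map each context component that differs to its (source, target) pair."""
    src = split_context(fields["scontext"])
    dst = split_context(fields["tcontext"])
    return {k: (src[k], dst[k]) for k in ("user", "role", "type") if src[k] != dst[k]}

def summarize(line):
    """One-line triage summary: what was denied and which components change."""
    f = parse_avc(line)
    if f is None:
        return None
    changes = ", ".join(f"{k} {a} -> {b}" for k, (a, b) in context_changes(f).items())
    return f"{f['result']} {' '.join(f['perms'])} on {f['tclass']}: {changes or 'no context change'}"

if __name__ == "__main__":
    print(summarize(AVC_LINE))
```

For the line in the report, the summary shows that the denied process transition crosses both a role boundary (staff_r to sysadm_r) and a type boundary (staff_userhelper_t to rpm_t).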
Fixed in the current release. Please try a policy in rawhide. selinux-policy-strict-1.18.1-1 or greater