Bug 129697 - switchExecType doesn't handle MLS component of security context
Product: Fedora
Classification: Fedora
Component: rpm
All Linux
medium Severity medium
Assigned To: Jeff Johnson
Mike McLean
Reported: 2004-08-11 17:00 EDT by Chad Hanson
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2004-11-13 23:55:50 EST

Attachments
Fix for MLS bug (1.01 KB, patch)
2004-08-26 13:15 EDT, Chad Hanson
Description Chad Hanson 2004-08-11 17:00:07 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AT&T 

Description of problem:
switchExecType() (lib/psm.c) simply strips the value after the last : 
in the security context and replaces it with the new type. This 
breaks when MLS is enabled since MLS range is the fourth element of 
the security context. Thus the code replaces a part or the entire MLS 
range with a new domain.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Run rpm on a SELinux system with MLS enabled.

Additional info:
Comment 2 Chad Hanson 2004-08-26 13:15:36 EDT
Created attachment 103127
Fix for MLS bug
Comment 3 Chad Hanson 2004-08-26 13:17:58 EDT
With the mls.patch applied, rpm will always run scriptlets in the 
correct security context regardless of whether MLS is enabled or not.

Please apply.

  rpm-4.3.2/lib/psm.c |   23 ++++++++++++++++++++---
  1 files changed, 20 insertions(+), 3 deletions(-)

Comment 4 Jeff Johnson 2004-11-13 23:55:50 EST
Fixed by using rpm_execcon, an execve clone, from libselinux
in rpm-4.3.3-1.
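
The failure described in the report, as an added example that is neither rpm's code nor the attached patch: the first function reconstructs the last-colon replacement the description attributes to switchExecType(), and the second replaces only the third field so the MLS range survives. The function names, the sample contexts and the rpm_script_t target type are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour the report describes (a reconstruction, not rpm's source):
 * cut the context at its last ':' and append the new type. */
static int replace_after_last_colon(const char *ctx, const char *newtype,
                                    char *out, size_t outlen)
{
    const char *cut = strrchr(ctx, ':');
    if (cut == NULL)
        return -1;
    int n = snprintf(out, outlen, "%.*s:%s", (int)(cut - ctx), ctx, newtype);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Field-aware variant: the type is always the third field of
 * user:role:type[:range]; everything from the third ':' on is the MLS
 * range (which may itself contain ':') and is copied through unchanged. */
static int replace_type_field(const char *ctx, const char *newtype,
                              char *out, size_t outlen)
{
    const char *role = strchr(ctx, ':');
    const char *type = role ? strchr(role + 1, ':') : NULL;
    if (type == NULL)
        return -1;                              /* fewer than three fields */
    const char *range = strchr(type + 1, ':');  /* NULL when MLS is off */
    int n = snprintf(out, outlen, "%.*s:%s%s", (int)(type - ctx), ctx,
                     newtype, range ? range : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample contexts; rpm_script_t is an assumed target type. */
    const char *samples[] = {
        "root:sysadm_r:sysadm_t",
        "root:sysadm_r:sysadm_t:s0",
        "root:sysadm_r:sysadm_t:s0-s0:c0.c1023",
    };
    char a[128], b[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        replace_after_last_colon(samples[i], "rpm_script_t", a, sizeof a);
        replace_type_field(samples[i], "rpm_script_t", b, sizeof b);
        printf("%-40s last-colon: %-44s field-aware: %s\n", samples[i], a, b);
    }
    return 0;
}
```

The second and third samples show the two outcomes the report names: the whole range replaced by the type, and only the trailing part of a range that itself contains a colon.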
