Bug 129697 - switchExecType doesn't handle MLS component of security context
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
Reported: 2004-08-11 21:00 UTC by Chad Hanson
Modified: 2007-11-30 22:10 UTC (History)

Last Closed: 2004-11-14 04:55:50 UTC


Attachments
Fix for MLS bug (1.01 KB, patch)
2004-08-26 17:15 UTC, Chad Hanson

Description Chad Hanson 2004-08-11 21:00:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AT&T CSM6.0)

Description of problem:
switchExecType() (lib/psm.c) simply strips the value after the last : 
in the security context and replaces it with the new type. This 
breaks when MLS is enabled since MLS range is the fourth element of 
the security context. Thus the code replaces a part or the entire MLS 
range with a new domain.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Run rpm on a SELinux system with MLS enabled.

Additional info:

Comment 2 Chad Hanson 2004-08-26 17:15:36 UTC
Created attachment 103127
Fix for MLS bug

Comment 3 Chad Hanson 2004-08-26 17:17:58 UTC
With the mls.patch applied, rpm will always run scriptlets in the 
correct security context regardless of whether MLS is enabled or not.

Please apply.

  rpm-4.3.2/lib/psm.c |   23 ++++++++++++++++++++---
  1 files changed, 20 insertions(+), 3 deletions(-)



Comment 4 Jeff Johnson 2004-11-14 04:55:50 UTC
Fixed by using rpm_execcon, an execve clone, from libselinux
in rpm-4.3.3-1.
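
The failure mode from the description, as an added example (not rpm's lib/psm.c, not the attached patch, and not the rpm_execcon fix): cutting at the last ':' is compared with replacing the third field and keeping the range. The function names, the sample contexts and the `rpm_script_t` type name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef int (*swap_fn)(const char *ctx, const char *type, char *out, size_t len);

/* Behaviour the report describes: cut at the LAST ':' and append the type. */
static int swap_last_colon(const char *ctx, const char *type, char *out, size_t len)
{
    const char *cut = strrchr(ctx, ':');
    if (cut == NULL)
        return -1;
    int n = snprintf(out, len, "%.*s:%s", (int)(cut - ctx), ctx, type);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Field-aware: the type is the third field; whatever follows the third ':'
 * is the MLS range (which may itself contain ':') and is kept verbatim. */
static int swap_third_field(const char *ctx, const char *type, char *out, size_t len)
{
    const char *c1 = strchr(ctx, ':');
    const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    if (c2 == NULL)
        return -1;                              /* not user:role:type[...] */
    const char *range = strchr(c2 + 1, ':');    /* NULL when there is no MLS field */
    int n = snprintf(out, len, "%.*s:%s%s", (int)(c2 - ctx), ctx, type,
                     range ? range : "");
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Returns 1 when fn(ctx, "rpm_script_t") succeeds and yields exactly `want`. */
static int yields(swap_fn fn, const char *ctx, const char *want)
{
    char buf[128];
    return fn(ctx, "rpm_script_t", buf, sizeof buf) == 0 && strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed sample contexts: no MLS, single level, level range with categories. */
    const char *samples[] = { "root:sysadm_r:sysadm_t", "root:sysadm_r:sysadm_t:s0",
                              "root:sysadm_r:sysadm_t:s0-s15:c0.c255" };
    char a[128], b[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        swap_last_colon(samples[i], "rpm_script_t", a, sizeof a);
        swap_third_field(samples[i], "rpm_script_t", b, sizeof b);
        printf("%-40s last-colon: %-42s by-field: %s\n", samples[i], a, b);
    }
    return 0;
}
```

With the single-level sample the last-colon version replaces the whole range; with the categorised range it replaces only the part after the final ':' and leaves the original type in place.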

