Bug 213933 - /usr/sbin/synaptic needs to be labeled as rpm_exec_t in targeted policy, too
Summary: /usr/sbin/synaptic needs to be labeled as rpm_exec_t in targeted policy, too
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2006-11-03 20:33 UTC by Gérard Milmeister
Modified: 2007-11-30 22:11 UTC

Clone Of:
Last Closed: 2007-09-12 17:08:33 UTC


Description Gérard Milmeister 2006-11-03 20:33:54 UTC
There is a problem when installing packages that have install scripts (%post).
Apparently SELinux prevents it from executing bash. Here is the audit log entry:

type=AVC msg=audit(1162117424.263:1705): avc:  denied  { transition } for  pid=16381 comm="synaptic" name="bash" dev=hda2 ino=65603 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process

With SELinux set to enforce, packages are thus not correctly installed.

Comment 1 Daniel Walsh 2006-11-06 15:34:16 UTC
What tool are you using to install?  It should be labeled rpm_exec_t to work.

You might have a labeling problem.

Comment 2 Gérard Milmeister 2006-11-06 15:46:36 UTC
Output of ll -Z:
-rwxr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/synaptic*

I also did /sbin/restorecon /usr/sbin/synaptic, but this didn't change anything.

Comment 3 Gérard Milmeister 2006-11-06 15:54:07 UTC
In the file_contexts policy file, there is an entry for synaptic for the strict
policy, but not for the targeted policy:
/usr/sbin/synaptic      --      system_u:object_r:apt_exec_t:s0

Comment 4 Daniel Walsh 2006-11-06 18:28:55 UTC
OK, on Fedora this needs to be labeled rpm_exec_t, since it is installing rpms.

I will change this in tonight's update.

Fixed in selinux-policy-2.4.3-1
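
Added example, not part of the original bug thread: a short Python sketch that parses the AVC record from the description and compares the on-disk label from comment 2 against file_contexts entries. The two file_contexts lines are constructed for illustration, the lookup rule (last matching anchored regex wins) is a simplification of what libselinux does, and all function names are hypothetical.

```python
import re

# Copied from the bug report above (the AVC record is rejoined onto one line).
AVC = ('type=AVC msg=audit(1162117424.263:1705): avc:  denied  { transition } for  '
       'pid=16381 comm="synaptic" name="bash" dev=hda2 ino=65603 '
       'scontext=system_u:system_r:unconfined_t:s0 '
       'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process')
ON_DISK = "system_u:object_r:sbin_t"  # from the ll -Z output in comment 2
# Constructed file_contexts entries (assumptions): a generic /usr/sbin rule and
# the targeted-policy entry the thread asks for.
GENERIC_FC = "/usr/sbin(/.*)?         system_u:object_r:sbin_t:s0"
WANTED_FC = "/usr/sbin/synaptic      --      system_u:object_r:rpm_exec_t:s0"

def parse_avc(line):
    """Split an AVC record into result, permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    fields.update(result=m.group(1), perms=m.group(2).split())
    return fields

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def lookup(entries, path):
    """Simplified lookup: the last entry whose anchored regex matches wins."""
    label = None
    for line in entries:
        parts = line.split()          # regex, optional file-type flag, context
        if re.fullmatch(parts[0], path):
            label = parts[-1]
    return label

def label_mismatch(on_disk, entries, path):
    """Return (current_type, policy_type) when they differ, else None."""
    wanted = lookup(entries, path)
    if wanted is None or context_type(wanted) == context_type(on_disk):
        return None
    return context_type(on_disk), context_type(wanted)

if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(avc["comm"], avc["perms"], context_type(avc["scontext"]), "->",
          context_type(avc["tcontext"]))
    print(label_mismatch(ON_DISK, [GENERIC_FC], "/usr/sbin/synaptic"))
    print(label_mismatch(ON_DISK, [GENERIC_FC, WANTED_FC], "/usr/sbin/synaptic"))
```

With only the generic entry the on-disk label already agrees with policy, which is consistent with restorecon changing nothing; once an rpm_exec_t entry for the path exists, the check reports the sbin_t label as stale.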

Comment 5 Axel Thimm 2006-11-07 09:49:02 UTC
Thanks a lot, Dan!

Comment 6 Gérard Milmeister 2007-02-20 19:47:31 UTC
The policy specifies /usr/bin/synaptic which is linked to consolehelper.
Shouldn't it specify /usr/sbin/synaptic directly, or doesn't it matter?

Comment 7 Daniel Walsh 2007-02-20 21:51:04 UTC
Yes, it should be sbin. I will fix in next update.

Comment 8 Daniel Walsh 2007-09-12 17:08:33 UTC
Moving modified bugs to closed
