Bug 213933 - /usr/sbin/synaptic needs to be labeled as rpm_exec_t in targeted policy, too
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-03 15:33 EST by Gérard Milmeister
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-12 13:08:33 EDT
Description Gérard Milmeister 2006-11-03 15:33:54 EST
There is a problem when installing packages that have install scripts (%post).
Apparently SELinux prevents it from executing bash. Here is the audit log entry:

type=AVC msg=audit(1162117424.263:1705): avc:  denied  { transition } for  pid=16381 comm="synaptic" name="bash" dev=hda2 ino=65603 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process

With SELinux set to enforce, packages are thus not correctly installed.
Comment 1 Daniel Walsh 2006-11-06 10:34:16 EST
What tool are you using to install?  It should be labeled rpm_exec_t to work
correctly?

You might have a labeling problem.
Comment 2 Gérard Milmeister 2006-11-06 10:46:36 EST
Output of ll -Z:
-rwxr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/synaptic*

I also did /sbin/restorecon /usr/sbin/synaptic, but this didn't change anything.
Comment 3 Gérard Milmeister 2006-11-06 10:54:07 EST
In the file_contexts policy file, there is an entry for synaptic for the strict
policy, but not for the targeted policy:
/usr/sbin/synaptic      --      system_u:object_r:apt_exec_t:s0
Comment 4 Daniel Walsh 2006-11-06 13:28:55 EST
Ok on Fedora this needs to be labeled rpm_exec_t, since it is installing rpms.

I will change this in tonight's update

Fixed in selinux-policy-2.4.3-1
Comment 5 Axel Thimm 2006-11-07 04:49:02 EST
Thanks a lot, Dan!
Comment 6 Gérard Milmeister 2007-02-20 14:47:31 EST
The policy specifies /usr/bin/synaptic which is linked to consolehelper.
Shouldn't it specify /usr/sbin/synaptic directly, or doesn't it matter?
Comment 7 Daniel Walsh 2007-02-20 16:51:04 EST
Yes, it should be sbin. I will fix in next update.
Comment 8 Daniel Walsh 2007-09-12 13:08:33 EDT
Moving modified bugs to closed
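
Added example (not part of the bug report or of the selinux-policy source): a simplified Python model of the file_contexts lookup that restorecon performs, showing why relabeling leaves /usr/sbin/synaptic as sbin_t for as long as no entry names that exact path, together with a parser for the AVC record from the description. The file_contexts fragments are constructed, and the matching rule (specs anchored at both ends, literal specs preferred over regex specs, later entries overriding earlier ones) is a simplification of libselinux.

```python
import re

# AVC record from the bug description, re-joined onto one line.
AVC = ('type=AVC msg=audit(1162117424.263:1705): avc:  denied  { transition } for  '
       'pid=16381 comm="synaptic" name="bash" dev=hda2 ino=65603 '
       'scontext=system_u:system_r:unconfined_t:s0 '
       'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process')

# Constructed file_contexts fragments (not the real Fedora policy files).
# BEFORE models comment 6: only the /usr/bin path has a synaptic entry.
BEFORE = """\
/usr/sbin(/.*)?      system_u:object_r:sbin_t:s0
/usr/bin/synaptic -- system_u:object_r:rpm_exec_t:s0
"""
# AFTER adds the entry agreed on in comment 7.
AFTER = BEFORE + "/usr/sbin/synaptic -- system_u:object_r:rpm_exec_t:s0\n"

def parse_avc(line):
    """Return permissions, class, command and source/target types of a denial."""
    perms = re.search(r"\{([^}]*)\}", line).group(1).split()
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": perms, "tclass": kv["tclass"], "comm": kv["comm"].strip('"'),
            "source": kv["scontext"].split(":")[2],
            "target": kv["tcontext"].split(":")[2]}

def expected_type(file_contexts, path):
    """Type a relabel would give a regular file at `path`, or None if no match."""
    literal = regex = None
    for entry in file_contexts.splitlines():
        fields = entry.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        spec, ftype, context = fields[0], fields[1:-1], fields[-1]
        if ftype and ftype[0] != "--":       # entry applies to another file type
            continue
        if not re.fullmatch(spec, path):     # specs are anchored at both ends
            continue
        if re.search(r"[.^$?*+|\[({]", spec):
            regex = context                  # later regex entries override earlier
        else:
            literal = context                # literal specs beat regex specs
    chosen = literal or regex
    return chosen.split(":")[2] if chosen else None
```

With the BEFORE fragment the lookup for /usr/sbin/synaptic falls through to the generic /usr/sbin rule, so synaptic stays outside the rpm domain and the transition to rpm_script_t seen in the AVC record is denied.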
