Bug 243580 - SELinux denial when installing RPM packages using smart
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-06-10 03:30 UTC by Anthony Messina
Modified: 2007-11-30 22:12 UTC (History)
Fixed In Version: 2.6.4-30
Doc Type: Bug Fix
Last Closed: 2007-08-10 23:28:53 UTC
Description Anthony Messina 2007-06-10 03:30:21 UTC
Description of problem:
When I use smart for RPM management, I receive SELinux denied errors, so I
usually have to do a setenforce 0 prior to installing or upgrading packages,
then a setenforce 1 afterwards.

In enforcing mode, the RPM scriptlets often fail, preventing proper package
installation.

Version-Release number of selected component (if applicable):
smart-0.50-46.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
Every time.

Steps to Reproduce:
1. Set SELinux in enforcing or permissive mode
2. Use smart to install or upgrade a package
  
Actual results:

Output from sealert:

Source Context                user_u:system_r:ldconfig_t
Target Context                user_u:object_r:rpm_tmp_t
Target Objects                /tmp/tmpmqgbD6-smart-rpm-out.txt (deleted) [file]
Affected RPM Packages         glibc-2.6-3 [application]
Policy RPM                    selinux-policy-2.6.4-13.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.home_tmp_bad_labels
                              2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT
                              2007 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 09 Jun 2007 09:07:28 PM CDT
Last Seen                     Sat 09 Jun 2007 09:14:16 PM CDT
Local ID                      85397923-bc24-469e-b74e-a1f0ca2d3026
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="ldconfig" dev=sda2 egid=0 euid=0 exe="/sbin/ldconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="tmpmqgbD6-smart-rpm-out.txt" path=2F746D702F746D706D71676244362D736D6172742D72706D2D6F75742E747874202864656C6574656429 pid=5957 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=file tcontext=user_u:object_r:rpm_tmp_t:s0 tty=pts2 uid=0



Expected results:
Smart should be able to install, upgrade or manipulate RPM packages without
denial from SELinux.
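
Added example, not part of the original report: a small Python parser for the AVC record quoted above that pulls out the source and target types and decodes the hex-encoded path= field. The function names and the set of string-typed fields are choices made for this example; the record is copied from the report and joined onto one line.

```python
import re

# AVC record from the report, joined onto one line (the page wraps it).
RECORD = (
    'avc: denied { read, write } for comm="ldconfig" dev=sda2 egid=0 euid=0 '
    'exe="/sbin/ldconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="tmpmqgbD6-smart-rpm-out.txt" '
    'path=2F746D702F746D706D71676244362D736D6172742D72706D2D6F75742E7478'
    '74202864656C6574656429 '
    'pid=5957 scontext=user_u:system_r:ldconfig_t:s0 sgid=0 '
    'subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=file '
    'tcontext=user_u:object_r:rpm_tmp_t:s0 tty=pts2 uid=0'
)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# Fields audit writes either quoted or, when they contain spaces, quotes or
# control bytes, as bare hex. Numeric fields such as pid must never be decoded.
STRING_FIELDS = {"comm", "exe", "name", "path", "cwd"}

def parse_avc(record):
    """Return the record's fields as a dict, with string fields decoded."""
    m = PERMS.search(record)
    if not m:
        raise ValueError("not an AVC record")
    fields = {"result": m.group(1),
              "perms": [p for p in re.split(r"[,\s]+", m.group(2)) if p]}
    for key, raw in FIELD.findall(record):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key in STRING_FIELDS and HEX.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize(record):
    """Reduce a denial to who tried what on which object."""
    f = parse_avc(record)
    type_of = lambda ctx: ctx.split(":")[2]   # user:role:type[:level]
    return {"source_type": type_of(f["scontext"]),
            "target_type": type_of(f["tcontext"]),
            "tclass": f["tclass"], "perms": f["perms"], "path": f["path"],
            # the kernel appends " (deleted)" to the path of an unlinked file
            "unlinked": f["path"].endswith(" (deleted)")}

if __name__ == "__main__":
    print(summarize(RECORD))
```

The path is hex-encoded here because of the space in the " (deleted)" suffix; the decoded value matches the Target Objects line in the sealert output.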

Comment 1 Daniel Walsh 2007-06-11 15:12:43 UTC
The problem here is that these tmp files are labeled incorrectly.  Running the
same rpm programs with rpm or yum would label these files rpm_script_tmp_t which
ldconfig would be allowed to access.  Why are these labeled incorrectly when run
from smart?

Comment 2 Anthony Messina 2007-06-11 15:35:53 UTC
I do not know why they are.  I just installed fc7, did a yum install smart, and
started working with smart and the denials appear.  I'm not sure if it's an
issue with smart not behaving correctly.  I have made no special configurations
prior to these denials.

To note, the same happened in fc6, but I knew I was upgrading, so I waited a bit
as many bugs "disappear" after an upgrade thanks to your excellent
behind-the-scenes work.

Comment 3 Axel Thimm 2007-06-11 19:28:17 UTC
(In reply to comment #1)
> The problem here is that these tmp files are labeled incorrectly.  Running the
> same rpm programs with rpm or yum would label these files rpm_script_tmp_t which
> ldconfig would be allowed to access.  Why are these labeled incorrectly when run
> from smart?

smart uses rpm-python. Is rpm-python handled by selinux?

Comment 4 Daniel Walsh 2007-06-12 15:19:47 UTC
Yes, yum uses the same library I believe.

Comment 5 Axel Thimm 2007-08-02 11:36:07 UTC
Are the selinux rules attached to rpm-python or yum/rpm? In the former case it
should work with smart, too, in the latter one would need to replicate the rules
for smart, too.

Maybe some smart scripts need some special labeling?


Comment 6 Daniel Walsh 2007-08-02 19:15:07 UTC
Fixed in selinux-policy-2.6.4-30.

smart has the rules attached to it.  When it execs scripts they get execed as
rpm_script_t.


Comment 7 Axel Thimm 2007-08-10 10:08:41 UTC
Anthony, does this fix your issue? selinux-policy-2.6.4-30 was pushed to regular
updates, so your system(s) must have picked them up by now.

Dan, a user on the smart list pinged me on whether this would also find its way
to FC6 (or maybe already has? I see 2.4.6-80.fc6 in updates, but the changelog
does not mention smart). Thanks for the fix!

Comment 8 Anthony Messina 2007-08-10 20:07:42 UTC
I have selinux-policy-2.6.4-30 now, and with the next set of updates, I'll test
and let you know.

Comment 9 Anthony Messina 2007-08-10 21:04:34 UTC
I can verify that selinux-policy-2.6.4-30 fixes this issue, at least during the
quirky upgrade route for the mythtv/libmyth upgrade.  :)

Comment 10 Axel Thimm 2007-08-10 23:28:53 UTC
Thanks for reporting and feedback!

Closing for F7, this could be still an issue on FC6, though.

