Description of problem:
When I use smart for RPM management, I receive SELinux denied errors, so I usually have to do a setenforce 0 prior to installing or upgrading packages, then a setenforce 1 afterwards. In enforcing mode, the RPM scriptlets often fail, preventing proper package installation.

Version-Release number of selected component (if applicable):
smart-0.50-46.fc7
selinux-policy-targeted-2.6.4-13.fc7

How reproducible:
Every time.

Steps to Reproduce:
1. Set SELinux in enforcing or permissive mode
2. Use smart to install or upgrade a package

Actual results:
Output from sealert:

Source Context          user_u:system_r:ldconfig_t
Target Context          user_u:object_r:rpm_tmp_t
Target Objects          /tmp/tmpmqgbD6-smart-rpm-out.txt (deleted) [file]
Affected RPM Packages   glibc-2.6-3 [application]
Policy RPM              selinux-policy-2.6.4-13.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Permissive
Plugin Name             plugins.home_tmp_bad_labels
2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:47:07 EDT 2007 x86_64 x86_64
Alert Count             6
First Seen              Sat 09 Jun 2007 09:07:28 PM CDT
Last Seen               Sat 09 Jun 2007 09:14:16 PM CDT
Local ID                85397923-bc24-469e-b74e-a1f0ca2d3026
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="ldconfig" dev=sda2 egid=0 euid=0
exe="/sbin/ldconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="tmpmqgbD6-smart-
rpm-out.txt" path=2F746D702F746D706D71676244362D736D6172742D72706D2D6F75742E7478
74202864656C6574656429 pid=5957 scontext=user_u:system_r:ldconfig_t:s0 sgid=0
subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=file
tcontext=user_u:object_r:rpm_tmp_t:s0 tty=pts2 uid=0

Expected results:
Smart should be able to install, upgrade or manipulate RPM packages without denial from SELinux.
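Added example, not part of the original report: a small parser for the raw AVC record above that decodes the hex-encoded path field and pulls out the source and target types. The function names are hypothetical, and the record is the one from the report with its line wraps joined.

```python
import re

# AVC record from the report above, with its line wraps joined back together.
AVC = (
    'avc: denied { read, write } for comm="ldconfig" dev=sda2 egid=0 euid=0 '
    'exe="/sbin/ldconfig" exit=0 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="tmpmqgbD6-smart-rpm-out.txt" '
    'path=2F746D702F746D706D71676244362D736D6172742D72706D2D6F75742E7478'
    '74202864656C6574656429 pid=5957 scontext=user_u:system_r:ldconfig_t:s0 '
    'sgid=0 subj=user_u:system_r:ldconfig_t:s0 suid=0 tclass=file '
    'tcontext=user_u:object_r:rpm_tmp_t:s0 tty=pts2 uid=0'
)

# String fields that audit hex-encodes when the value contains a space or
# other unsafe character; quoted values are literal. pid=5957 must stay as-is.
HEX_FIELDS = {"path", "name", "comm", "exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_field(key, raw):
    if raw.startswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_avc(record):
    head = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", record)
    if head is None:
        raise ValueError("not an AVC record")
    fields = {k: decode_field(k, v) for k, v in FIELD_RE.findall(record)}
    return {
        "decision": head.group(1),
        # sealert prints "read, write"; audit.log prints "read write"
        "perms": re.findall(r"\w+", head.group(2)),
        # contexts are user:role:type[:level]; the type is what policy matches
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "path": fields.get("path"),
    }


def access_vector(avc):
    """Render the denied access as 'source target:class { perms }'."""
    return "{source_type} {target_type}:{tclass} {{ {p} }}".format(
        p=" ".join(avc["perms"]), **avc)
```

The decoded path matches the Target Objects line of the sealert output, and the target type is the rpm_tmp_t label on the temporary file.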
The problem here is that these tmp files are labeled incorrectly. Running the same rpm programs with rpm or yum would label these files rpm_script_tmp_t which ldconfig would be allowed to access. Why are these labeled incorrectly when run from smart?
I do not know why they are. I just installed fc7, did a yum install smart, and started working with smart and the denials appear. I'm not sure if it's an issue with smart not behaving correctly. I have made no special configurations prior to these denials. To note, the same happened in fc6, but I knew I was upgrading, so I waited a bit as many bugs "disappear" after an upgrade thanks to your excellent behind-the-scenes work.
(In reply to comment #1)
> The problem here is that these tmp files are labeled incorrectly. Running the
> same rpm programs with rpm or yum would label these files rpm_script_tmp_t which
> ldconfig would be allow to access. Why are these labeled incorrectly when run
> from smart.

smart uses rpm-python. Is rpm-python handled by selinux?
Yes, yum uses the same library I believe.
Are the selinux rules attached to rpm-python or yum/rpm? In the former case it should work with smart, too, in the latter one would need to replicate the rules for smart, too. Maybe some smart scripts need some special labeling?
Fixed in selinux-policy-2.6.4-30. smart has the rules attached to it. When it execs scripts they get execed as rpm_script_t.
Anthony, does this fix your issue? selinux-policy-2.6.4-30 was pushed to regular updates, so your system(s) must have picked them up by now. Dan, a user on the smart list pinged me on whether this would also find its way to FC6 (or maybe already has? I see 2.4.6-80.fc6 in updates, but the changelog does not mention smart). Thanks for the fix!
I have selinux-policy-2.6.4-30 now, and with the next set of updates, I'll test and let you know.
I can verify that selinux-policy-2.6.4-30 fixes this issue, at least during the quirky upgrade route for the mythtv/libmyth upgrade. :)
Thanks for reporting and feedback! Closing for F7, this could be still an issue on FC6, though.