Bug 361151 - SELinux deny actions to packagekitd
Summary: SELinux deny actions to packagekitd
Alias: None
Product: Fedora
Classification: Fedora
Component: PackageKit
Version: 8
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-11-01 01:06 UTC by William Caban
Modified: 2018-04-11 14:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-04-10 14:40:48 UTC
Type: ---

Attachments (Terms of Use)
Some more avc messages (9.73 KB, text/plain)
2007-11-29 20:36 UTC, Robin Norwood
no flags Details

Description William Caban 2007-11-01 01:06:13 UTC
Description of problem:
SELinux is denying access from get-updates.py to any system files like:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. just install it and let it run
Actual results:
SELinux denies any access to the system so the result is that with SELinux fully
enable this package does not function.

Comment 1 Robin Norwood 2007-11-20 17:26:02 UTC
For what it's worth, here's a sample of the messages that I get running PK in
'permissive' mode:

Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc:  denied  { read
} for  pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878
tcontext=system_u:system_r:unconfined_t:s0 tclass=file

(etc, etc)

It looks to me that packagekitd should be running in it's own context, not
dbus's.  (packagekitd is started by dbus)

Comment 2 Luke Macken 2007-11-20 18:06:17 UTC
Dan said that this should be fixed with tonights rawhide.

Comment 3 Robin Norwood 2007-11-29 20:36:48 UTC
Created attachment 273301 [details]
Some more avc messages

It looks like I missed some avc messages in my first report to Dan.  Here's the
complete list, and a quick breakdown of what each one is:

o Packagekit creating and using the sqlite database files it needs at

o Something about ' denied  { getsched } for  pid=23842 comm="packagekitd"'

o Running the yum 'helpers':
'denied  { execute_no_trans } for  pid=23848 comm="packagekitd"

(There are various other helper scripts in /usr/share/PackageKit/helpers, not
just get-updates.  Each one essentially runs yum to do different things.)

o Accessing the rpm db: 

denied	{ getattr } for  pid=23848 comm="get-updates.py"

(This error occurs even with the updated policy.  Is this because it is the
helper script run by packagekitd instead of packagekitd itself accessing the
rpm db?)

o Several other yum/RPM related actions run by the get-updates.py helper
script.  There are 15 or so other helper scripts that would want to have
the same access, the get-updates one is just the one I hapenned to run.

Comment 4 Daniel Walsh 2007-12-01 13:48:06 UTC
packagekitd should be run as rpm_t, and should be labeled rpm_exec_t.

Fixed in selinux-policy-3.0.8-62.fc8

Comment 5 Robin Norwood 2008-01-03 16:42:53 UTC
This appears to be fixed.  Closing.

Comment 6 Robin Norwood 2008-02-22 14:19:34 UTC
Hi Dan,

PK now has a separate daemon process that handles the yum actions:

host=solitude.devel.redhat.com type=AVC msg=audit(1203689526.603:14): avc:
denied { getsched } for pid=2765 comm="yumDBUSBackend."
tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
host=solitude.devel.redhat.com type=SYSCALL msg=audit(1203689526.603:14):
arch=40000003 syscall=155 success=yes exit=0 a0=acd a1=b7f7f8cc a2=4b3ff4
a3=b7f7f6c0 items=0 ppid=2764 pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yumDBUSBackend."
exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0 key=(null) 

I gather this needs to be fixed in the same way as packagekitd was in comment #4.

Comment 7 Daniel Walsh 2008-02-22 14:45:17 UTC
What package contains yumDBUSBackend?

Comment 8 Robin Norwood 2008-03-03 15:38:14 UTC
Hi Dan, sorry for the delay - it comes from PackageKit (the main package).  The
version in rawhide now doesn't use yumDBUSBackend yet, though.

Comment 9 Daniel Walsh 2008-03-03 15:43:37 UTC
What is the path?

Need transition from system_dbusd_t->rpm_exec_t->rpm_t

When is it going to be in Rawhide?

Comment 10 Robin Norwood 2008-03-19 16:10:56 UTC
The path is: /usr/libexec/yumDBUSBackend.py

It's already in rawhide, but is not the default backend - the default backend is
currently still the old yum backend that we already have rules for.  It might
become the default backend during the beta, or we might stay with the current
yum backend, it all depends on if the new backend is 'ready' or not.

Comment 11 Daniel Walsh 2008-03-19 19:21:32 UTC
Fixed in selinux-policy-3.3.1-22.fc9

Comment 12 Robin Norwood 2008-04-10 14:40:48 UTC
Closing this, as I haven't seen any SELinux AVC denials lately.  Thanks, Dan.

Note You need to log in before you can comment on or make changes to this bug.