Description of problem:
SELinux is denying access from get-updates.py to any system files like:
/sbin/ldconfig
/var/lib/PackageKit/transactions.db
/var/lib/rpm/Packages
/var/cache/yum/utopia/porimary.xml.gz.sqlite
pipes
/var/lib/rpm
/var/cache/yum/fedora/cachecookie

Version-Release number of selected component (if applicable):
gnome-packagekit-0.1.2-0.215.20071030svn.fc7.hughsie
PackageKit-libs-0.1.2-0.278.20071030git.fc7.hughsie
PackageKit-0.1.2-0.278.20071030git.fc7.hughsie

How reproducible:
always

Steps to Reproduce:
1. just install it and let it run

Actual results:
SELinux denies any access to the system, so the result is that with SELinux fully enabled this package does not function.
For what it's worth, here's a sample of the messages that I get running PK in 'permissive' mode:

Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc: denied { read } for pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file
(etc, etc)

It looks to me that packagekitd should be running in its own context, not dbus's. (packagekitd is started by dbus)
Dan said that this should be fixed with tonight's rawhide.
Created attachment 273301: Some more avc messages

It looks like I missed some avc messages in my first report to Dan. Here's the complete list, and a quick breakdown of what each one is:

o Packagekit creating and using the sqlite database files it needs at /var/lib/PackageKit/transactions.db
o Something about 'denied { getsched } for pid=23842 comm="packagekitd"'
o Running the yum 'helpers': 'denied { execute_no_trans } for pid=23848 comm="packagekitd" path="/usr/share/PackageKit/helpers/yum/get-updates.py"' (There are various other helper scripts in /usr/share/PackageKit/helpers, not just get-updates. Each one essentially runs yum to do different things.)
o Accessing the rpm db: denied { getattr } for pid=23848 comm="get-updates.py" path="/var/lib/rpm/__db.001" (This error occurs even with the updated policy. Is this because it is the helper script run by packagekitd instead of packagekitd itself accessing the rpm db?)
o Several other yum/RPM related actions run by the get-updates.py helper script. There are 15 or so other helper scripts that would want to have the same access; the get-updates one is just the one I happened to run.
packagekitd should be run as rpm_t, and should be labeled rpm_exec_t. Fixed in selinux-policy-3.0.8-62.fc8
This appears to be fixed. Closing.
Hi Dan, PK now has a separate daemon process that handles the yum actions:

host=solitude.devel.redhat.com type=AVC msg=audit(1203689526.603:14): avc: denied { getsched } for pid=2765 comm="yumDBUSBackend." scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
host=solitude.devel.redhat.com type=SYSCALL msg=audit(1203689526.603:14): arch=40000003 syscall=155 success=yes exit=0 a0=acd a1=b7f7f8cc a2=4b3ff4 a3=b7f7f6c0 items=0 ppid=2764 pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yumDBUSBackend." exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0 key=(null)

I gather this needs to be fixed in the same way as packagekitd was in comment #4.
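The denials quoted in this thread all share one shape: a process spawned by the D-Bus daemon keeps running as system_dbusd_t instead of transitioning into its own domain, so every file it touches is attributed to the bus domain. The script below is an added triage example and is not part of the bug report or of PackageKit; it parses AVC records in both the syslog form (comment above with "kernel: audit(...)") and the auditd form ("type=AVC msg=audit(...)"), tallies denials by source type, target type, class and permission, lists which processes (comm) are running in a given domain, and pulls out execute_no_trans denials, which are the direct symptom of a missing domain transition. The sample log is constructed from the records quoted in this thread; the scontext/tcontext on the execute_no_trans line are assumed values the original report did not include.

```python
import re
from collections import defaultdict

# Constructed sample: records in the two formats seen in this bug report.
# The contexts on the third line are assumed (the report omitted them).
SAMPLE_LOG = """\
Nov 20 11:04:57 solitude kernel: audit(1195574697.903:580): avc: denied { read } for pid=8853 comm="packagekitd" name="stat" dev=proc ino=1351878 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=file
type=AVC msg=audit(1203689526.603:14): avc: denied { getsched } for pid=2765 comm="yumDBUSBackend." scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=process
type=SYSCALL msg=audit(1203689526.603:14): arch=40000003 syscall=155 success=yes exit=0 comm="yumDBUSBackend." exe="/usr/bin/python" subj=system_u:system_r:system_dbusd_t:s0
type=AVC msg=audit(1203689526.700:15): avc: denied { execute_no_trans } for pid=23848 comm="packagekitd" path="/usr/share/PackageKit/helpers/yum/get-updates.py" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third field of user:role:type:level; MLS ranges may add more.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec[ctx]
    return rec


def records(log_text):
    """Yield parsed AVC records from a multi-line log, skipping everything else."""
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            yield rec


def summarize(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = defaultdict(int)
    for rec in records(log_text):
        for perm in rec["perms"]:
            counts[(rec.get("scontext_type"), rec.get("tcontext_type"),
                    rec.get("tclass"), perm)] += 1
    return dict(counts)


def processes_in_domain(log_text, domain):
    """Names (comm) of processes that were denied while running as `domain`.

    Anything other than the bus daemon itself showing up under system_dbusd_t
    is a process that should have transitioned to its own domain on exec."""
    return {rec["comm"] for rec in records(log_text)
            if rec.get("scontext_type") == domain and "comm" in rec}


def missing_transitions(log_text):
    """(source type, comm, path) for execute_no_trans denials.

    execute_no_trans means the caller tried to run a file while staying in its
    own domain; the fix is an exec-type label on the file (rpm_exec_t here)
    plus a transition rule into the target domain (rpm_t)."""
    return [(rec.get("scontext_type"), rec.get("comm"), rec.get("path"))
            for rec in records(log_text) if "execute_no_trans" in rec["perms"]]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print("%4d  %s -> %s  %s:%s" % (n, key[0], key[1], key[2], key[3]))
    print("running as system_dbusd_t:", sorted(processes_in_domain(SAMPLE_LOG, "system_dbusd_t")))
    print("exec without transition:", missing_transitions(SAMPLE_LOG))
```

Feeding it `ausearch -m avc` output or /var/log/messages from a permissive run gives the same three views: the per-permission tally is what you would turn into allow rules if the domain were correct, while the other two tell you whether the domain is correct at all, which is the distinction that separates the fix in comment #5 (a transition to rpm_t) from just granting system_dbusd_t access to the rpm database.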
What package contains yumDBUSBackend?
Hi Dan, sorry for the delay - it comes from PackageKit (the main package). The version in rawhide now doesn't use yumDBUSBackend yet, though.
What is the path? Need transition from system_dbusd_t->rpm_exec_t->rpm_t. When is it going to be in Rawhide?
The path is: /usr/libexec/yumDBUSBackend.py It's already in rawhide, but is not the default backend - the default backend is currently still the old yum backend that we already have rules for. It might become the default backend during the beta, or we might stay with the current yum backend, it all depends on if the new backend is 'ready' or not.
Fixed in selinux-policy-3.3.1-22.fc9
Closing this, as I haven't seen any SELinux AVC denials lately. Thanks, Dan.