Created attachment 772062 [details] output of ausearch -m avc -ts recent OpenLMI-Software provider needs a policy. This is similar request as bz979037. The provider should be allowed to manipulate with software rpm packages. Remove them, install them, updated them etc. It uses yum APIs and rpmlib from python and should be allowed to do anything, that yum is allowed. As instructed, I created dummy policy and put it into kernel: $ cat >mypol.te policy_module(mypol,1.0) pegasus_openlmi_domain_template(pycmpiLMI_Software) ^D $ make -f /usr/share/selinux/devel/Makefile mypol.pp $ semodule -i mypol.pp $ chcon -t pegasus_openlmi_pycmpiLMI_Software_t /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt (that's the provider executable) Audit messages from my test suite are attached.
I am thinking try to label it as rpm_exec_t. Could you add to your local policy require{ type pegasus_t; } rpm_domtrans(pegasus_t) and run $ make -f /usr/share/selinux/devel/Makefile mypol.pp $ semodule -i mypol.pp $ chcon -t rpm_exec_t /usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt and re-test it. Thank you.
Thank you Mirek. All passed :-), no AVCs.
selinux-policy-3.12.1-69.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-69.fc19
Package selinux-policy-3.12.1-69.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-69.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-14089/selinux-policy-3.12.1-69.fc19 then log in and leave karma (feedback).
selinux-policy-3.12.1-69.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.