Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 119208
| Summary: | /usr/sbin/up2date needs to be rpm_exec_t | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Aleksey Nogin <aleksey> |
| Component: | policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | alikins, dwalsh, gczarcinski, pgraner |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-04-08 13:37:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in policy-1.9-18 In the policy-sources-1.9.1-2 I see that the /usr/bin/up2date is labeled rpm_script_t, but not the /usr/sbin one. If I understand this correctly, it is the wrong one - the bin one should probably _not_ be labeled this way, while the /usr/sbin one should be. Yes this is fixed in 1.9.2-10 or so. The fixes to up2date and usermode should be in place by tomorrow. Dan up2date-4.3.15 has this change *** Bug 119538 has been marked as a duplicate of this bug. *** |
Currently up2date can not run rpm scripts when in enforcing mode: audit(1080298058.273:0): avc: denied { transition } for pid=3821 exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 scontext=aleksey:sysadm_r:sysadm_t tcontext=aleksey:sysadm_r:rpm_script_t tclass=process Stephen Smalley wrote > Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for > yum? [...] > That should enable the transition from sysadm_t to > rpm_t, which is a necessary precursor to transitioning to rpm_script_t.