Bug 119208 - /usr/sbin/up2date needs to be rpm_exec_t
Summary: /usr/sbin/up2date needs to be rpm_exec_t
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Duplicates: 119538
Depends On:
Blocks:
Reported: 2004-03-26 13:29 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-08 13:37:31 UTC
Type: ---
Embargoed:



Description Aleksey Nogin 2004-03-26 13:29:06 UTC
Currently up2date cannot run rpm scripts when in enforcing mode:

audit(1080298058.273:0): avc:  denied  { transition } for  pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Stephen Smalley wrote:

> Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
> yum? 
[...]
> That should enable the transition from sysadm_t to
> rpm_t, which is a necessary precursor to transitioning to rpm_script_t.

Comment 1 Daniel Walsh 2004-03-26 15:35:55 UTC
Fixed in policy-1.9-18

Comment 2 Aleksey Nogin 2004-03-30 20:29:39 UTC
In the policy-sources-1.9.1-2 I see that the /usr/bin/up2date is
labeled rpm_script_t, but not the /usr/sbin one. If I understand this
correctly, it is the wrong one - the bin one should probably _not_ be
labeled this way, while the /usr/sbin one should be.

Comment 3 Daniel Walsh 2004-04-05 20:05:09 UTC
Yes, this is fixed in 1.9.2-10 or so.  The fixes to up2date and
usermode should be in place by tomorrow.

Dan

Comment 4 Adrian Likins 2004-04-06 20:19:52 UTC
up2date-4.3.15 has this change

Comment 5 Aleksey Nogin 2004-04-09 04:23:17 UTC
*** Bug 119538 has been marked as a duplicate of this bug. ***

