Bug 119507 - [unlimitedUsers] staff_r can not run rpm? Should /usr/lib/rpm/rpmi and not /bin/rpm be rpm_exec_t
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-03-30 23:31 UTC by Aleksey Nogin
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-07 11:40:04 UTC
Type: ---
Embargoed:



Description Aleksey Nogin 2004-03-30 23:31:55 UTC
After the most recent (post-FC2t2) updates to the policy package,
staff_r (and, I am guessing, user_r too) can not run rpm - even "rpm
-q" or "rpm -V". This is IMO wrong. 

If there is a desire to prohibit staff_r from running rpm_exec_t files
(which is probably a good idea), then the /usr/lib/rpm/rpmi should be
marked as rpm_exec_t, while /bin/rpm should become an ordinary bin_t
(and should then always call rpmi for actual rpm installs/upgrades).

Comment 1 Bill Nottingham 2004-03-31 02:39:36 UTC
Actually, *everyone* should be able to run rpm -q ; anything else
should be a tunable.

Comment 2 Daniel Walsh 2004-03-31 03:19:06 UTC
I am not seeing this.  What avc messages are you getting?

Dan

Comment 3 Aleksey Nogin 2004-03-31 03:41:08 UTC
That's the thing - I am not getting any, just the "Permission denied".

% rpm -q rpm
bash: /bin/rpm: Permission denied
% ls -l /bin/rpm
-rwxr-xr-x  1 rpm rpm 75760 мар 16 09:10 /bin/rpm
% ls -lZ /bin/rpm
-rwxr-xr-x+ rpm      rpm      system_u:object_r:rpm_exec_t     /bin/rpm
% id -Z
aleksey:staff_r:staff_t
% ls -lZ /usr/bin/yum
-rwxr-xr-x+ root     root     system_u:object_r:rpm_exec_t     /usr/bin/yum
% yum
bash: /usr/bin/yum: /usr/bin/python: bad interpreter: Permission denied
% sudo rpm -q policy-sources
policy-sources-1.9.1-2

Comment 4 Daniel Walsh 2004-03-31 03:46:14 UTC
Could you do a setenforce 0

Then execute the rpm -q command and see if you get any messages.

Are you on the #selinux chat room?

Dan

Comment 5 Aleksey Nogin 2004-03-31 04:35:59 UTC
security_compute_sid:  invalid context aleksey:staff_r:rpm_t for
scontext=aleksey:staff_r:staff_t tcontext=system_u:object_r:rpm_exec_t
tclass=process


Comment 6 Daniel Walsh 2004-03-31 05:11:32 UTC
For some reason you are attempting to transition to rpm_t.  You should
not be, for the staff user while not in unlimitedUsers.

Could you check to see if you have a domain_trans for staff_t to rpm_t?

Dan
 

Comment 7 Aleksey Nogin 2004-03-31 05:15:23 UTC
Ah, I do have unlimitedUsers set.

Comment 8 Daniel Walsh 2004-03-31 05:20:07 UTC
role staff_r types rpm_t;
If you want to run in unlimitedUsers you need to add the above line to
rpm.te where the transition code is.  I will fix this in the next
policy.  The unlimitedUsers role will be turned off in the next
policy, as we attempt to tighten up the security, in policy.
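The mismatch Dan describes (a domain transition into rpm_t declared for staff_t, but no `role staff_r types rpm_t;` to make the resulting context valid) can be caught by a static check over the policy sources. The script below is an added example, not part of this bug or of the Fedora policy package; the policy fragment is constructed, and it assumes the user domain X_t is entered by role X_r.

```python
import re

# Constructed policy fragment (not the real Fedora policy sources): staff_t
# and user_t are given a transition into rpm_t, but only system_r and
# sysadm_r are authorized for rpm_t, which is what the kernel rejects as an
# "invalid context" in security_compute_sid.
SAMPLE_POLICY = """
type rpm_t, domain;
type rpm_exec_t, file_type;
role system_r types rpm_t;
role sysadm_r types rpm_t;
domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
type_transition user_t rpm_exec_t:process rpm_t;
"""

ROLE_RE = re.compile(r"^\s*role\s+(\w+)\s+types\s+([\w\s,{}]+?)\s*;", re.M)
AUTO_TRANS_RE = re.compile(
    r"^\s*domain_auto_trans\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)", re.M)
TYPE_TRANS_RE = re.compile(
    r"^\s*type_transition\s+(\w+)\s+(\w+)\s*:\s*process\s+(\w+)\s*;", re.M)

def parse_role_types(policy):
    """Map each role to the set of domain types it is authorized for."""
    roles = {}
    for role, types in ROLE_RE.findall(policy):
        roles.setdefault(role, set()).update(
            t for t in re.split(r"[\s,{}]+", types) if t)
    return roles

def parse_transitions(policy):
    """Collect (source_domain, entrypoint_type, target_domain) process transitions."""
    trans = set(AUTO_TRANS_RE.findall(policy))
    trans.update(TYPE_TRANS_RE.findall(policy))
    return trans

def role_for_domain(domain):
    """Assumption: domain X_t runs under role X_r (staff_t -> staff_r)."""
    return domain[:-2] + "_r" if domain.endswith("_t") else None

def find_unauthorized_transitions(policy):
    """Return (role, source, target) for transitions that yield an invalid context."""
    roles = parse_role_types(policy)
    problems = []
    for src, _entry, dst in sorted(parse_transitions(policy)):
        role = role_for_domain(src)
        if role and dst not in roles.get(role, set()):
            problems.append((role, src, dst))
    return problems

def suggested_fix(problem):
    """The role declaration that makes the transition's target context valid."""
    role, _src, dst = problem
    return "role %s types %s;" % (role, dst)
```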

Comment 9 Aleksey Nogin 2004-03-31 05:34:41 UTC
OK, I brought my tunable.te closer to the one currently distributed
(including commenting out the unlimitedUsers) and the problem went
away. Thanks!

Comment 10 Daniel Walsh 2004-03-31 15:09:16 UTC
Fixed in policy-1.9.1-4

