4:54 a.m.
This seems to be new. With policy-sources-1.9-15 if I try running
up2date from sudo -r sysadm_r (from a staff user), it fails to actually
install the packages:
Name Version Rel Channel
----------------------------------------------------------------------
xorg-x11-xdm 0.0.6.6 0.0.2004_03_11.9rawhide
xorg-x11-xfs 0.0.6.6 0.0.2004_03_11.9rawhide
Testing package set / solving RPM inter-dependencies...
########################################
xorg-x11-xdm-0.0.6.6-0.0.20 ########################## Done.
xorg-x11-xfs-0.0.6.6-0.0.20 ########################## Done.
xorg-x11-0.0.6.6-0.0.2004_0 ########################## Done.
Preparing ########################################### [100%]
The following Packages were marked to be skipped by your configuration:
Name Version Rel Reason
-------------------------------------------------------------------------------
ocaml 3.07 0.fdr.5.1.90Pkg
name/pattern
The following packages were added to your selection to satisfy dependencies:
Name Version Release
--------------------------------------------------------------
xorg-x11 0.0.6.6 0.0.2004_03_11.9
dmesg shows:
audit(1080298058.273:0): avc: denied { transition } for pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.306:0): avc: denied { transition } for pid=3822
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.333:0): avc: denied { transition } for pid=3823
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.431:0): avc: denied { transition } for pid=3824
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
7:21 a.m.
On Fri, 2004-03-26 at 05:54, Aleksey Nogin wrote:
dmesg shows:
audit(1080298058.273:0): avc: denied { transition } for pid=3821
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.306:0): avc: denied { transition } for pid=3822
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.333:0): avc: denied { transition } for pid=3823
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
audit(1080298058.431:0): avc: denied { transition } for pid=3824
exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
scontext=aleksey:sysadm_r:sysadm_t
tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
yum? chcon -t rpm_exec_t /usr/sbin/up2date, and add an entry to rpm.fc
for future relabels. That should enable the transition from sysadm_t to
rpm_t, which is a necessary precursor to transitioning to rpm_script_t.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
7:35 a.m.
On 26.03.2004 05:21, Stephen Smalley wrote:
Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case
for
yum?
Thanks, fixed it in my local policies and filed
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=119208
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
7343
days inactive
7343
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Aleksey Nogin -
Stephen Smalley