Developers of packages please pay attention to selinux labeling.

Daniel J Walsh dwalsh at redhat.com
Tue Jul 13 13:44:28 UTC 2010


On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
>>   
> 
> That should have failed the release criteria as it is written
> currently.  Let the QA team know by citing bug numbers.
> 
> Rahul
> 
All of the bugs like this

https://bugzilla.redhat.com/show_bug.cgi?id=567454

The problem is without the rpm_exec_t label it runs as initrc_t which is
an unconfined domain.  It creates /tmp output files and redirects the
stdout of all packages being updated.  If any confined app transitions
it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.

This caused all confined applications to generate an AVC like

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB"
dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

It is obviously difficult to trace this type of error back to packagekit.

It just takes a few seconds to send us a heads up and we can fix the
next selinux policy package.

These are the things labeled rpm_exec_t on a Fedora machine

/usr/libexec/yumDBUSBackend.py
/bin/rpm
/usr/bin/rpm
/usr/bin/yum
/usr/sbin/pup
/usr/bin/smart
/usr/sbin/pirut
/usr/bin/apt-get
/usr/sbin/up2date
/usr/sbin/synaptic
/usr/bin/apt-shell
/usr/sbin/rhn_check
/usr/sbin/yum-updatesd
/usr/libexec/packagekitd
/usr/libexec/ricci-modrpm
/usr/bin/fedora-rmdevelrpms
/usr/bin/rpmdev-rmdevelrpms
/usr/sbin/system-install-packages
/usr/share/yumex/yum_childtask\.py
/usr/sbin/yum-complete-transaction
/usr/share/yumex/yumex-yum-backend


So putting this into the packagekitd package does not make sense.

As long as you give us a heads up we can prevent these types of blowups.
Since this policy is shared between yum, packagekit
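Added example (not from the mail or from the SELinux policy project): a small parser for AVC denials in the format quoted above that flags the symptom Dan describes, a domain being denied append on a tmp_t file, which is the trace back to an unlabeled package manager; the sample log lines are constructed, the first copied from the mail and the second an unrelated control.

```python
import re

# Constructed sample AVC lines: the first is the denial quoted in the mail,
# the second is an unrelated denial used as a control.
SAMPLE_AVCS = [
    'node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } '
    'for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 '
    'scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1266885500.000:24852): avc:  denied  { write } for  pid=7001 '
    'comm="httpd" path="/var/www/html/x" dev=dm-1 ino=1 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

# The permission set sits in braces; everything after "for" is key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    # user:role:type[:level]; the type is the third colon-separated field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def is_unlabeled_updater_symptom(rec):
    """Append denied on a tmp_t file (instead of rpm_tmp_t): the package manager
    that created the file was running unlabeled, exactly the case in the mail."""
    return (rec is not None and rec.get('tclass') == 'file'
            and rec['ttype'] == 'tmp_t' and 'append' in rec['perms'])

def find_symptoms(lines):
    """(comm, source type, path) for every denial matching the symptom."""
    return [(r['comm'], r['stype'], r['path'])
            for r in map(parse_avc, lines) if is_unlabeled_updater_symptom(r)]
```

On a real system the input would be the output of ausearch -m avc, with the hits pointing at whichever package manager lacks the rpm_exec_t label.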