Developers of packages please pay attention to selinux labeling.

Daniel J Walsh dwalsh at
Tue Jul 13 13:44:28 UTC 2010

On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
> That should have failed the release criteria as it is written
> currently.  Let the QA team know by citing bug numbers.
> Rahul
All of the bugs like this

The problem is without the rpm_exec_t label it runs as initrc_t which is
an unconfined domain.  It creates /tmp output files and redirects the
stdout of all packages being updated.  If any confined app transitions
it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.

This caused all confined applications to generate an AVC like

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB"
dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

It is obviously difficult to trace this type of error back to packagekit.

It just takes a few seconds to send us a heads up and we can fix the
next selinux policy package.

These are the things labeled rpm_exec_t on a Fedora machine


So putting this into the packagekitd package does not make sense.

As long as you give us a heads up we can prevent these types of blowups.
Since this policy is shared between yum, packagekit

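A small detector for the denial pattern Dan describes, added here as an illustration and not part of the thread or of any Fedora tooling: it parses raw AVC lines in the form quoted above and flags a confined domain being refused read/append/write on a tmp_t file under /tmp, the signature of a package manager that ran as initrc_t instead of rpm_t. The sample log is constructed (the quoted AVC plus one unrelated httpd denial as a negative case).

```python
# Flag AVC denials where a confined domain hit a /tmp file labeled tmp_t
# (instead of rpm_tmp_t): the symptom of packagekitd/yum running
# unconfined because its binary lacked the rpm_exec_t label.
import re

# Constructed sample log: the AVC quoted in the mail plus an unrelated
# denial that must not be flagged.
SAMPLE_AVCS = [
    'node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  '
    '{ read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" '
    'dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1266885500.000:24852): avc:  denied  { write } for  '
    'pid=7001 comm="httpd" path="/var/www/html/x" dev=dm-1 ino=2222 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNCONFINED = {'unconfined_t', 'initrc_t'}   # domains policy does not confine
REDIRECT_PERMS = {'read', 'append', 'write'}

def parse_avc(line):
    """Return the denial's key=value fields plus a 'perms' set, or None."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields['perms'] = set(m.group(1).split())
    return fields

def context_type(ctx):
    """Extract the type from user:role:type[:mls]; '' if malformed."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''

def is_unlabeled_pkgmgr_output(avc):
    """True if a confined domain was refused I/O on a tmp_t file in /tmp."""
    return (avc is not None and avc.get('tclass') == 'file'
            and context_type(avc.get('tcontext', '')) == 'tmp_t'
            and avc.get('path', '').startswith('/tmp/')
            and context_type(avc.get('scontext', '')) not in UNCONFINED
            and bool(avc['perms'] & REDIRECT_PERMS))

def find_suspects(lines):
    """(comm, path) for each denial matching the pattern, in log order."""
    parsed = [parse_avc(line) for line in lines]
    return [(a['comm'], a['path']) for a in parsed if is_unlabeled_pkgmgr_output(a)]
```

Run it over `ausearch -m avc` output on a freshly installed box; a hit on a tmp_t file right after an update points at the package manager's label, not at the confined app named in comm.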