On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>> No. SELinux is unacceptable when it displays ridiculous warning
>> messages to users telling them it has detected suspicious activity on
>> a system that has ONLY JUST BEEN INSTALLED.
>>
>
> That should have failed the release criteria as it is written
> currently. Let the QA team know by citing bug numbers.
>
> Rahul
>

All of the bugs like this

https://bugzilla.redhat.com/show_bug.cgi?id=567454

The problem is without the rpm_exec_t label it runs as initrc_t which is an
unconfined domain. It creates /tmp output files and redirects the stdout of
all packages being updated. If any confined app transitions it attempts to
append to a file labeled tmp_t rather than rpm_tmp_t. This caused all
confined applications to generate an AVC like

node=(removed) type=AVC msg=audit(1266885495.204:24851): avc: denied { read append } for pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file

It is obviously difficult to trace this type of error back to packagekit. It
just takes a few seconds to send us a heads up and we can fix the next
selinux policy package.

These are the things labeled rpm_exec_t on a Fedora machine

/usr/libexec/yumDBUSBackend.py
/bin/rpm
/usr/bin/rpm
/usr/bin/yum
/usr/sbin/pup
/usr/bin/smart
/usr/sbin/pirut
/usr/bin/apt-get
/usr/sbin/up2date
/usr/sbin/synaptic
/usr/bin/apt-shell
/usr/sbin/rhn_check
/usr/sbin/yum-updatesd
/usr/libexec/packagekitd
/usr/libexec/ricci-modrpm
/usr/bin/fedora-rmdevelrpms
/usr/bin/rpmdev-rmdevelrpms
/usr/sbin/system-install-packages
/usr/share/yumex/yum_childtask\.py
/usr/sbin/yum-complete-transaction
/usr/share/yumex/yumex-yum-backend

So putting this into the packagekitd package does not make sense. As long as
you give us a heads up we can prevent these types of blowups.

Since this policy is shared between yum, packagekit

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
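The post explains why a mislabeled package manager produces AVC denials in unrelated confined domains: its /tmp output files get tmp_t instead of rpm_tmp_t, so every confined scriptlet that appends to them is denied. The following is an added triage script, not code from the post or from Fedora's selinux-policy, that parses audit AVC records and flags exactly that symptom so the denial can be traced back to the updater rather than to the package whose scriptlet tripped it. The sample log is constructed: its first record is the tzdata-update denial quoted in the post, the other two are invented non-matching records. The field names (`scontext`, `tcontext`, `tclass`, `comm`, `path`) are the standard audit AVC keys; the rpm_tmp_t expectation is taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample audit log: the first line is the denial quoted in the
# mailing-list post, the second is an unrelated httpd denial (invented) and
# the third is a non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1266885495.204:24851): avc: denied { read append } for pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1266885500.000:24852): avc:  denied  { write } for  pid=7001 comm="httpd" path="/var/www/html/index.html" dev=dm-1 ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1266885495.204:24851): arch=c000003e syscall=2 success=no exit=-13
"""

# auditd prints "avc:  denied  { perms }  for" with double spaces; mail
# clients and web archives often collapse them, so match any whitespace.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: frozenset
    comm: str
    path: str
    source_type: str   # type field of scontext, e.g. tzdata_t
    target_type: str   # type field of tcontext, e.g. tmp_t
    tclass: str


def _type_of(context: str) -> str:
    # A SELinux context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]


def parse_avc(line: str):
    """Return an AvcDenial for an AVC 'denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    unquote = lambda v: v.strip('"')
    return AvcDenial(
        perms=frozenset(m.group("perms").split()),
        comm=unquote(fields.get("comm", "")),
        path=unquote(fields.get("path", fields.get("name", ""))),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=fields.get("tclass", ""),
    )


# The symptom the post describes: a confined domain is denied append/write on
# a /tmp file of type tmp_t. With the updater labeled rpm_exec_t (so that it
# runs as rpm_t rather than unconfined initrc_t) those files would be
# rpm_tmp_t, which is what the policy expects confined scriptlets to write.
MISLABELED_TMP_TYPE = "tmp_t"
EXPECTED_TMP_TYPE = "rpm_tmp_t"
WRITE_PERMS = frozenset({"append", "write"})


def looks_like_unlabeled_updater(d: AvcDenial) -> bool:
    return (
        d.tclass == "file"
        and d.target_type == MISLABELED_TMP_TYPE
        and d.path.startswith("/tmp/")
        and bool(d.perms & WRITE_PERMS)
    )


def triage(log_text: str):
    """Return (comm, source_type, path, hint) for denials matching the symptom."""
    findings = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None and looks_like_unlabeled_updater(d):
            hint = (f"{d.comm} ({d.source_type}) wrote to a {d.target_type} file; "
                    f"expected {EXPECTED_TMP_TYPE}. Check that the running package "
                    f"manager is labeled rpm_exec_t rather than fixing {d.comm}.")
            findings.append((d.comm, d.source_type, d.path, hint))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(finding[3])
```

Run it against `ausearch -m avc` output (or /var/log/audit/audit.log) after a failed update; a hit names the scriptlet that was denied, and the remedy is to confirm the updater's label with `ls -Z` on the binary and restore it with `restorecon` rather than to relax policy for the scriptlet's domain.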