Re: Should Yum and up2date understand SELinux roles

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Tom Mitchell wrote:

> Should yum check "id" for sysadm_r role?
>
> Since %pre and %post actions are problematic a partial install could
> result that may not be simple to fix.
>
> Here is a yum session that shows the interaction that is prompting my
> question.  Note the scriptlet error followed by "Transaction(s) Complete".
>
>
>    # yum install xorg-x11-100dpi-fonts
>    Gathering header information file(s) from server(s)
>    Server: Fedora Core 1.91 - Development Tree
>    Finding updated packages
>    Downloading needed headers
>    Resolving dependencies
>    Dependencies resolved
>    I will do the following:
>    [install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
>    Is this ok [y/N]: y
>    Downloading Packages
>    Getting xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9.i386.rpm
>    xorg-x11-100dpi-fonts-0.0 100% |=========================| 4.2 MB    05:26
>    Running test transaction:
>    Test transaction complete, Success!
>    xorg-x11-100dpi-fonts 100 % done 1/1
>    error: setexeccon(root:staff_r:rpm_script_t) fails from context "root:staff_r:staff_t": Invalid argument
>    error: %post(xorg-x11-100dpi-fonts-0.0.6.6-0.0.2004_03_11.9) scriptlet failed, exit status 255
>    Installed:  xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
>    Transaction(s) Complete
>
>    # id
>    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:staff_r:staff_t
>
>    # newrole -r sysadm_r
>    Authenticating root.
>    Password:
>
>    # rpm -e xorg-x11-100dpi-fonts
>
>    #  yum install xorg-x11-100dpi-fonts
>    Gathering header information file(s) from server(s)
>    Server: Fedora Core 1.91 - Development Tree
>    Finding updated packages
>    Downloading needed headers
>    Resolving dependencies
>    Dependencies resolved
>    I will do the following:
>    [install: xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386]
>    Is this ok [y/N]: y
>    Downloading Packages
>    Running test transaction:
>    Test transaction complete, Success!
>    xorg-x11-100dpi-fonts 100 % done 1/1
>    Installed:  xorg-x11-100dpi-fonts 0.0.6.6-0.0.2004_03_11.9.i386
>    Transaction(s) Complete
>
>
>  
No if unlimitedUsers tunable is set the following rule needs to be added 
to rpm.te

ifdef(`unlimitedUsers', `
domain_auto_trans(staff_t, rpm_exec_t, rpm_t)
')


>