On Mon, 2004-08-23 at 09:44, Russell Coker wrote:
> avc: denied { search } for pid=3019 exe=/usr/sbin/glibc_post_upgrade name=1
> dev=proc ino=65538 scontext=root:sysadm_r:rpm_t
> tcontext=system_u:system_r:init_t tclass=dir
>
> Jeff, it seems that the glibc post upgrade script run when a new glibc package
> is installed gets run as rpm_t not rpm_script_t. Do you have any ideas why
> this is?

The same issue came up with regard to the restarting of sshd by
glibc_post_upgrade; that was leaving sshd in rpm_t until I added a direct
transition from rpm_t to the policy. At that time, Jeff said that rpm is only
running shell interpreters in rpm_script_t, not executable helper programs
like glibc_post_upgrade. I think that should be changed; any commands
executed from the package spec file should be run in rpm_script_t (but note
that this may require changes to the policy to allow entrypoint permission
between rpm_script_t and other executable types).

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
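For readers unfamiliar with what "entrypoint permission" between rpm_script_t and other executable types means in practice, the following is an added illustration written for this page; it is not a policy fragment from the thread, from Stephen Smalley, or from any shipped SELinux policy. It shows, in raw SELinux policy language rather than the example-policy macros of the time, the minimum set of rules that make rpm_t land in rpm_script_t when it executes a compiled helper such as glibc_post_upgrade. It assumes the helper is labeled with the file type bin_t (in a real policy /usr/sbin may carry sbin_t or a dedicated type, so the file type must be checked first) and that the domain names rpm_t and rpm_script_t are the ones in the thread.

```selinux
# Added example (not from the original thread or policy).
# Assumption: /usr/sbin/glibc_post_upgrade is labeled bin_t; check with
#   ls -Z /usr/sbin/glibc_post_upgrade
# and substitute the real file type for bin_t below if it differs.

# rpm_t must be able to find and execute the helper binary.
allow rpm_t bin_t:file { getattr read execute };

# The executable type must be a valid entry point into rpm_script_t.
# Without this rule the kernel refuses the transition, which is the
# "entrypoint permission" the thread refers to.
allow rpm_script_t bin_t:file entrypoint;

# rpm_t is allowed to change domain to rpm_script_t on exec.
allow rpm_t rpm_script_t:process transition;

# Make the transition automatic instead of requiring rpm to call
# setexeccon(): exec of a bin_t file from rpm_t yields rpm_script_t.
type_transition rpm_t bin_t:process rpm_script_t;

# Housekeeping so the child can inherit rpm's open descriptors and
# report its exit status back to rpm.
allow rpm_script_t rpm_t:fd use;
allow rpm_script_t rpm_t:process sigchld;
```

The effect of these rules is checked by running an rpm upgrade that invokes the helper and watching the process contexts with `ps -eZ`: the helper, and anything it restarts (the sshd case mentioned in the message), should appear in rpm_script_t rather than rpm_t. Note that this only moves the problem one step: rpm_script_t then needs its own rules (or further transitions) for whatever the helper does, such as the `search` on init_t's /proc directory in the quoted denial, and those should be granted to rpm_script_t, not to rpm_t.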