On Tue, 2009-06-30 at 20:29 +0900, Shintaro Fujiwara wrote:
> Hi, I want to yum install or update from certain domain (segatex_t),
> but although I set segatex.te right permission even I dontaudit
> disabled in vain.
> So, I followed Mr. Walsh lecture, asking audit2why.
>
> I still don't know how to solve the problem so please help.
>
> [root@notepc ~]# audit2why -i /var/log/audit/audit.log
> type=AVC msg=audit(1246361092.291:17): avc: denied { transition }
> for pid=3116 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
> scontext=unconfined_u:unconfined_r:segatex_t:s0
> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>
> Was caused by:
> Policy constraint violation.
>
> May require adding a type attribute to the domain or type to satisfy
> the constraint.
>
> Constraints are defined in the policy sources in policy/constraints
> (general), policy/mcs (MCS), and policy/mls (MLS).
>
> type=AVC msg=audit(1246361092.303:18): avc: denied { transition }
> for pid=3117 comm="segatex" path="/usr/bin/yum" dev=dm-0 ino=594330
> scontext=unconfined_u:unconfined_r:segatex_t:s0
> tcontext=unconfined_u:system_r:rpm_t:s0 tclass=process
>
> Was caused by:
> Policy constraint violation.
>
> May require adding a type attribute to the domain or type to satisfy
> the constraint.
>
> Constraints are defined in the policy sources in policy/constraints
> (general), policy/mcs (MCS), and policy/mls (MLS).
>
I am not sure about this but looking at the rpm_run() and
rpm_transition_script() interfaces, i suspect this may be related:
domain_system_change_exemption(segatex_t)
role_transition unconfined_r rpm_exec_t system_r;
allow unconfined_r system_r;
Attachment:
signature.asc
Description: This is a digitally signed message part
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
