tmp files causing issues with selinux

Bug #245984 reported by Rehan Khan
Affects                Status    Importance  Assigned to  Milestone
Smart Package Manager  Triaged   Medium      netmask

Bug Description

Storing the rpm %pre and %post scripts in /tmp causes issues with systems secured by selinux. For example on Fedora useradd and groupadd are specifically constrained from being run from scripts in /tmp (selinux-targeted policy) so any rpm script which wants to add a user or group will *silently* fail. The only way to see the failure is in setroubleshooter.

Is there a better way/place to process RPMs? If this is an rpm problem, how can smart handle this?

Rehan Khan (rasker) wrote :

I'm setting this to critical as it makes smart generally unusable on selinux constrained rpm based systems (Fedora 8/9).

Changed in smart:
importance: Undecided → Critical
status: New → Confirmed
description: updated
netmask (netmask) wrote :

This is not really Smart's issue, but a specific selinux config issue instead.

What happens is that all RPM transactions run as a child process of "/usr/bin/smart". Since Smart is not natively shipped by Fedora, the context is not correctly marked. Check this:

# ls -lZ /usr/bin/yum
-rwxr-xr-x root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum

# ls -lZ /usr/bin/smart
-rwxr-xr-x root root ? /usr/bin/smart

# chcon system_u:object_r:rpm_exec_t:s0 /usr/bin/smart

# ls -lZ /usr/bin/smart
-rwxr-xr-x root root system_u:object_r:rpm_exec_t:s0 /usr/bin/smart

This is all about context: Smart calls RPM libs, as does Yum. RPM works fine for Yum under Fedora because it has the correct context set, so all you need to do is make Smart enter the same context.

In order to confirm, please, run the chcon command above, and try again.

Changed in smart:
assignee: nobody → netmask
importance: Critical → Medium
status: Confirmed → Triaged
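An added check (not part of the bug thread or of Smart) that turns the diagnosis above into something scriptable: it pulls the SELinux type out of an `ls -lZ` line, treats the "?" column as unlabeled, and prints the chcon fix from the comment plus the persistent form with semanage/restorecon so a relabel does not undo it. The sample lines are constructed from the report's output; the hypothetical rpm_exec_t expectation is what the comment shows for /usr/bin/yum.

```shell
#!/bin/sh
# Extract the SELinux type from one `ls -lZ` line.
# The context field is the one shaped user:role:type[:level], or "?"
# when the file is unlabeled (as /usr/bin/smart is in the report).
# Scanning for that field instead of a fixed column also covers modern
# `ls -lZ`, which places the context after the group column.
selinux_type_of() {
    _ctx=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "?" || $i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit }
    }')
    case "$_ctx" in
        '?'|'') echo unlabeled ;;
        *) printf '%s\n' "$_ctx" | cut -d: -f3 ;;
    esac
}

# Succeed (status 0) only if the line's type equals the expected type.
check_exec_context() {
    [ "$(selinux_type_of "$1")" = "$2" ]
}

# Constructed sample lines mirroring the report, not live output.
SAMPLE_YUM='-rwxr-xr-x root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum'
SAMPLE_SMART='-rwxr-xr-x root root ? /usr/bin/smart'

# Print a verdict for one line; on mismatch show the immediate fix
# (chcon, as in the comment) and the persistent one (fcontext rule +
# restorecon), since a plain chcon is lost on the next relabel.
report() {
    _path=$(printf '%s\n' "$1" | awk '{ print $NF }')
    if check_exec_context "$1" rpm_exec_t; then
        echo "$_path: type rpm_exec_t, same context as /usr/bin/yum"
    else
        echo "$_path: type $(selinux_type_of "$1"), expected rpm_exec_t"
        echo "  fix now:         chcon -t rpm_exec_t $_path"
        echo "  make persistent: semanage fcontext -a -t rpm_exec_t $_path && restorecon -v $_path"
    fi
}

report "$SAMPLE_YUM"
report "$SAMPLE_SMART"
```

On a live system feed it `ls -lZ /usr/bin/smart` instead of the sample line; the path column is taken as the last field, so paths containing spaces are not handled.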
This report contains Public Security information  
Everyone can see this security related information.
