On 12/02/2013 01:51 PM, Dominick Grift wrote:
On Mon, 2013-12-02 at 10:11 -0500, Daniel J Walsh wrote:
On 11/27/2013 05:05 PM, Matthew Miller wrote:
Please see https://bugzilla.redhat.com/show_bug.cgi?id=990910
This is a pretty serious problem -- people need to be able to install packages via cloud-init.
I just built selinux-policy-3.12.1-106.fc20 which should fix this issue in F20. Could you try it out and make sure it works for you?
I do not see how:
- rpm_transition_script(cloud_init_t)
fixes this issue:
avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
yum is labeled rpm_exec_t:
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/yum
there is a rule that makes processes with the cloud_init_t type transition from cloud_init_t to rpm_t on rpm_exec_t:
rpm_domtrans(cloud_init_t)
So if that rule was applied at the point of the test, then this event shouldn't have occurred ... unless I am missing something.
We already added a rpm_domtrans(cloud_init_t) rule. My understanding was they were still getting the transition rule, which was causing problems. I was thinking that the tool had sucked in rpm/yum rules rather than executing a separate binary.
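
The comparison made in this thread, as an added example that is not part of any of the original messages and is not audit2allow: it parses the AVC record quoted above, extracts the source and target types, and checks whether a cloud_init_t to rpm_t transition (what the thread says rpm_domtrans(cloud_init_t) provides) would account for it. The function names are hypothetical.

```python
import re

# AVC record copied verbatim from the message quoted in the thread.
AVC = ('avc: denied { transition } for pid=583 comm="yum" '
       'path="/usr/bin/bash" dev="xvda1" ino=4597 '
       'scontext=system_u:system_r:cloud_init_t:s0 '
       'tcontext=system_u:system_r:rpm_script_t:s0 tclass=process')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % ctx)
    return parts[2]


def needed_rule(rec):
    """Render the access the record says was denied as an allow rule."""
    return "allow %s %s:%s { %s };" % (
        context_type(rec['scontext']), context_type(rec['tcontext']),
        rec['tclass'], ' '.join(rec['perms']))


def is_transition(rec, source, target):
    """True if the denial is a process transition from source to target."""
    return (rec['tclass'] == 'process' and 'transition' in rec['perms']
            and context_type(rec['scontext']) == source
            and context_type(rec['tcontext']) == target)


if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(needed_rule(rec))
    # The process named yum is still in cloud_init_t and is denied a
    # transition to rpm_script_t, not to rpm_t.
    print(rec['comm'], is_transition(rec, 'cloud_init_t', 'rpm_t'))
```
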