up2date does not work under sudo.

Stephen Smalley sds at epoch.ncsc.mil
Fri Mar 26 13:21:23 UTC 2004


On Fri, 2004-03-26 at 05:54, Aleksey Nogin wrote:
> dmesg shows:
> 
> audit(1080298058.273:0): avc:  denied  { transition } for  pid=3821 
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 
> scontext=aleksey:sysadm_r:sysadm_t 
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.306:0): avc:  denied  { transition } for  pid=3822 
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 
> scontext=aleksey:sysadm_r:sysadm_t 
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.333:0): avc:  denied  { transition } for  pid=3823 
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 
> scontext=aleksey:sysadm_r:sysadm_t 
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.431:0): avc:  denied  { transition } for  pid=3824 
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903 
> scontext=aleksey:sysadm_r:sysadm_t 
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process

Should /usr/sbin/up2date be labeled with rpm_exec_t, as is the case for
yum?  chcon -t rpm_exec_t /usr/sbin/up2date, and add an entry to rpm.fc
for future relabels.  That should enable the transition from sysadm_t to
rpm_t, which is a necessary precursor to transitioning to rpm_script_t.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
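
The quoted denials can be reduced to the one source/target type pair that the labeling question turns on. The Python below is an added example, not part of the original message; it assumes the `avc: denied` line layout shown in the thread, and the names `parse_avc` and `summarize` are made up for illustration.

```python
import re
from collections import Counter

# Sample input: two of the denials quoted in the thread, with the mail
# quoting ("> ") and line wrapping left in place.
SAMPLE = """\
> audit(1080298058.273:0): avc:  denied  { transition } for  pid=3821
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
> scontext=aleksey:sysadm_r:sysadm_t
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
> audit(1080298058.306:0): avc:  denied  { transition } for  pid=3822
> exe=/usr/bin/python path=/bin/bash dev=hda2 ino=3662903
> scontext=aleksey:sysadm_r:sysadm_t
> tcontext=aleksey:sysadm_r:rpm_script_t tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(text):
    """Return one dict per AVC denial, rejoining wrapped and quoted lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop mail quote marks
        if line.startswith("audit("):                # start of a new record
            current = [line]
            records.append(current)
        elif current is not None and line:           # continuation line
            current.append(line)
    out = []
    for parts in records:
        m = AVC_RE.search(" ".join(parts))
        if m:
            rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
            rec["perms"] = m.group(1).split()
            out.append(rec)
    return out

def summarize(records):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for r in records:
        # A context is user:role:type; the type is the third field.
        src = r["scontext"].split(":")[2]
        tgt = r["tcontext"].split(":")[2]
        counts[(src, tgt, r["tclass"], " ".join(r["perms"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize(parse_avc(SAMPLE)).items():
        print(f"{n}x {src} -> {tgt} : {cls} {{ {perms} }}")
```
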




More information about the fedora-selinux-list mailing list