[packagekit] SELinux issues

Matej Cepl mcepl at redhat.com
Thu Oct 11 15:31:40 PDT 2007


Hi,

I don't know how much you want to get involved with SELinux at 
this early stage of the development, but I am trying (as 
a bugmaster I am supposed to take some level of pain) to use 
Rawhide with SELinux switched on, and when I got setroubleshoot 
working again, I discovered some AVC denials against 
packagekit (see grep packagekit /var/log/audit/audit.log on 
http://www.ceplovi.cz/matej/tmp/selinux-audit-log.txt ) and 
I have generated this policy module with audit2allow:

module mypackagekit 1.0;

require {
	type unconfined_t;
	type var_run_t;
	type usr_t;
	type etc_t;
	type var_t;
	type hald_var_lib_t;
	type system_dbusd_t;
	class process getsched;
	class capability sys_nice;
	class dir { write read search add_name remove_name };
	class file { write getattr read create unlink execute execute_no_trans };
}

#============= system_dbusd_t ==============
allow system_dbusd_t etc_t:file write;
allow system_dbusd_t hald_var_lib_t:dir search;
allow system_dbusd_t self:capability sys_nice;
allow system_dbusd_t self:process getsched;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read getattr };
allow system_dbusd_t usr_t:file { execute execute_no_trans };
allow system_dbusd_t var_run_t:file { read getattr unlink };
allow system_dbusd_t var_t:dir { write read add_name remove_name };
allow system_dbusd_t var_t:file { write create unlink getattr };

I have absolutely no clue what it means; I may have some 
problems with the labelling of my disk (actually /.autorelabel is 
waiting for the next reboot), but I thought that you may be 
interested (in case you know what you see here) in this as a kind 
of possible-problems diagnostics.

Matěj
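
An added example, not part of the original message or of PackageKit: a short Python check over the allow rules quoted above that lists which ones grant modifying or executing permissions on generic labels, the rules worth revisiting once the pending relabel mentioned in the message has run. The GENERIC_TYPES and SENSITIVE_PERMS sets and the function names are assumptions of this example.

```python
import re

# Allow rules copied from the audit2allow module in the message above.
RULES = """\
allow system_dbusd_t etc_t:file write;
allow system_dbusd_t hald_var_lib_t:dir search;
allow system_dbusd_t self:capability sys_nice;
allow system_dbusd_t self:process getsched;
allow system_dbusd_t unconfined_t:dir search;
allow system_dbusd_t unconfined_t:file { read getattr };
allow system_dbusd_t usr_t:file { execute execute_no_trans };
allow system_dbusd_t var_run_t:file { read getattr unlink };
allow system_dbusd_t var_t:dir { write read add_name remove_name };
allow system_dbusd_t var_t:file { write create unlink getattr };
"""

# Assumption of this example: generic base labels. A denial against one of
# these often means the object has no specific label yet.
GENERIC_TYPES = {"etc_t", "usr_t", "var_t", "var_run_t"}
# Assumption of this example: permissions treated as modifying or executing.
SENSITIVE_PERMS = {"write", "create", "unlink", "add_name", "remove_name",
                   "execute", "execute_no_trans"}

RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")


def parse_rules(text):
    """Yield (source, target, class, set_of_perms) for each allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, tgt, cls, perms = m.groups()
            yield src, tgt, cls, set(perms.strip("{} ").split())


def review(text):
    """Return (target, class, perms) for rules that grant sensitive
    permissions on a generic type."""
    findings = []
    for _src, tgt, cls, perms in parse_rules(text):
        risky = perms & SENSITIVE_PERMS
        if tgt in GENERIC_TYPES and risky:
            findings.append((tgt, cls, sorted(risky)))
    return findings


if __name__ == "__main__":
    for tgt, cls, perms in review(RULES):
        print(f"review before loading: {tgt}:{cls} {{ {' '.join(perms)} }}")
```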



