**Describe the bug**
`sudo rpm --rebuilddb` executed by a non-root user finishes successfully, but generates AVC denials.
**To Reproduce**
```
$ sudo rpm --rebuilddb
$ sudo ausearch -i -m avc -ts recent
```
**Expected behavior**
No error and no AVC Denial.
**Output**
```
type=PROCTITLE msg=audit(11/25/2024 09:52:51.327:230) : proctitle=/usr/bin/rpmdb --rebuilddb
type=PATH msg=audit(11/25/2024 09:52:51.327:230) : item=0 name=~/.config/rpm/rpmrc nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/25/2024 09:52:51.327:230) : cwd=/home/user1
type=SYSCALL msg=audit(11/25/2024 09:52:51.327:230) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55cc5de60a70 a1=R_OK a2=0xffffffffffffff70 a3=0x40 items=1 ppid=1120 pid=1121 auid=user1 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=3 comm=rpmdb exe=/usr/bin/rpmdb subj=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/25/2024 09:52:51.327:230) : avc: denied { dac_override } for pid=1121 comm=rpmdb capability=dac_override scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(11/25/2024 09:52:51.327:230) : avc: denied { dac_read_search } for pid=1121 comm=rpmdb capability=dac_read_search scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
```
**Environment**
rpm-4.20.0-1.fc42.x86_64
Seems to be an effect of
https://github.com/rpm-software-management/rpm/issues/2153
**Additional context**
If the original user's config is taken into account, denials will always be audited, given that default homedir permissions are 0700.
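An added example, not part of this report or of rpm itself: a small POSIX shell summariser for `ausearch -i -m avc` output that groups capability-class denials by command, SELinux domain and capability, so the `rpmdb` / `dac_override` / `dac_read_search` signature described above stands out in a larger audit log. The sample records embedded in `AVC_SAMPLE` are constructed to mirror the report (plus one unrelated file denial as a control).

```shell
#!/bin/sh
# Constructed sample of `ausearch -i -m avc` output: the two rpmdb capability
# denials from the report plus one unrelated file-class denial for contrast.
AVC_SAMPLE='type=AVC msg=audit(11/25/2024 09:52:51.327:230) : avc: denied { dac_override } for pid=1121 comm=rpmdb capability=dac_override scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(11/25/2024 09:52:51.327:230) : avc: denied { dac_read_search } for pid=1121 comm=rpmdb capability=dac_read_search scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(11/25/2024 09:53:10.001:231) : avc: denied { read } for pid=1200 comm=httpd name=index.html dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# cap_denials: read AVC records on stdin and print one line per distinct
# capability-class denial: "<comm> <source domain> <capability> <count>",
# highest count first. Only tclass=capability records are considered.
cap_denials() {
    awk '
        /type=AVC/ && /tclass=capability/ {
            comm = ""; cap = ""; dom = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")       comm = kv[2]
                if (kv[1] == "capability") cap  = kv[2]
                # scontext=user:role:type:range -> keep the type (domain)
                if (kv[1] == "scontext") { split(kv[2], ctx, ":"); dom = ctx[3] }
            }
            if (comm != "" && cap != "") count[comm " " dom " " cap]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# dac_denials_for <comm>: number of dac_override + dac_read_search denials
# recorded for that command in AVC_SAMPLE. A non-zero result for a confined
# root process is the pattern seen when it reads into a 0700 home directory.
dac_denials_for() {
    printf '%s\n' "$AVC_SAMPLE" | cap_denials | awk -v c="$1" '
        $1 == c && ($3 == "dac_override" || $3 == "dac_read_search") { n += $4 }
        END { print n + 0 }'
}

printf '%s\n' "$AVC_SAMPLE" | cap_denials
```

Replace `AVC_SAMPLE` with real output (for example `sudo ausearch -i -m avc -ts recent | cap_denials`) to apply the same grouping to a live log.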
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3468
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
https://lists.rpm.org/mailman/listinfo/rpm-maint