https://bugzilla.suse.com/show_bug.cgi?id=1231127
https://bugzilla.suse.com/show_bug.cgi?id=1231127#c1

Filippo Bonazzi <filippo.bonazzi@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz@suse.com

--- Comment #1 from Filippo Bonazzi <filippo.bonazzi@suse.com> ---
Recap after discussion with Fabian.

I provided a tentative solution in
https://build.opensuse.org/package/show/home:fbonazzi:branches:security:SELi...

The issue still occurs due to a weird call sequence when the /run/rpmdb
lockfile is first created: it's created with the wrong type because apparently
it's created by health-checker.service running as unconfined. I thought at
least the rpm invocation would end up under rpmdb_t... Therefore my fix above
does not actually work as it's not complete.

Current state:

1. calling health-checker via systemd at boot works, but leaves the lockfile
   with the wrong label
2. calling health-checker via systemd-run at runtime works, with the existing
   lockfile having the wrong label, and leaves it with the wrong label
3. calling health-checker via the shell works, if the lockfile does not exist,
   and leaves the lockfile with the right label
4. the AVCs reported in this bug happen in step 3, when the lockfile already
   exists with the wrong label

So it seems to me that we can do 1 of 2 things to fix this:

1. change health-checker so that it's run as confined by systemd (perhaps a
   dedicated domain? no idea) at least for the rpm invocation part
2. allow the named transition for /run/rpmdb for unconfined_t as well

Adding Johannes to ask for a second opinion on why health-checker.service would
end up running as unconfined, if that's intentional or if it's a good idea.
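What option 2 from the comment above would look like as a refpolicy-style module, added here as an illustration and not code from the bug, the branch package or the SUSE policy. It assumes the lock object is a plain file named "rpmdb" created directly under /run (labelled var_run_t) and that the intended lock type is called rpm_var_run_t; the real type name in the SUSE policy must be checked with `seinfo` or `ls -Z` on a correctly labelled file before using it.

```selinux
policy_module(rpmdb_unconfined_filetrans, 1.0)

gen_require(`
    # Domain that health-checker.service currently runs in (per the comment above).
    type unconfined_t;
    # Default label of /run, where the lockfile is created.
    type var_run_t;
    # ASSUMED name of the correct lockfile type; verify against the installed policy.
    type rpm_var_run_t;
')

# Named file transition: when a process in unconfined_t creates a file called
# "rpmdb" inside a var_run_t directory, label it rpm_var_run_t instead of
# inheriting var_run_t. filetrans_pattern() also emits the dir add_name/write
# and file create allow rules that the transition needs.
filetrans_pattern(unconfined_t, var_run_t, rpm_var_run_t, file, "rpmdb")
```

Build and load with the usual `make -f /usr/share/selinux/devel/Makefile` and `semodule -i`, then verify the expected label with `matchpathcon /run/rpmdb` and relabel any stale lockfile with `restorecon -v /run/rpmdb` so step 4 no longer trips over the old var_run_t label.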