Filippo Bonazzi changed bug 1231127
What   Removed   Added
CC               jsegitz@suse.com

Comment # 1 on bug 1231127 from Filippo Bonazzi
Recap after discussion with Fabian.

I provided a tentative solution in
https://build.opensuse.org/package/show/home:fbonazzi:branches:security:SELinux/selinux-policy

The issue still occurs due to a weird call sequence when the /run/rpmdb
lockfile is first created: it's created with the wrong type because apparently
it's created by health-checker.service running as unconfined. I thought at
least the rpm invocation would end up under rpmdb_t... Therefore my fix above
does not actually work as it's not complete.

Current state:

1. calling health-checker via systemd at boot works, but leaves the lockfile
with the wrong label
2. calling health-checker via systemd-run at runtime works, with the existing
lockfile having the wrong label, and leaves it with the wrong label
3. calling health-checker via the shell works, if the lockfile does not exist,
and leaves the lockfile with the right label
4. the AVCs reported in this bug happen in step 3 when the lockfile already
exists with the wrong label

So it seems to me that we can do 1 of 2 things to fix this:

1. change health-checker so that it's run as confined by systemd (perhaps a
dedicated domain? no idea) at least for the rpm invocation part
2. allow the named transition for /run/rpmdb for unconfined_t as well

Adding Johannes to ask for a second opinion on why health-checker.service would
end up running as unconfined, if that's intentional or if it's a good idea.
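The observations above all hinge on one question: does the type on the /run/rpmdb lockfile match what the policy's file_contexts says it should be? The script below is an added example, not part of the bug report or of the selinux-policy package; it compares the on-disk context of a path with the context matchpathcon expects and tells you when restorecon is needed. rpmdb_t is taken from the comment as the expected type; var_run_t as the "wrong" generic type, and the context strings in the self-check, are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a mislabelled path (e.g. /run/rpmdb created by an
# unconfined process) by comparing its actual SELinux type with the type the
# file_contexts database expects. Nothing here is from the bug report itself.

# type_of CONTEXT -> print the type field of user:role:TYPE:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_mismatch ACTUAL EXPECTED -> succeed (exit 0) when the types differ
label_mismatch() {
    [ "$(type_of "$1")" != "$(type_of "$2")" ]
}

# check_path PATH -> 0 if the label matches, 1 if it does not, 2 if the check
# cannot be performed (no SELinux tools, or the path does not exist).
check_path() {
    p="$1"
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not found" >&2; return 2; }
    [ -e "$p" ] || { echo "$p does not exist" >&2; return 2; }
    # `ls -Zd` prints "context path"; matchpathcon prints "path<TAB>context"
    actual=$(ls -Zd "$p" | awk '{print $1}')
    expected=$(matchpathcon "$p" | awk '{print $2}')
    if label_mismatch "$actual" "$expected"; then
        echo "$p: type $(type_of "$actual"), expected $(type_of "$expected"); fix with: restorecon -v $p"
        return 1
    fi
    echo "$p: label ok ($(type_of "$actual"))"
    return 0
}

# Usage: ./check_label.sh /run/rpmdb   (constructed invocation; no-op without args)
if [ $# -gt 0 ]; then
    check_path "$1"
fi
```

Run it on the affected host after each of the four scenarios in the comment (boot-time service, systemd-run, shell with and without a pre-existing lockfile); a mismatch right after boot confirms that the creating process did not get the named transition, and `ausearch -m avc -ts recent` will show the corresponding denials from the later rpm invocation.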
