Bug ID 1231127
Summary SELinux: health-checker change causes denial
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter fvogt@suse.com
QA Contact qa-bugs@suse.de
CC fcrozat@suse.com, iforster@suse.com
Target Milestone ---
Found By ---
Blocker ---

With https://github.com/openSUSE/health-checker/pull/21/files, health-checker
calls rpm --verifydb with a custom lock path because /usr/ is not writable.

The modified check fails now because SELinux blocks rpm from writing to
/run/rpmdb:

type=AVC msg=audit(1727697272.028:122): avc:  denied  { open } for  pid=2368
comm="rpmdb" path="/run/rpmdb" dev="tmpfs" ino=2281
scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1727697272.028:123): avc:  denied  { open } for  pid=2368
comm="rpmdb" path="/run/rpmdb" dev="tmpfs" ino=2281
scontext=unconfined_u:unconfined_r:rpmdb_t:s0-s0:c0.c1023
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

