RPM itself has extraordinary privilege from existing SELinux policy.
The privilege is dropped if/when rpm does execv(2) by calling rpm_execcon in libselinux.
There are several paths to abuse of the security tags attached to /bin/rpm
that do not call rpm_execcon(2) (using internal lua and/or macro evaluation)
if /bin/rpm is hardlinked from somewhere else instead.
Whether there is an exploit by hardlinking /bin/rpm is left as an exercise.
It's not just setuid/capabilities attached to an inode that need to be removed.
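The point of the comment is that setuid bits, file capabilities and SELinux file labels are attributes of the inode, so every hardlink to a privileged binary carries them unchanged. The following audit script is an added illustration from the defender's side, not code from the original comment or from the rpm project: it walks a tree, finds every name for a given inode, and lists privileged files whose `st_nlink` is greater than one. The directory layout, the `rpm` stand-in file and the `rpm-alias` link are constructed in a temporary directory; only setuid/setgid mode bits are checked, since SELinux labels and file capabilities live in the `security.selinux` and `security.capability` xattrs and need an SELinux-enabled filesystem to inspect.

```python
import os
import stat
import tempfile

# Mode bits that mark an inode as privileged for this audit. SELinux labels and
# file capabilities are inode attributes too and follow hardlinks the same way,
# but they require xattr access to examine, so they are out of scope here.
PRIV_BITS = stat.S_ISUID | stat.S_ISGID


def inode_key(st):
    """(device, inode) uniquely identifies an inode across a mounted tree."""
    return (st.st_dev, st.st_ino)


def find_hardlinks(root, target):
    """Return every regular-file path under `root` that names the same inode as
    `target`. A hardlink is just another directory entry for the inode, so each
    returned path has identical mode bits, owner and security labels."""
    key = inode_key(os.stat(target))
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and inode_key(st) == key:
                matches.append(path)
    return sorted(matches)


def multi_link_privileged(root):
    """Audit: setuid/setgid regular files under `root` whose inode has more
    than one name. st_nlink > 1 is the cheap screen; the result maps each such
    inode to all of its paths so an admin can see where the extra names live."""
    by_inode = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_nlink > 1
                    and st.st_mode & PRIV_BITS):
                by_inode.setdefault(inode_key(st), []).append(path)
    return {k: sorted(v) for k, v in by_inode.items()}


def demo():
    """Constructed scenario: a setuid 'rpm' stand-in under a temp root plus a
    second name for the same inode elsewhere in the tree (hypothetical paths)."""
    root = tempfile.mkdtemp(prefix="hardlink-audit-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "elsewhere"))
    binary = os.path.join(root, "bin", "rpm")
    with open(binary, "w") as fh:
        fh.write("#!/bin/sh\necho stand-in for a privileged binary\n")
    os.chmod(binary, 0o4755)  # setuid bit stands in for the real privilege
    alias = os.path.join(root, "elsewhere", "rpm-alias")
    os.link(binary, alias)  # hardlink: same inode, same mode, same labels

    links = find_hardlinks(root, binary)
    audit = multi_link_privileged(root)
    # The alias is setuid exactly like the original: nothing was copied.
    alias_setuid = bool(os.stat(alias).st_mode & stat.S_ISUID)
    nlink = os.stat(binary).st_nlink
    return {"links": links, "audit": audit,
            "alias_setuid": alias_setuid, "nlink": nlink}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run against a real system with `multi_link_privileged("/")` (as a user allowed to stat the tree) to find privileged inodes that have acquired a second name; removing the setuid bit or capability from the original path, or relabeling it, fixes every alias at once because there is only one inode, whereas removing only the well-known path leaves the other names fully privileged.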