RPM

Comment 26 for bug 634183

In , Jeff (jeff-redhat-bugs) wrote:

Another vague comment:

RPM itself has extraordinary privilege from existing SELinux policy.

The privilege is dropped if/when rpm does execv(2) by calling rpm_execcon in libselinux.

There are several paths to abuse of the security tags attached to /bin/rpm
that do not call rpm_execcon(2) (using internal lua and or macro evaluation)
if /bin/rpm is hardlinked from somewhere else instead.

Whether there is an exploit by hardlinking /bin/rpm is left as an exercise.

It's not just setuid/capabilities attached to an inode that need to be removed.
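The point of the comment is that a security label, like a setuid bit or file capability, lives on the inode, so every hardlink to /bin/rpm carries the same label and the same exec transition. The audit below is an added example written for this page, not code from the bug report or from RPM, SELinux or libselinux: it enumerates every name an inode is reachable under and flags a privileged binary that has more than one. It assumes a GNU or BSD find that understands -samefile, -xdev and -links, and uses ls -Z only where it works (on non-SELinux systems it falls back to printing the path). The function names (hardlinks_of, has_single_name, audit_binary) are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread): find alternate names for a
# labelled binary. Hardlinks share the inode, so they share its SELinux
# context, setuid bit and file capabilities; an extra name is a way to
# reach that privilege from a path the policy never considered.
# Assumes GNU or BSD find with -samefile / -xdev / -links.

# Print every path under $2 (default: /) on the same filesystem that
# shares the inode of $1. The binary itself is included in the output.
hardlinks_of() {
    target=$1
    root=${2:-/}
    find "$root" -xdev -samefile "$target" 2>/dev/null
}

# Return 0 when $1 has exactly one name (link count 1), 1 otherwise.
# find prints the file only if its link count is greater than 1.
has_single_name() {
    [ -z "$(find "$1" -links +1 2>/dev/null)" ]
}

# Audit a privileged binary: report every name other than $1 that maps to
# the same inode. Returns 0 when the binary has a single name, 1 otherwise.
audit_binary() {
    bin=$1
    root=${2:-/}
    if has_single_name "$bin"; then
        echo "ok: $bin has a single name"
        return 0
    fi
    echo "WARNING: $bin is reachable under extra names:"
    hardlinks_of "$bin" "$root" | while IFS= read -r name; do
        [ "$name" = "$bin" ] && continue
        # On an SELinux host, ls -Z shows the context, which is the same
        # for every name because the label is stored on the inode.
        if ls -Z "$name" >/dev/null 2>&1; then
            ls -Z "$name"
        else
            echo "  $name"
        fi
    done
    return 1
}

# Typical use on a real host (root, whole filesystem of /bin):
#   audit_binary /bin/rpm /
```

Run it as root so that find can traverse every directory; a hardlink planted in a directory the auditor cannot read is exactly the case that matters. Because the search is restricted to one filesystem with -xdev, which is all a hardlink can span, run it once per filesystem that could hold a link to the binary.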