Bug 236448

Summary: Multiple denies during software upgrade
Product: [Fedora] Fedora Reporter: Michael De La Rue <mvyynqbgerqungqbgpbz.yeuhc>
Component: pirutAssignee: Jeremy Katz <katzj>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-05-29 18:17:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
audit denies during today
exerpt of /var/log/messages (slightly filtered)
update history for packages updated during problem. none

Description Michael De La Rue 2007-04-14 11:15:14 UTC
Description of problem:
During a software upgrade driven by pup, I had multiple AVC denies.  These
included denies on running restorecon, so I suspect that the system state became

The following packages caused alerts
policycoreutils-1.34.1-4.fc6 (due to update of selinux-policy-targeted.noarch?)

Version-Release number of selected component (if applicable):

How reproducible:
Happened once so far.  Reproduction not attempted since it would be a big job.

Steps to Reproduce:
1. pup says there are software updates, say yes
Actual results:
during software updates there are four AVC denies.

Expected results:
software installs silently and correctly

Additional info:

Comment 1 Michael De La Rue 2007-04-14 11:15:15 UTC
Created attachment 152607 [details]
audit denies during today

Comment 2 Michael De La Rue 2007-04-14 11:16:24 UTC
Created attachment 152608 [details]
exerpt of /var/log/messages (slightly filtered)

Comment 3 Michael De La Rue 2007-04-14 11:17:18 UTC
Created attachment 152609 [details]
update history for packages updated during problem.

Comment 4 Daniel Walsh 2007-04-16 14:18:36 UTC
These are leaked file descriptors by pup/rpm, or what ever tool you were using
to update.  Luckily they do not effect the update.  Any app that execs other
apps should make sure that all file descriptors are closed before the exec. 
SELinux checks all open file descriptors for access before running a confined
app, which triggers these avc messages.  After the denial, the kernel closes the
file descriptors and continues the application.

Changing this bug to pirut

Comment 5 Jeremy Katz 2007-04-16 14:39:54 UTC
Do you just see this with pup or do you also see it with just using yum?  I
can't think of anything which would be pup specific here.

Comment 6 Michael De La Rue 2007-05-27 13:09:48 UTC
It was a one off thing and hasn't repeated.  I have run yum directly and have
never seen such a thing again.