Bug 432751

Summary: Latest avc denials
Product: Fedora
Reporter: dex <dex.mbox>
Component: rpm
Assignee: Panu Matilainen <pmatilai>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
CC: ffesti, james.antill, katzj, pmatilai, pnasrat, tim.lauridsen
Hardware: i686   
OS: Linux   
Last Closed: 2008-03-13 03:10:24 UTC
Attachments (flags: none):
  denial #1
  denial #2
  denial #3
  denial #4

Description dex 2008-02-14 04:51:24 UTC
Description of problem:
While doing some updates today I got these denials.

SELinux is preventing /sbin/ldconfig (ldconfig_t) "read write" to socket (unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "read write" to socket (unconfined_t).
SELinux is preventing /usr/sbin/nscd (nscd_t) "read write" to socket (unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "ioctl" to socket (unconfined_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-70.fc7

How reproducible:
always during updates; see alert counts in full logs for details

Steps to Reproduce:
1. yum update <arbitrary-package>

Actual results:
avc's

Expected results:
no avc's

Additional info:
This is a recent (2 days ago) relabel so I can't pin it on that; logs attached.
While updating:

[root@dexterFC5t1 ~]# cat /var/log/yum.log|tail -n 12
Feb 14 03:04:16 Updated: systemtap-runtime - 0.6.1-3.fc7.i386
Feb 14 03:04:21 Updated: systemtap - 0.6.1-3.fc7.i386
Feb 14 03:05:02 Updated: inotify-tools - 3.13-1.fc7.i386
Feb 14 03:05:05 Updated: gparted - 0.3.3-14.fc7.i386
Feb 14 03:05:08 Updated: busybox - 1:1.2.2-10.fc7.i386
Feb 14 03:05:11 Updated: busybox-anaconda - 1:1.2.2-10.fc7.i386
Feb 14 03:05:16 Updated: pkgconfig - 1:0.21-6.fc7.i386
Feb 14 03:05:18 Updated: python-exif - 1.0.7-3.fc7.noarch
Feb 14 03:11:07 Updated: vim-common - 2:7.1.245-1.fc7.i386
Feb 14 03:11:08 Updated: vim-minimal - 2:7.1.245-1.fc7.i386
Feb 14 03:11:19 Updated: vim-X11 - 2:7.1.245-1.fc7.i386
Feb 14 03:11:22 Updated: vim-enhanced - 2:7.1.245-1.fc7.i386

Comment 1 dex 2008-02-14 04:51:24 UTC
Created attachment 294888 [details]
denial #1

Comment 2 dex 2008-02-14 04:53:37 UTC
Created attachment 294889 [details]
denial #2

Comment 3 dex 2008-02-14 04:55:07 UTC
Created attachment 294890 [details]
denial #3

Comment 4 dex 2008-02-14 04:55:57 UTC
Created attachment 294891 [details]
denial #4

Comment 5 Daniel Walsh 2008-02-14 13:25:26 UTC
This looks like a leaked file descriptor from yum. It can safely be ignored.

SELinux is noting the open unix_stream_socket that yum is leaving open.
Eventually rpm execs a confined application, and the kernel closes the
descriptor, reporting the access.
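
The descriptor-inheritance mechanism described in comment 5, as an added example that is not code from this bug, yum, rpm or urlgrabber: a unix stream socket whose close-on-exec flag is clear survives fork()+exec() into whatever program runs next, and that inherited descriptor is what a confined domain such as ldconfig_t or groupadd_t is then checked against. The script below only shows the inheritance half (it does not need SELinux to run) and the two fixes a practitioner would apply: FD_CLOEXEC on the socket, or close_fds=True when spawning. It assumes Linux with /proc mounted and Python 3.4 or later; the probe snippet and the helper names (fd_survives_exec, leaked_socket_fds, leak_then_fix) are hypothetical, invented for this example.

```python
"""Reproduce a socket descriptor leaking across exec(), and the two fixes.
Added example; assumes Linux (/proc/self/fd) and Python >= 3.4."""
import fcntl
import os
import socket
import stat
import subprocess
import sys

# Probe run in the child after exec (constructed for this example). It exits 0
# only if argv[1] is an open descriptor whose inode matches argv[2], i.e. the
# parent's socket really was inherited rather than the fd number being reused.
_PROBE = """
import os, sys
fd, ino = int(sys.argv[1]), int(sys.argv[2])
try:
    sys.exit(0 if os.fstat(fd).st_ino == ino else 1)
except OSError:
    sys.exit(1)
"""


def fd_survives_exec(inheritable: bool, close_fds: bool) -> bool:
    """Create a unix stream socket, set its inheritability, exec a probe and
    report whether the probe still finds the socket open in the new image."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # Python >= 3.4 creates sockets with FD_CLOEXEC set; inheritable=True
        # clears it, which is the state a leaked descriptor is in.
        os.set_inheritable(a.fileno(), inheritable)
        ino = os.fstat(a.fileno()).st_ino
        proc = subprocess.run(
            [sys.executable, "-c", _PROBE, str(a.fileno()), str(ino)],
            close_fds=close_fds,  # True closes every fd > 2 before exec
        )
        return proc.returncode == 0
    finally:
        a.close()
        b.close()


def leaked_socket_fds() -> list:
    """Audit the current process: sockets without FD_CLOEXEC, which would be
    handed to any program exec'd from here (the ones SELinux would report)."""
    leaked = []
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        try:
            st = os.fstat(fd)
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # transient fd (e.g. the listdir handle) already gone
        if stat.S_ISSOCK(st.st_mode) and not flags & fcntl.FD_CLOEXEC:
            leaked.append(fd)
    return sorted(leaked)


def leak_then_fix() -> tuple:
    """Open a socket in the leaking state, audit, set FD_CLOEXEC on it, audit
    again. Returns (leaked_before_fix, leaked_after_fix)."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        os.set_inheritable(a.fileno(), True)
        before = a.fileno() in leaked_socket_fds()
        # The fix: set FD_CLOEXEC (equivalent to os.set_inheritable(fd, False)).
        flags = fcntl.fcntl(a.fileno(), fcntl.F_GETFD)
        fcntl.fcntl(a.fileno(), fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)
        after = a.fileno() in leaked_socket_fds()
        return before, after
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print("inheritable, close_fds=False ->", fd_survives_exec(True, False))   # True: leaked
    print("cloexec,     close_fds=False ->", fd_survives_exec(False, False))  # False
    print("inheritable, close_fds=True  ->", fd_survives_exec(True, True))    # False
    print("audit before/after fix       ->", leak_then_fix())                 # (True, False)
```

The first case is the situation in this bug: a socket opened by an unconfined Python process, not marked close-on-exec, that is still open when a scriptlet is exec'd. Either fix on its own is enough; the audit function is useful when tracking down which library left the descriptor open, since it can be called just before the spawn.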

Comment 6 Seth Vidal 2008-02-14 13:33:00 UTC
from yum? If it is happening during the transaction I'm pretty sure it is in rpm.

Comment 7 dex 2008-02-14 19:22:39 UTC
[root@dexterFC5t1 ~]# rpm --version
RPM version 4.4.2.2

Comment 8 Panu Matilainen 2008-02-18 06:12:59 UTC
Yum can cause 'em just as well, been known to happen through urlgrabber leaving
descriptors open in some conditions. Dex, are you able to reproduce it when
upgrading manually with rpm (instead of yum)?

Comment 9 dex 2008-02-27 11:10:00 UTC
I haven't been able to reproduce it manually with rpm -Uvh *.rpm so I'm going
back to yum. Unrelated, but as a consequence I filed #435096 against yum-utils.

Comment 10 dex 2008-03-13 03:10:24 UTC
Bugs this late in the day for yum/rpm are a waste of time!