Bug 465790

Summary: SELinux is preventing restorecon (restorecon_t) "read write" to socket (rpm_t).
Product: Red Hat Enterprise Linux 5 Reporter: James B. Byrne <byrnejb>
Component: rpmAssignee: Panu Matilainen <pmatilai>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.2CC: ffesti
Target Milestone: rc   
Target Release: ---   
Hardware: ia64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-07 12:33:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James B. Byrne 2008-10-06 13:05:01 UTC 
Summary:

SELinux is preventing restorecon (restorecon_t) "read write" to socket (rpm_t).

Detailed Description:

SELinux denied access requested by restorecon. It is not expected that this
access is required by restorecon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                root:system_r:restorecon_t:SystemLow-SystemHigh
Target Context                root:system_r:rpm_t:SystemLow-SystemHigh
Target Objects                socket [ tcp_socket ]
Source                        restorecon
Source Path                   /sbin/restorecon
Port                          <Unknown>
Host                          x
Source RPM Packages           policycoreutils-1.33.12-14.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-137.1.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     x
Platform                      Linux x
                              2.6.18-92.el5xen #1 SMP Tue Jun 10 19:20:18 EDT
                              2008 x86_64 x86_64
Alert Count                   7
First Seen                    Sat 04 Oct 2008 07:38:52 PM EDT
Last Seen                     Sat 04 Oct 2008 08:00:41 PM EDT
Local ID                      23b41dee-b644-45be-8ceb-dab3fd0d8c37
Line Numbers                  

Raw Audit Messages            

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { read write } for  pid=12341 comm="restorecon" path="socket:[79114]" dev=sockfs ino=79114 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { read write } for  pid=12341 comm="restorecon" path="socket:[79127]" dev=sockfs ino=79127 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { read write } for  pid=12341 comm="restorecon" path="socket:[79134]" dev=sockfs ino=79134 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { read write } for  pid=12341 comm="restorecon" path="socket:[79142]" dev=sockfs ino=79142 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { write } for  pid=12341 comm="restorecon" path="/var/lib/yum/transaction-done.2008-10-04.19:38.55" dev=dm-0 ino=11929811 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_lib_t:s0 tclass=file

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { read } for  pid=12341 comm="restorecon" path="/var/cache/yum/updates/packages/bind-chroot-9.3.4-6.0.2.P1.el5_2.x86_64.rpm" dev=dm-0 ino=11961480 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:var_t:s0 tclass=file

host=x type=AVC msg=audit(1223164841.253:104): avc:  denied  { read write } for  pid=12341 comm="restorecon" path="/var/lib/rpm/__db.000" dev=dm-0 ino=11929751 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:object_r:rpm_var_lib_t:s0 tclass=file

host=x type=SYSCALL msg=audit(1223164841.253:104): arch=c000003e syscall=59 success=yes exit=0 a0=132a26d0 a1=132a2600 a2=132a23b0 a3=65 items=0 ppid=12339 pid=12341 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="restorecon" exe="/sbin/restorecon" subj=root:system_r:restorecon_t:s0-s0:c0.c1023 key=(null)
Comment 1 Florian Festi 2009-09-02 13:26:19 UTC 
I fail to see why this is an rpm problem. Next try: selinux-policy.
Comment 2 Daniel Walsh 2009-09-02 14:00:01 UTC 
Well it is actually a leaked file descriptor in either yum or rpm.  restorecon does not look at /var/lib/rpm/__db.000 or the tcp_socket.

All file descriptors in yum/rpm should be closed on exec, to prevent leaks of file descriptors.

Since one of the links is

/var/lib/yum/transaction-done.2008-10-04.19:38.55

I will blame it on yum for now.

fcntl(fd, F_SETFD, FD_CLOEXEC) or similar for python.
Comment 3 seth vidal 2009-09-02 17:09:30 UTC 
Are you saying all the filedescriptors should be closed when the selinux scriptlet is exec'd or am I misreading you here.
Comment 4 Florian Festi 2009-09-07 12:33:58 UTC 
Sorry for the confusion. It is rpm's responsibility to set fcntl(fd, F_SETFD, FD_CLOEXEC) for all file descriptors before calling the scriptlets. This is done but not at the right place.

*** This bug has been marked as a duplicate of bug 222822 ***