Bug 632573

Summary: AVC on yum install, change policy to dontaudit
Product: Red Hat Enterprise Linux 5
Reporter: Trevor McKay <tmckay>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: low
Version: 5.5
CC: dwalsh, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:21:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Description / Flags):
  attachment 446509: This is the yum repository configuration file in use when the AVC appeared. (flags: none)
  attachment 446511: This is the output from the alert. (flags: none)

Description Trevor McKay 2010-09-10 09:17:16 EDT
Created attachment 446509 [details]
This is the yum repository configuration file in use when the AVC appeared.

Description of problem:

Received the attached AVC after install of a package.  Consulted dwalsh on the #selinux IRC channel, who determined this was from a leaked file descriptor and suggested filing a BZ calling for an SELinux policy change.

Version-Release number of selected component (if applicable):

This was RHEL5.5 Server installed from internal Red Hat ISO.

How reproducible:

Uncertain.  Happened twice in the same day, not happening the next day.

Steps to Reproduce:
1.  Install the condor-qmf package.  (As of 9/10/2010, this was not yet released and was not available from the main RHN channel. I used the mrg-devel repository for yum to install this.  The repository configuration file is attached)

2.
3.
  
Actual results:

The AVC alert shows up.

Expected results:

There should be no alert.

Additional info:

Snippet from #selinux IRC conversation:
(05:16:22 PM) dwalsh: tmckay: Leaked file descriptor
(05:16:29 PM) dwalsh: Nothing to worry about.
(05:16:38 PM) tmckay: dwalsh, thanks.
(05:16:50 PM) dwalsh: This is setfiles running in a post install script with its stdout set to the fifo_file owned by rpm.
(05:16:55 PM) dwalsh: Everything worked fine.
(05:17:35 PM) mcepl left the room (quit: Ping timeout: 240 seconds).
(05:18:35 PM) mattf: dwalsh, anything we can do to avoid throwing the avc? if it's all ok should the default policy be changed?
(05:18:52 PM) dwalsh: yes
(05:19:00 PM) dwalsh: It should be dontaudited.
(05:19:14 PM) dwalsh: Open a bugzilla
(05:20:10 PM) mattf: component?
(05:20:13 PM) dwalsh: In Current policy it is allowed 
(05:20:15 PM) dwalsh: audit2allow -i /tmp/t
(05:20:16 PM) dwalsh: #============= setfiles_t ==============
(05:20:16 PM) dwalsh: #!!!! This avc is allowed in the current policy
(05:20:16 PM) dwalsh: allow setfiles_t rpm_script_t:fifo_file write;
(05:20:20 PM) dwalsh: selinux-policy
Comment 1 Trevor McKay 2010-09-10 09:18:13 EDT
Created attachment 446511 [details]
This is the output from the alert.
Comment 2 Daniel Walsh 2010-09-10 10:46:45 EDT
Miroslav, can you grab the rpm_dontaudit_leaks code from RHEL6 and backport it to RHEL5?

	rpm_dontaudit_leaks(domain)
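The IRC snippet in the description shows what audit2allow makes of the denial (an already-allowed `setfiles_t rpm_script_t:fifo_file write` access), and Comment 2 asks for it to be silenced with a dontaudit rule instead. The following is an added example, not code from the bug or from the selinux-policy package: a small Python script that parses an AVC record of this shape, flags the "inherited pipe" pattern dwalsh describes (a process writing to a fifo_file whose path is `pipe:[...]`, i.e. a descriptor leaked from the parent), and emits the equivalent `dontaudit` rule inside a local policy module. The AVC line is constructed for illustration; the bug's own attachment is not reproduced on the page, so its exact pid, inode and timestamp values are assumed.

```python
import re

# Constructed sample AVC record (the bug's real attachment is not on the page);
# the field layout follows the RHEL5 audit AVC format.
SAMPLE_AVC = (
    'type=AVC msg=audit(1284126982.411:231): avc:  denied  { write } for  '
    'pid=5138 comm="setfiles" path="pipe:[47213]" dev=pipefs ino=47213 '
    'scontext=root:system_r:setfiles_t:s0 '
    'tcontext=root:system_r:rpm_script_t:s0 tclass=fifo_file'
)

# "avc:  denied  { perm perm } for  key=value ..." -> result, permission set, trailing fields
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm="setfiles", path="pipe:[47213]")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'sdomain': _type_of(fields['scontext']),   # source (process) domain
        'ttype': _type_of(fields['tcontext']),     # target object type
        'tclass': fields['tclass'],
    }


def looks_like_fd_leak(rec):
    """Heuristic: a fifo_file whose path is an anonymous pipe was not opened by the
    source domain itself; it was inherited across exec, which is the leak pattern
    described in the bug (setfiles writing to rpm's pipe)."""
    return rec['tclass'] == 'fifo_file' and (rec['path'] or '').startswith('pipe:')


def _perm_set(perms):
    """Render a permission set in TE syntax: single perm bare, several in braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def to_rule(rec, kind='dontaudit'):
    """Emit an allow/dontaudit rule matching the parsed AVC (audit2allow style)."""
    return f"{kind} {rec['sdomain']} {rec['ttype']}:{rec['tclass']} {_perm_set(rec['perms'])};"


def build_te_module(name, records, kind='dontaudit', version='1.0'):
    """Build a complete local policy module (.te source) covering the given AVCs."""
    types, class_perms, rules = set(), {}, []
    for rec in records:
        types.update((rec['sdomain'], rec['ttype']))
        class_perms.setdefault(rec['tclass'], set()).update(rec['perms'])
        rules.append(to_rule(rec, kind))
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {cls} {_perm_set(p)};" for cls, p in sorted(class_perms.items())]
    lines += ["}", ""] + rules
    return "\n".join(lines) + "\n"


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print("leaked-descriptor pattern:", looks_like_fd_leak(rec))
    print(build_te_module('localleaks', [rec]))
```

The generated source can be compiled into a loadable module with the standard toolchain (`checkmodule -M -m -o localleaks.mod localleaks.te`, `semodule_package -o localleaks.pp -m localleaks.mod`, `semodule -i localleaks.pp`) as a stop-gap until a policy update such as the backported `rpm_dontaudit_leaks()` interface ships. Use `kind='allow'` to reproduce what audit2allow printed in the IRC log; the `dontaudit` form is the right one here because the access is already permitted and the goal is only to stop the noise.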
Comment 3 Miroslav Grepl 2010-09-24 06:32:34 EDT
Fixed in selinux-policy-2.4.6-285.el5.noarch
Comment 4 RHEL Product and Program Management 2011-01-11 14:55:01 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 5 RHEL Product and Program Management 2011-01-12 10:08:42 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 9 errata-xmlrpc 2011-07-21 05:21:15 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 10 errata-xmlrpc 2011-07-21 07:49:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html