Bug 782151

Summary: RPM Python Bindings are leaking. This has caused a huge leak in setroubleshoot, when it hits an AVC storm.
Product: Red Hat Enterprise Linux 5 Reporter: Daniel Walsh <dwalsh>
Component: rpmAssignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.8CC: dmalcolm, ffesti, jnovy, mgrepl, pmatilai
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 782147 Environment:
Last Closed: 2013-03-07 16:40:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 782147    
Bug Blocks: 782150    

Description Daniel Walsh 2012-01-16 16:34:01 UTC 
+++ This bug was initially created as a clone of Bug #782147 +++

setroubleshoot uses the rpm python bindings and is a long running service, Each time an AVC arrives it checks on the version of selinux policy, the kernel, and potentially the version of the source program and the target program to identify which version of the package was being used.  If we are hit with a storm of AVC's we are seeing the memory skyrocket.  We diagnosed the problem to rpm python bindings leaking.  For now we are removing the bindings and going to executing rpm -qf PATH. Not an ideal solution, but we need this fix in RHEL5 and RHEL6. As well as Fedora.

--- Additional comment from dwalsh on 2012-01-16 11:32:37 EST ---

Dave Malcolm, believes he has a fix for this problem.

http://lists.rpm.org/pipermail/rpm-maint/2011-December/003138.html
Comment 1 Panu Matilainen 2013-03-07 16:40:38 UTC 
The python bindings in RHEL-5 differ significantly from those of RHEL-6, and those particular leaks are not present in RHEL-5 AFAICT (hence NOTABUG).

The bindings in RHEL-5 might well have some other leaks (the old librpm API has some unfixable leaks in itself), but those would need to be analyzed separately. Since you already have a workaround in place anyway, I dont think its worth the trouble for RHEL-5 at this point.