From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux)

Description of problem:
avc: denied { read } for pid=2116 exe=/sbin/ldconfig path=/var/cache/yum/development/packages/nss_ldap-207-6.i386.rpm dev=hda1 ino=440249 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:var_t tclass=file

Above is the error message returned when a library package is installed on an SE Linux system. The file handle for the rpm is inherited by ldconfig from either YUM or RPM. Not sure which; if it's not done by yum then please re-assign to RPM.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Install a library package.

Expected Results:
Should not have inherited the open file.

Additional info:
yum never calls ldconfig directly so I'm guessing this is happening during the %post of the rpm install. Also changing this to test1 so it can be more easily picked up in searches.
file handle is RDONLY at EOF, yes. There's a whole class of problems here, not just ldconfig, and possibly not just the *.rpm file handle. Can you describe the context and goal of the policy so that I can try to address the entire class of problems across all packages in the distro please?
Handled by imposing FD_CLOEXEC on fdno's 3-100. UPSTREAM because the better fix is to do in yum itself.
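The fix above (marking descriptors 3-100 close-on-exec so that a %post script or ldconfig no longer inherits the open *.rpm handle) can be reproduced in a few lines of C. The following is an added example written for this thread, not code from rpm or yum: it opens a read-only file without O_CLOEXEC, shows that an exec'd /bin/sh child can still read from that descriptor, applies an FD_CLOEXEC sweep over the same fd range the comment describes, and shows the child no longer sees it. The helper names (fd_is_cloexec, mark_cloexec_range, child_inherits_fd) and the use of "<&N" in the child as the inheritance probe are the example's own choices.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 if fd is not open. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark every open descriptor in [lo, hi] close-on-exec, leaving 0-2 alone when
   lo >= 3. This is the blanket sweep the comment above describes (fdno's 3-100).
   Returns the number of descriptors newly marked. */
int mark_cloexec_range(int lo, int hi) {
    int n = 0;
    for (int fd = lo; fd <= hi; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0) continue;            /* not an open descriptor */
        if (flags & FD_CLOEXEC) continue;   /* already close-on-exec */
        if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0) n++;
    }
    return n;
}

/* Fork and exec /bin/sh with the command "2>/dev/null <&N". The shell tries to
   dup descriptor N onto its stdin; that fails with EBADF (non-zero exit) when N
   was closed on exec, and succeeds (exit 0) when N leaked into the child.
   Returns 1 if the child inherited fd, 0 if not, -1 on fork/wait error. */
int child_inherits_fd(int fd) {
    char cmd[48];
    snprintf(cmd, sizeof cmd, "2>/dev/null <&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    /* Constructed stand-in for the yum cache *.rpm: a read-only descriptor
       opened the old way, without O_CLOEXEC, at an fd number of 3 or above. */
    int raw = open("/dev/null", O_RDONLY);
    int fd = fcntl(raw, F_DUPFD, 3);
    close(raw);

    printf("before sweep: cloexec=%d, inherited by child=%d\n",
           fd_is_cloexec(fd), child_inherits_fd(fd));
    int marked = mark_cloexec_range(3, 100);
    printf("marked %d descriptor(s) close-on-exec\n", marked);
    printf("after sweep:  cloexec=%d, inherited by child=%d\n",
           fd_is_cloexec(fd), child_inherits_fd(fd));
    close(fd);
    return 0;
}
```

The sweep is a belt-and-braces workaround for descriptors opened by code you do not control (here, whichever of yum or rpm opened the package file); the cleaner fix the last comment points at is for the opener to pass O_CLOEXEC at open() time so the handle never crosses an exec in the first place.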