Description of problem:
During a software upgrade driven by pup, I had multiple AVC denies. These
included denies on running restorecon, so I suspect that the system state became
The following packages caused alerts
policycoreutils-1.34.1-4.fc6 (due to update of selinux-policy-targeted.noarch?)
Version-Release number of selected component (if applicable):
Happened once so far. Reproduction not attempted since it would be a big job.
Steps to Reproduce:
1. pup says there are software updates, say yes
during software updates there are four AVC denies.
software installs silently and correctly
Created attachment 152607 [details]
audit denies during today
Created attachment 152608 [details]
exerpt of /var/log/messages (slightly filtered)
Created attachment 152609 [details]
update history for packages updated during problem.
These are leaked file descriptors by pup/rpm, or what ever tool you were using
to update. Luckily they do not effect the update. Any app that execs other
apps should make sure that all file descriptors are closed before the exec.
SELinux checks all open file descriptors for access before running a confined
app, which triggers these avc messages. After the denial, the kernel closes the
file descriptors and continues the application.
Changing this bug to pirut
Do you just see this with pup or do you also see it with just using yum? I
can't think of anything which would be pup specific here.
It was a one off thing and hasn't repeated. I have run yum directly and have
never seen such a thing again.