Description of problem:
During a software upgrade driven by pup, I had multiple AVC denies. These included denies on running restorecon, so I suspect that the system state became incorrect.

The following packages caused alerts:
- shadow-utils-4.0.17-12.fc6
- module-init-tools-3.3-0.pre1.4.17
- policycoreutils-1.34.1-4.fc6 (due to update of selinux-policy-targeted.noarch?)
- iputils-20020927-41.fc

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-54.fc6

How reproducible:
Happened once so far. Reproduction not attempted since it would be a big job.

Steps to Reproduce:
1. pup says there are software updates, say yes

Actual results:
During software updates there are four AVC denies.

Expected results:
Software installs silently and correctly.

Additional info:
Created attachment 152607: audit denies during today
Created attachment 152608: excerpt of /var/log/messages (slightly filtered)
Created attachment 152609: update history for packages updated during problem.
These are leaked file descriptors by pup/rpm, or whatever tool you were using to update. Luckily they do not affect the update. Any app that execs other apps should make sure that all file descriptors are closed before the exec. SELinux checks all open file descriptors for access before running a confined app, which triggers these AVC messages. After the denial, the kernel closes the file descriptors and continues the application.

Changing this bug to pirut
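The close-before-exec rule from the comment above, as an added example (not code from pup, pirut, yum or rpm): a parent process audits which of its descriptors a child would inherit and marks them close-on-exec, so a confined program never receives them. The function names and the 65536 scan cap are assumptions made for this sketch, and the pipe in `main` is a constructed stand-in for a leaked handle.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is open and would survive exec(), 0 if closed or FD_CLOEXEC is set. */
int fd_leaks_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);     /* -1 (EBADF) if fd is not open */
    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Scan bound: the descriptor table limit, capped (assumed cap) at 65536. */
static int scan_limit(void)
{
    long n = sysconf(_SC_OPEN_MAX);
    return (n > 0 && n < 65536) ? (int)n : 65536;
}

/* Count descriptors >= lowfd that a child process would inherit. */
int count_leaky_fds(int lowfd)
{
    int n = 0, limit = scan_limit();
    for (int fd = lowfd; fd < limit; fd++)
        n += fd_leaks_on_exec(fd);
    return n;
}

/* Mark every open descriptor >= lowfd close-on-exec; returns how many changed. */
int set_cloexec_from(int lowfd)
{
    int changed = 0, limit = scan_limit();
    for (int fd = lowfd; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags != -1 && !(flags & FD_CLOEXEC) &&
            fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            changed++;
    }
    return changed;
}

int main(void)
{
    int p[2];
    if (pipe(p) != 0)                   /* constructed leaked handle */
        return 1;
    int before = count_leaky_fds(3);    /* 3: keep stdin/stdout/stderr */
    int changed = set_cloexec_from(3);
    int after = count_leaky_fds(3);
    printf("inheritable before=%d, marked=%d, after=%d\n", before, changed, after);
    return 0;
}
```

Opening descriptors with `O_CLOEXEC` in the first place avoids the window between `open()` and the later `fcntl()` call.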
Do you just see this with pup or do you also see it with just using yum? I can't think of anything which would be pup specific here.
It was a one off thing and hasn't repeated. I have run yum directly and have never seen such a thing again.