Bug 432751 - Latest avc denials
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: rpm
Version: 7
Hardware: i686 Linux
Priority: low
Severity: low
Assigned To: Panu Matilainen
QA Contact: Fedora Extras Quality Assurance

Reported: 2008-02-13 23:51 EST by dex
Modified: 2008-03-12 23:10 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-03-12 23:10:24 EDT

Attachments:
denial #1 (2.05 KB, application/octet-stream), 2008-02-13 23:51 EST, dex
denial #2 (2.09 KB, text/plain), 2008-02-13 23:53 EST, dex
denial #3 (2.03 KB, text/plain), 2008-02-13 23:55 EST, dex
denial #4 (2.08 KB, text/plain), 2008-02-13 23:55 EST, dex

Description dex 2008-02-13 23:51:24 EST
Description of problem:
While doing some updates today I got these denials.

SELinux is preventing /sbin/ldconfig (ldconfig_t) "read write" to socket
(unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "read write" to socket
(unconfined_t).
SELinux is preventing /usr/sbin/nscd (nscd_t) "read write" to socket (unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "ioctl" to socket
(unconfined_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-70.fc7

How reproducible:
Always during updates; see alert counts in the full logs for details.

Steps to Reproduce:
1. yum update <arbitrary-package>

Actual results:
avc's

Expected results:
no avc's

Additional info:
This is a recent (2 days ago) relabel so I can't pin it on that,
logs attached.
while updating:

[root@dexterFC5t1 ~]# cat /var/log/yum.log|tail -n 12
Feb 14 03:04:16 Updated: systemtap-runtime - 0.6.1-3.fc7.i386
Feb 14 03:04:21 Updated: systemtap - 0.6.1-3.fc7.i386
Feb 14 03:05:02 Updated: inotify-tools - 3.13-1.fc7.i386
Feb 14 03:05:05 Updated: gparted - 0.3.3-14.fc7.i386
Feb 14 03:05:08 Updated: busybox - 1:1.2.2-10.fc7.i386
Feb 14 03:05:11 Updated: busybox-anaconda - 1:1.2.2-10.fc7.i386
Feb 14 03:05:16 Updated: pkgconfig - 1:0.21-6.fc7.i386
Feb 14 03:05:18 Updated: python-exif - 1.0.7-3.fc7.noarch
Feb 14 03:11:07 Updated: vim-common - 2:7.1.245-1.fc7.i386
Feb 14 03:11:08 Updated: vim-minimal - 2:7.1.245-1.fc7.i386
Feb 14 03:11:19 Updated: vim-X11 - 2:7.1.245-1.fc7.i386
Feb 14 03:11:22 Updated: vim-enhanced - 2:7.1.245-1.fc7.i386
Comment 1 dex 2008-02-13 23:51:24 EST
Created attachment 294888
denial #1
Comment 2 dex 2008-02-13 23:53:37 EST
Created attachment 294889
denial #2
Comment 3 dex 2008-02-13 23:55:07 EST
Created attachment 294890
denial #3
Comment 4 dex 2008-02-13 23:55:57 EST
Created attachment 294891
denial #4
Comment 5 Daniel Walsh 2008-02-14 08:25:26 EST
This looks like a leaked file descriptor from yum.  It can safely be ignored.

SELinux is noting the open unix_stream_socket that yum is leaving open. 
Eventually rpm execs a confined application, and the Kernel closes the
descriptor reporting the access.
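
The leaked descriptor described in Comment 5, seen from the parent process's side, as an added example that is not part of the original bug thread or of yum/rpm: it lists descriptors lacking close-on-exec and shows a UNIX stream socket reaching a child before and after the flag is set. It assumes Linux with /proc and Python 3; the function names and the socket pair are constructed for illustration.

```python
import fcntl
import os
import socket
import stat
import subprocess
import sys

def leakable_fds(min_fd=3):
    """Return {fd: kind} for open descriptors that would survive an exec."""
    found = {}
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        if fd < min_fd:
            continue
        try:
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
            mode = os.fstat(fd).st_mode
        except OSError:
            continue  # descriptor used to list the directory, already closed
        if not flags & fcntl.FD_CLOEXEC:
            found[fd] = "socket" if stat.S_ISSOCK(mode) else "other"
    return found

def child_sees_socket(fd):
    """Exec a child and report whether fd is an open socket inside it."""
    code = ("import os, stat, sys; "
            "sys.exit(not stat.S_ISSOCK(os.fstat(int(sys.argv[1])).st_mode))")
    proc = subprocess.run([sys.executable, "-c", code, str(fd)],
                          close_fds=False, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def demo():
    """Constructed scenario: a UNIX stream socket left open across exec."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    fd = a.fileno()
    try:
        os.set_inheritable(fd, True)    # the leak: FD_CLOEXEC is not set
        before = (leakable_fds().get(fd), child_sees_socket(fd))
        os.set_inheritable(fd, False)   # the fix: FD_CLOEXEC is set
        after = (leakable_fds().get(fd), child_sees_socket(fd))
        return before, after
    finally:
        a.close()
        b.close()

if __name__ == "__main__":
    print(demo())
```

Running `leakable_fds()` just before a program spawns helpers gives the list of descriptors that a confined child would inherit and SELinux would report.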
Comment 6 Seth Vidal 2008-02-14 08:33:00 EST
From yum? If it is happening during the transaction I'm pretty sure it is in rpm.
Comment 7 dex 2008-02-14 14:22:39 EST
[root@dexterFC5t1 ~]# rpm --version
RPM version 4.4.2.2
Comment 8 Panu Matilainen 2008-02-18 01:12:59 EST
Yum can cause 'em just as well, been known to happen through urlgrabber leaving
descriptors open in some conditions. Dex, are you able to reproduce it when
upgrading manually with rpm (instead of yum)?
Comment 9 dex 2008-02-27 06:10:00 EST
I haven't been able to reproduce it manually with rpm -Uvh *.rpm so I'm going
back to yum. Unrelated, but as a consequence I filed #435096 against yum-utils.
Comment 10 dex 2008-03-12 23:10:24 EDT
Bugs this late in the day for yum/rpm are a waste of time!