Red Hat Bugzilla – Bug 432751
Latest avc denials
Last modified: 2008-03-12 23:10:24 EDT
Description of problem:
While doing some updates today I got these denials.
SELinux is preventing /sbin/ldconfig (ldconfig_t) "read write" to socket
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "read write" to socket
SELinux is preventing /usr/sbin/nscd (nscd_t) "read write" to socket (unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "ioctl" to socket
Version-Release number of selected component (if applicable):
Always during updates; see alert counts in full logs for details.
Steps to Reproduce:
1. yum update <arbitrary-package>
This is a recent (2 days ago) relabel so I can't pin it on that,
[root@dexterFC5t1 ~]# cat /var/log/yum.log|tail -n 12
Feb 14 03:04:16 Updated: systemtap-runtime - 0.6.1-3.fc7.i386
Feb 14 03:04:21 Updated: systemtap - 0.6.1-3.fc7.i386
Feb 14 03:05:02 Updated: inotify-tools - 3.13-1.fc7.i386
Feb 14 03:05:05 Updated: gparted - 0.3.3-14.fc7.i386
Feb 14 03:05:08 Updated: busybox - 1:1.2.2-10.fc7.i386
Feb 14 03:05:11 Updated: busybox-anaconda - 1:1.2.2-10.fc7.i386
Feb 14 03:05:16 Updated: pkgconfig - 1:0.21-6.fc7.i386
Feb 14 03:05:18 Updated: python-exif - 1.0.7-3.fc7.noarch
Feb 14 03:11:07 Updated: vim-common - 2:7.1.245-1.fc7.i386
Feb 14 03:11:08 Updated: vim-minimal - 2:7.1.245-1.fc7.i386
Feb 14 03:11:19 Updated: vim-X11 - 2:7.1.245-1.fc7.i386
Feb 14 03:11:22 Updated: vim-enhanced - 2:7.1.245-1.fc7.i386
Created attachment 294888 [details]
Created attachment 294889 [details]
Created attachment 294890 [details]
Created attachment 294891 [details]
This looks like a leaked file descriptor from yum. It can safely be ignored.
SELinux is noting the open unix_stream_socket that yum is leaving open.
Eventually rpm execs a confined application, and the kernel closes the
descriptor, reporting the access.
from yum? If it is happening during the transaction I'm pretty sure it is in rpm.
[root@dexterFC5t1 ~]# rpm --version
RPM version 126.96.36.199
Yum can cause 'em just as well, been known to happen through urlgrabber leaving
descriptors open in some conditions. Dex, are you able to reproduce it when
upgrading manually with rpm (instead of yum)?
I haven't been able to reproduce it manually with rpm -Uvh *.rpm so I'm going
back to yum. Unrelated, but as a consequence I filed #435096 against yum-utils.
Bugs this late in the day for yum/rpm are a waste of time!
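The descriptor leak discussed in the comments above, as an added example (not part of the original report and not yum or rpm code): a Unix stream socket left inheritable is still open in an exec'd child, and setting close-on-exec before the exec removes it. It shows only the inheritance that triggers the denial, not the SELinux check itself; the function names are hypothetical and Linux with /proc and Python 3 is assumed.

```python
import os
import socket
import stat
import subprocess
import sys

# Child: report how it sees the descriptor number given in argv[1].
CHILD = (
    "import os, stat, sys\n"
    "try:\n"
    "    mode = os.fstat(int(sys.argv[1])).st_mode\n"
    "except OSError:\n"
    "    print('closed')\n"
    "else:\n"
    "    print('socket' if stat.S_ISSOCK(mode) else 'other')\n"
)

def inheritable_sockets():
    """Audit this process: socket descriptors that would survive an exec."""
    found = []
    for name in os.listdir("/proc/self/fd"):  # Linux-specific
        try:
            fd = int(name)
            if os.get_inheritable(fd) and stat.S_ISSOCK(os.fstat(fd).st_mode):
                found.append(fd)
        except OSError:  # descriptor used by listdir itself, already closed
            continue
    return found

def child_view(fd):
    """Exec a new interpreter and return how it sees descriptor `fd`."""
    result = subprocess.run(
        [sys.executable, "-c", CHILD, str(fd)],
        close_fds=False,  # disable subprocess's own cleanup of extra descriptors
        stdout=subprocess.PIPE, check=True, universal_newlines=True)
    return result.stdout.strip()

def demo():
    ours, peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)  # constructed
    with ours, peer:
        fd = ours.fileno()
        os.set_inheritable(fd, True)    # FD_CLOEXEC cleared: descriptor leaks
        leaked = (fd in inheritable_sockets(), child_view(fd))
        os.set_inheritable(fd, False)   # FD_CLOEXEC set: closed at exec
        fixed = (fd in inheritable_sockets(), child_view(fd))
    return leaked, fixed

if __name__ == "__main__":
    print(demo())
```

Calling `inheritable_sockets()` in a parent process just before it spawns helpers lists the descriptors that a confined child would inherit.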