Bug 432751 - Latest avc denials
Summary: Latest avc denials
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 7
Hardware: i686
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Panu Matilainen
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-14 04:51 UTC by dex
Modified: 2008-03-13 03:10 UTC
Last Closed: 2008-03-13 03:10:24 UTC


Attachments
denial #1 (2.05 KB, application/octet-stream)
2008-02-14 04:51 UTC, dex
denial #2 (2.09 KB, text/plain)
2008-02-14 04:53 UTC, dex
denial #3 (2.03 KB, text/plain)
2008-02-14 04:55 UTC, dex
denial #4 (2.08 KB, text/plain)
2008-02-14 04:55 UTC, dex

Description dex 2008-02-14 04:51:24 UTC
Description of problem:
While doing some updates today I got these denials.

SELinux is preventing /sbin/ldconfig (ldconfig_t) "read write" to socket
(unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "read write" to socket
(unconfined_t).
SELinux is preventing /usr/sbin/nscd (nscd_t) "read write" to socket (unconfined_t).
SELinux is preventing /usr/sbin/groupadd (groupadd_t) "ioctl" to socket
(unconfined_t).

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-70.fc7

How reproducible:
always during updates; see alert counts in full logs for details

Steps to Reproduce:
1. yum update <arbitrary-package>
Actual results:
avc's

Expected results:
no avc's

Additional info:
This is a recent (2 days ago) relabel so I can't pin it on that,
logs attached.
while updating:

[root@dexterFC5t1 ~]# cat /var/log/yum.log|tail -n 12
Feb 14 03:04:16 Updated: systemtap-runtime - 0.6.1-3.fc7.i386
Feb 14 03:04:21 Updated: systemtap - 0.6.1-3.fc7.i386
Feb 14 03:05:02 Updated: inotify-tools - 3.13-1.fc7.i386
Feb 14 03:05:05 Updated: gparted - 0.3.3-14.fc7.i386
Feb 14 03:05:08 Updated: busybox - 1:1.2.2-10.fc7.i386
Feb 14 03:05:11 Updated: busybox-anaconda - 1:1.2.2-10.fc7.i386
Feb 14 03:05:16 Updated: pkgconfig - 1:0.21-6.fc7.i386
Feb 14 03:05:18 Updated: python-exif - 1.0.7-3.fc7.noarch
Feb 14 03:11:07 Updated: vim-common - 2:7.1.245-1.fc7.i386
Feb 14 03:11:08 Updated: vim-minimal - 2:7.1.245-1.fc7.i386
Feb 14 03:11:19 Updated: vim-X11 - 2:7.1.245-1.fc7.i386
Feb 14 03:11:22 Updated: vim-enhanced - 2:7.1.245-1.fc7.i386

Comment 1 dex 2008-02-14 04:51:24 UTC
Created attachment 294888
denial #1

Comment 2 dex 2008-02-14 04:53:37 UTC
Created attachment 294889
denial #2

Comment 3 dex 2008-02-14 04:55:07 UTC
Created attachment 294890
denial #3

Comment 4 dex 2008-02-14 04:55:57 UTC
Created attachment 294891
denial #4

Comment 5 Daniel Walsh 2008-02-14 13:25:26 UTC
This looks like a leaked file descriptor from yum.  It can safely be ignored.

SELinux is noting the open unix_stream_socket that yum is leaving open.
Eventually rpm execs a confined application, and the kernel closes the
descriptor, reporting the access.
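
What Comment 5 describes, as an added example (not code from yum, rpm or urlgrabber): a Python audit that lists the socket descriptors a process would pass across exec, and shows that marking one close-on-exec keeps it out of the child. The socket pair is constructed for the demo, /proc/self/fd assumes Linux, and the function names are hypothetical.

```python
import fcntl
import os
import socket
import stat
import subprocess
import sys


def inheritable_sockets():
    """Return this process's socket fds (above stderr) that lack FD_CLOEXEC."""
    leaked = []
    for name in os.listdir("/proc/self/fd"):
        fd = int(name)
        if fd <= 2:
            continue
        try:
            is_sock = stat.S_ISSOCK(os.fstat(fd).st_mode)
            cloexec = fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC
        except OSError:
            continue  # the fd listdir() itself used; it is closed by now
        if is_sock and not cloexec:
            leaked.append(fd)
    return sorted(leaked)


def child_sees_socket(fd):
    """Exec a helper (stand-in for a scriptlet such as ldconfig) and report
    whether fd is still an open socket on the far side of exec."""
    probe = "import os,stat,sys; sys.exit(not stat.S_ISSOCK(os.fstat(%d).st_mode))" % fd
    rc = subprocess.call([sys.executable, "-c", probe],
                         close_fds=False, stderr=subprocess.DEVNULL)
    return rc == 0


def demo():
    """Return (audit hit, child sees fd) before and after marking close-on-exec."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)  # constructed sample
    fd = a.fileno()
    os.set_inheritable(fd, True)   # assumption: mimic an fd opened without FD_CLOEXEC
    before = (fd in inheritable_sockets(), child_sees_socket(fd))
    os.set_inheritable(fd, False)  # the fix: set FD_CLOEXEC before any exec
    after = (fd in inheritable_sockets(), child_sees_socket(fd))
    a.close()
    b.close()
    return before, after
```

Python 3.4 and later create descriptors non-inheritable by default (PEP 446), which is why the demo has to opt in to the leak.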

Comment 6 Seth Vidal 2008-02-14 13:33:00 UTC
From yum? If it is happening during the transaction I'm pretty sure it is in rpm.

Comment 7 dex 2008-02-14 19:22:39 UTC
[root@dexterFC5t1 ~]# rpm --version
RPM version 4.4.2.2

Comment 8 Panu Matilainen 2008-02-18 06:12:59 UTC
Yum can cause 'em just as well, been known to happen through urlgrabber leaving
descriptors open in some conditions. Dex, are you able to reproduce it when
upgrading manually with rpm (instead of yum)?

Comment 9 dex 2008-02-27 11:10:00 UTC
I haven't been able to reproduce it manually with rpm -Uvh *.rpm so I'm going
back to yum. Unrelated, but as a consequence I filed #435096 against yum-utils.

Comment 10 dex 2008-03-13 03:10:24 UTC
Bugs this late in the day for yum/rpm are a waste of time!

