Created attachment 322664 [details]
AVCs generated from executing semodule -i postgresqllocal.pp

Description of problem:
I compiled a postgresqllocal.pp module because of a few missing selinux rules in postgresql, and when I try to execute:
- semodule -i postgresqllocal.pp as root
- the selinux policy generates the AVC attached
so I did the following to solve the problem:
- generated a semodulelocal.pp from the AVC attached,
- disabled enforcing mode
- inserted the semodulelocal.pp
- enabled enforcing mode
- inserted postgresqllocal.pp

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.5.13-11.fc10.noarch

additional selinux rpms installed:
libselinux-2.0.73-1.fc10.i386
libselinux-devel-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-3.5.13-11.fc10.noarch

How reproducible:
always

Actual results:
AVC generated and denied normal operation of postgresql

Expected results:
postgresqllocal.pp inserted and no AVC

Additional info:
The terminal or program you are using to run semodule is leaking a file descriptor. Are you doing this from kconsole?

audit2allow -i semodulelocal

#============= load_policy_t ==============
allow load_policy_t unconfined_t:unix_stream_socket { read write };

#============= semanage_t ==============
allow semanage_t unconfined_t:unix_stream_socket { read write };

#============= setfiles_t ==============
allow setfiles_t unconfined_t:unix_stream_socket { read write };

The problem is a leaked file descriptor is being handed to all these apps and SELinux is just telling you about them. The bug is in the console, not in SELinux.
Created attachment 322762 [details]
AVC generated from executing semodule -i postgresqllocal.pp

Only one AVC generated this time.
No, I'm executing audit2allow -M postgresqllocal < postgresqllocal. Is that wrong??

Yeah, I'm in kconsole, logged in as a normal user, and executed a su -.

Please let me list the steps to reproduce the problem:

[root@lexington ~]# service postgresql stop
Stopping postgresql service: [ OK ]
[root@lexington ~]# semodule -r postgresqllocal
[root@lexington ~]# echo 0 > /selinux/enforce
[root@lexington ~]# semodule -r semodulelocal
[root@lexington ~]# echo 1 > /selinux/enforce
[root@lexington ~]# service postgresql start

At this point two AVCs are generated and two postgresql processes are unable to start, so I copy each one from the setroubleshoot browser into a different kconsole session as a normal user:

[account@lexington ~]$ vim postgresqllocal
[account@lexington ~]$ audit2allow -M postgresqllocal < postgresqllocal

As root:

[root@lexington ~]# service postgresql stop
[root@lexington ~]# semodule -i /home/gabriel/selinux/postgresqllocal.pp

Only one AVC is generated by the above semodule. I attached (id=322762) that AVC before committing this entry; the other two in the first attachment weren't generated this time.

[root@lexington ~]# service postgresql start

postgresql at this time starts and runs fine, so the AVC generated by semodule is cosmetic?

If the bug is in kconsole, feel free to close or reassign the bug. Thanks for your time.
Yes the leaked file descriptor one is cosmetic. I have added the other one to selinux-policy-3.5.13-18.fc10. konsole is leaking a file descriptor so I am reassigning to kdebase.
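The distinction drawn in this thread (a leaked-descriptor denial that is cosmetic versus a denial that is a genuine policy gap) can be automated when triaging audit logs. The following is an added example written for this page, not code from the bug, Fedora or the SELinux tools; the AVC records are constructed to mirror the audit2allow output quoted above, the fourth record is a hypothetical postgresql denial, and the set of object classes treated as descriptor leaks is an assumption to adjust per environment.

```python
import re

# Constructed sample records in audit-log AVC shape (not the bug's attachments):
# lines 1-3 mirror the audit2allow output above, line 4 is a hypothetical
# postgresql denial standing in for the real one.
SAMPLE_AVCS = """\
type=AVC msg=audit(1226000000.101:201): avc:  denied  { read write } for  pid=2101 comm="load_policy" path="socket:[31337]" dev=sockfs ino=31337 scontext=unconfined_u:unconfined_r:load_policy_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1226000000.102:202): avc:  denied  { read write } for  pid=2102 comm="semodule" path="socket:[31337]" dev=sockfs ino=31337 scontext=unconfined_u:unconfined_r:semanage_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1226000000.103:203): avc:  denied  { read write } for  pid=2103 comm="setfiles" path="socket:[31337]" dev=sockfs ino=31337 scontext=unconfined_u:unconfined_r:setfiles_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1226000000.104:204): avc:  denied  { write } for  pid=2104 comm="postmaster" name="pgstartup.log" dev=sda3 ino=4242 scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Classes an inherited descriptor usually shows up as (assumption; extend, e.g. chr_file for a pty).
LEAK_CLASSES = {'unix_stream_socket', 'fd'}
LEAK_PERMS = {'read', 'write', 'getattr', 'ioctl'}

def ctx_type(ctx):
    return ctx.split(':')[2]          # type field of user:role:type[:level]

def parse_avc(line):
    """Fields of one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['perms'] = set(rec['perms'].split())
    return rec

def classify(rec, caller_domain='unconfined_t'):
    """'leaked-fd' when a tool run from caller_domain is denied plain I/O on a
    descriptor object still labelled with that domain; else 'policy-gap'."""
    if (rec['tclass'] in LEAK_CLASSES
            and ctx_type(rec['tcontext']) == caller_domain
            and rec['perms'] <= LEAK_PERMS):
        return 'leaked-fd'
    return 'policy-gap'

def triage(audit_text, caller_domain='unconfined_t'):
    """Bucket AVC lines as (source type, class, perms) tuples per verdict."""
    out = {'leaked-fd': [], 'policy-gap': []}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (ctx_type(rec['scontext']), rec['tclass'], ' '.join(sorted(rec['perms'])))
            out[classify(rec, caller_domain)].append(key)
    return out
```

Only the 'policy-gap' bucket is worth feeding to audit2allow -M; the 'leaked-fd' bucket points at the launching program (here the terminal) rather than at the policy.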
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
*** This bug has been marked as a duplicate of bug 477508 ***