Bug 470170 - using semodule -i postgresqllocal.pp genrates AVC
using semodule -i postgresqllocal.pp genrates AVC
Status: CLOSED DUPLICATE of bug 477508
Product: Fedora
Classification: Fedora
Component: kdebase (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Ngo Than
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-11-05 23:31 EST by Gabriel Ramirez
Modified: 2009-01-09 16:09 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-09 16:09:45 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
AVCs generated from execute semodule -i postgresqllocal.pp (8.29 KB, application/octet-stream)
2008-11-05 23:31 EST, Gabriel Ramirez
no flags Details
AVC generated from execute semodule -i postgresqllocal.pp only one AVC generated this time (2.76 KB, application/octet-stream)
2008-11-06 12:33 EST, Gabriel Ramirez
no flags Details

  None (edit)
Description Gabriel Ramirez 2008-11-05 23:31:20 EST
Created attachment 322664 [details]
AVCs generated from execute semodule -i postgresqllocal.pp

Description of problem:
I compiled a postgresqllocal.pp module because a few missing selinux rules in postgresql and when I try to execute:
- semodule -i postgresqllocal.pp as root 
- selinux policy generate the AVC attached 

so I did the following to solve the problem
-generate a semodulelocal.pp from the AVC attached, 
- disabled enforcing mode
- inserted the semodulelocal.pp
- enabled enforcing mode
- inserted postgresqllocal.pp

Version-Release number of selected component (if applicable):

additional selinux rpms installed


How reproducible:
Actual results:
AVC generated and denied normal operation of postgresql 

Expected results:
inserted posgresqllocal.pp and not AVC

Additional info:
Comment 1 Daniel Walsh 2008-11-06 08:39:18 EST
The terminal or program you are using to run semodule is leaking a file descriptor.

Are you doing this from kconsole?

 audit2allow -i semodulelocal 

#============= load_policy_t ==============
allow load_policy_t unconfined_t:unix_stream_socket { read write };

#============= semanage_t ==============
allow semanage_t unconfined_t:unix_stream_socket { read write };

#============= setfiles_t ==============
allow setfiles_t unconfined_t:unix_stream_socket { read write };

The problem is a leaked file descriptor is being handed to all these apps and SELinux is just telling you about them.

The bug is in the console not in SELinux.
Comment 2 Gabriel Ramirez 2008-11-06 12:33:08 EST
Created attachment 322762 [details]
AVC generated from execute semodule -i postgresqllocal.pp only one AVC generated this time
Comment 3 Gabriel Ramirez 2008-11-06 12:36:23 EST
no, I'm executing audit2allow -M postgresqllocal < postgresqllocal is wrong??

yeah I'm in kconsole, logged s normal user and executed a su -

please let me list the steps to reproduce the problem:

[root@lexington ~]# service postgresql stop
Stopping postgresql service:                               [  OK  ]
[root@lexington ~]# semodule -r postgresqllocal
[root@lexington ~]# echo 0 > /selinux/enforce
[root@lexington ~]# semodule -r semodulelocal
[root@lexington ~]# echo 1 > /selinux/enforce
[root@lexington ~]# service postgresql start

at this point two AVCs are generated and two postgresql processes are unable to
start so I copy each one from settroubleshoot browser into a diferent kconsole
session as a normal user:

[account@lexington ~]$ vim postgresqllocal
[account@lexington ~]$ audit2allow -M postgresqllocal < postgresqllocal

as root:

[root@lexington ~]# service postgresql stop
[root@lexington ~]# semodule -i /home/gabriel/selinux/postgresqllocal.pp

only one AVC is generated  by the above semodule. I attached (id=322762) that AVC beforecommiting this entry, the other two in the first attachment weren't generated this time.

[root@lexington ~]# service postgresql start

postgresql at this time start and runs fine, so the AVC generated by semodule
is cosmetic? if the bug is in kconsole feel free to close or reassign the bug

thanks by your time
Comment 4 Daniel Walsh 2008-11-06 12:42:19 EST
Yes the leaked file descriptor one is cosmetic.  I have added the other one to selinux-policy-3.5.13-18.fc10.

konsole is leaking a file descriptor so I am reassigning to kdebase.
Comment 5 Bug Zapper 2008-11-25 23:51:12 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
Comment 6 Steven M. Parrish 2009-01-09 16:09:45 EST

*** This bug has been marked as a duplicate of bug 477508 ***

Note You need to log in before you can comment on or make changes to this bug.