Summary:

SELinux is preventing /usr/bin/python "connectto" access on /var/run/avahi-daemon/socket.

This is caused by having proxy=http://something.local in /etc/yum.conf. Abrt runs yum-downloader, which in turn needs to resolve *.local domain, and nss-mdns asks avahi for it.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by yum. It is not expected that this access is required by yum and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context                system_u:system_r:avahi_t:s0
Target Objects                /var/run/avahi-daemon/socket [ unix_stream_socket ]
Source                        yum
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.5-17.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.8.5-1.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35-0.2.rc3.git0.fc14.x86_64 #1 SMP Tue Jun 22 23:41:48 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Fri, 25 Jun 2010, 14:32:39
Last Seen                     Fri, 25 Jun 2010, 14:32:39
Local ID                      f9320e59-a1f5-4d30-8f27-712750837504
Line Numbers

Raw Audit Messages

node=(usunięto) type=AVC msg=audit(1277469159.289:53415): avc: denied { connectto } for pid=16217 comm="yum" path="/var/run/avahi-daemon/socket" scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:system_r:avahi_t:s0 tclass=unix_stream_socket

node=(usunięto) type=SYSCALL msg=audit(1277469159.289:53415): arch=c000003e syscall=42 success=yes exit=4294967424 a0=9 a1=7f18d86fe1c0 a2=6e a3=7f18d86fdf40 items=0 ppid=16215 pid=16217 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,yum,abrt_t,avahi_t,unix_stream_socket,connectto

audit2allow suggests:

#============= abrt_t ==============
allow abrt_t avahi_t:unix_stream_socket connectto;
James, Any idea why yum would be connecting to the avahi socket?
Miroslav, Add sysnet_dns_name_resolve(abrt_t)
Fixed in selinux-policy-3.8.6-1.fc14
Not sure if you worked it out, but from the first comment: "which in turn need to resolve *.local domain, and nss-mdns asks avahi for it." ...we might get downloads/DNS happening in a separate process at some point, but for now they are in yum.
Yes I stumbled upon the answer.