Bug 632573 - AVC on yum install, change policy to dontaudit
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks:
Reported: 2010-09-10 09:17 EDT by Trevor McKay
Modified: 2014-10-24 04:25 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-21 05:21:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
This is the yum repository configuration file in use when the AVC appeared. (206 bytes, application/octet-stream)
2010-09-10 09:17 EDT, Trevor McKay
This is the output from the alert. (2.78 KB, text/plain)
2010-09-10 09:18 EDT, Trevor McKay

Description Trevor McKay 2010-09-10 09:17:16 EDT
Created attachment 446509 [details]
This is the yum repository configuration file in use when the AVC appeared.

Description of problem:

Received the attached AVC after install of a package.  Consulted dwalsh on the #selinux IRC channel, who determined this was from a leaked file descriptor and suggested filing a BZ calling for an SELinux policy change.

Version-Release number of selected component (if applicable):

This was RHEL5.5 Server installed from internal Red Hat ISO.

How reproducible:

Uncertain.  Happened twice in the same day, not happening the next day.

Steps to Reproduce:
1.  Install the condor-qmf package.  (As of 9/10/2010, this was not yet released and was not available from the main RHN channel. I used the mrg-devel repository for yum to install this.  The repository configuration file is attached)

Actual results:

The AVC alert shows up.

Expected results:

There should be no alert.

Additional info:

Snippet from #selinux IRC conversation:
(05:16:22 PM) dwalsh: tmckay: Leaked file descriptor
(05:16:29 PM) dwalsh: Nothing to worry about.
(05:16:38 PM) tmckay: dwalsh, thanks.
(05:16:50 PM) dwalsh: This is setfiles running in a post install script with its stdout set to the fifo_file owned by rpm.
(05:16:55 PM) dwalsh: Everything worked fine.
(05:17:35 PM) mcepl left the room (quit: Ping timeout: 240 seconds).
(05:18:35 PM) mattf: dwalsh, anything we can do to avoid throwing the avc? if it's all ok should the default policy be changed?
(05:18:52 PM) dwalsh: yes
(05:19:00 PM) dwalsh: It should be dontaudited.
(05:19:14 PM) dwalsh: Open a bugzilla
(05:20:10 PM) mattf: component?
(05:20:13 PM) dwalsh: In Current policy it is allowed 
(05:20:15 PM) dwalsh: audit2allow -i /tmp/t
(05:20:16 PM) dwalsh: #============= setfiles_t ==============
(05:20:16 PM) dwalsh: #!!!! This avc is allowed in the current policy
(05:20:16 PM) dwalsh: allow setfiles_t rpm_script_t:fifo_file write;
(05:20:20 PM) dwalsh: selinux-policy
Comment 1 Trevor McKay 2010-09-10 09:18:13 EDT
Created attachment 446511 [details]
This is the output from the alert.
Comment 2 Daniel Walsh 2010-09-10 10:46:45 EDT
Miroslav, can you grab the rpm_dontaudit_leaks code from RHEL6 and backport it to RHEL5?

	rpm_dontaudit_leaks(domain)
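The IRC snippet in the description shows the usual way to triage an AVC like this one: run the audit record through audit2allow, see whether the access is already allowed by the loaded policy, and if so decide that the denial should be silenced with a dontaudit rule rather than granted. The script below is an added example, not code from this bug report or from the selinux-policy package. It parses AVC lines in the standard audit format, collapses them into TE rules the way audit2allow does, flags the inherited-pipe pattern dwalsh diagnosed as a leaked descriptor (that heuristic is an assumption of this example), and renders a complete loadable-module source with its require block. The audit lines are constructed for the example; the real attachment is not reproduced on the page.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in the standard AVC format (not the attachment
# from the bug report). The two AVC lines model what the thread describes:
# setfiles, launched from an rpm post-install scriptlet, writing to a pipe it
# inherited from rpm_script_t. The SYSCALL line is there to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1284132900.123:4001): avc:  denied  { write } for  pid=12345 comm="setfiles" path="pipe:[98765]" dev=pipefs ino=98765 scontext=root:system_r:setfiles_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1284132900.123:4001): arch=c000003e syscall=1 success=yes exit=42 comm="setfiles"
type=AVC msg=audit(1284132901.456:4002): avc:  denied  { write } for  pid=12345 comm="setfiles" path="pipe:[98765]" dev=pipefs ino=98765 scontext=root:system_r:setfiles_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
PATH_RE = re.compile(r'\bpath="(?P<path>[^"]*)"')


def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(':')[2]


def parse_avcs(log_text):
    """Yield one record per AVC denial line; non-AVC lines (SYSCALL etc.) are skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        path_m = PATH_RE.search(line)
        yield {
            'source': context_type(m.group('scontext')),
            'target': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'perms': frozenset(m.group('perms').split()),
            'path': path_m.group('path') if path_m else None,
        }


def looks_like_leaked_descriptor(rec):
    """Heuristic (an assumption of this example, not a rule from the bug): a denial
    on an anonymous pipe, or on an fd object, is the classic signature of a
    descriptor the parent left open across exec, which is what dwalsh diagnosed."""
    if rec['tclass'] == 'fd':
        return True
    return rec['tclass'] == 'fifo_file' and (rec['path'] or '').startswith('pipe:')


def _perm_list(perms):
    names = ' '.join(sorted(perms))
    return names if len(perms) == 1 else '{ ' + names + ' }'


def te_rules(log_text, kind='dontaudit'):
    """Collapse denials into one TE rule per (source, target, class), audit2allow
    style. kind is 'dontaudit' (silence the log entry, grant nothing) or 'allow'."""
    merged = defaultdict(set)
    for rec in parse_avcs(log_text):
        merged[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return [f'{kind} {src} {tgt}:{cls} {_perm_list(perms)};'
            for (src, tgt, cls), perms in sorted(merged.items())]


def build_module(log_text, name='localleaks', version='1.0', kind='dontaudit'):
    """Render a complete loadable-module source (.te) with its require block."""
    class_perms = defaultdict(set)
    types = set()
    for rec in parse_avcs(log_text):
        types.update((rec['source'], rec['target']))
        class_perms[rec['tclass']] |= rec['perms']
    out = [f'module {name} {version};', '', 'require {']
    out += [f'    type {t};' for t in sorted(types)]
    out += [f'    class {cls} {_perm_list(perms)};' for cls, perms in sorted(class_perms.items())]
    out += ['}', '']
    out += te_rules(log_text, kind)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for rec in parse_avcs(SAMPLE_AUDIT_LOG):
        flag = 'leaked fd?' if looks_like_leaked_descriptor(rec) else ''
        print(rec['source'], rec['target'], rec['tclass'], sorted(rec['perms']), flag)
    print(build_module(SAMPLE_AUDIT_LOG))
```

The generated .te text can be compiled and loaded with the standard toolchain (`checkmodule -M -m -o localleaks.mod localleaks.te`, `semodule_package -o localleaks.pp -m localleaks.mod`, `semodule -i localleaks.pp`). Two points worth keeping in mind: a dontaudit rule only stops the denial from being logged, it grants nothing, which is why it is the right answer when audit2allow reports the access is already allowed; and since the errata policy carries this through the rpm_dontaudit_leaks(domain) interface, a local module like this is only an interim measure on a system that has not yet been updated. When you later need to see suppressed denials while debugging, `semodule -DB` rebuilds the policy with dontaudit rules disabled and `semodule -B` restores them.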
Comment 3 Miroslav Grepl 2010-09-24 06:32:34 EDT
Fixed in selinux-policy-2.4.6-285.el5.noarch
Comment 4 RHEL Product and Program Management 2011-01-11 14:55:01 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 5 RHEL Product and Program Management 2011-01-12 10:08:42 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 9 errata-xmlrpc 2011-07-21 05:21:15 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html
Comment 10 errata-xmlrpc 2011-07-21 07:49:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1069.html