Red Hat Bugzilla – Bug 632573
AVC on yum install, change policy to dontaudit
Last modified: 2014-10-24 04:25:47 EDT
Created attachment 446509 [details]
This is the yum repository configuration file in use when the AVC appeared.
Description of problem:
Received the attached AVC after install of a package. Consulted dwalsh on the #selinux IRC channel, who determined this was from a leaked file descriptor and suggested filing a BZ calling for an SELinux policy change.
Version-Release number of selected component (if applicable):
This was RHEL5.5 Server installed from internal Red Hat ISO.
How reproducible:
Uncertain. Happened twice in the same day, not happening next day.
Steps to Reproduce:
1. Install the condor-qmf package. (As of 9/10/2010, this was not yet released and was not available from the main RHN channel. I used the mrg-devel repository for yum to install this. The repository configuration file is attached)
Actual results:
The AVC alert shows up.
Expected results:
There should be no alert.
Snippet from #selinux IRC conversation:
(05:16:22 PM) dwalsh: tmckay: Leaked file descriptor
(05:16:29 PM) dwalsh: Nothing to worry about.
(05:16:38 PM) tmckay: dwalsh, thanks.
(05:16:50 PM) dwalsh: This is setfiles running in a post install script with its stdout set to the fifo_file owned by rpm.
(05:16:55 PM) dwalsh: Everything worked fine.
(05:17:35 PM) mcepl left the room (quit: Ping timeout: 240 seconds).
(05:18:35 PM) mattf: dwalsh, anything we can do to avoid throwing the avc? if it's all ok should the default policy be changed?
(05:18:52 PM) dwalsh: yes
(05:19:00 PM) dwalsh: It should be dontaudited.
(05:19:14 PM) dwalsh: Open a bugzilla
(05:20:10 PM) mattf: component?
(05:20:13 PM) dwalsh: In Current policy it is allowed
(05:20:15 PM) dwalsh: audit2allow -i /tmp/t
(05:20:16 PM) dwalsh: #============= setfiles_t ==============
(05:20:16 PM) dwalsh: #!!!! This avc is allowed in the current policy
(05:20:16 PM) dwalsh: allow setfiles_t rpm_script_t:fifo_file write;
(05:20:20 PM) dwalsh: selinux-policy
Created attachment 446511 [details]
This is the output from the alert.
Miroslav, can you grab the rpm_dontaudit_leaks code from RHEL6 and backport it to RHEL5?
Fixed in selinux-policy-2.4.6-285.el5.noarch
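The audit2allow output dwalsh pastes in the IRC snippet above is an `allow` rule (and the access is already allowed in the policy), while the fix the bug asks for is the `dontaudit` form, which keeps the access but stops the leaked-descriptor write from being logged. The script below is an added example, not code from the bug report or from selinux-policy: it parses an AVC line shaped like the one in the attachment (the sample values here are constructed, not copied from attachment 446511), emits both the `allow` rule audit2allow would print and the equivalent `dontaudit` rule, and wraps the latter in a small local policy module. The leaked-descriptor check is a heuristic of my own based on dwalsh's explanation (a write to a `pipe:` FIFO labelled with another domain's type), and the module name `local_rpm_leak` is assumed; the real RHEL fix used the `rpm_dontaudit_leaks` interface instead of a hand-written rule.

```shell
#!/bin/sh
# Constructed AVC line in the shape of the one attached to the bug:
# setfiles, run from an rpm %post scriptlet, writing to a FIFO that rpm
# owns. The pid, inode and timestamp are made-up sample values.
SAMPLE_AVC='type=AVC msg=audit(1284139800.123:4321): avc:  denied  { write } for  pid=12345 comm="setfiles" path="pipe:[987654]" dev=pipefs ino=987654 scontext=root:system_r:setfiles_t:s0 tcontext=root:system_r:rpm_script_t:s0 tclass=fifo_file'

# Constructed counter-example: a denial on a regular file, not a leaked fd.
SAMPLE_FILE_AVC='type=AVC msg=audit(1284139900.456:4322): avc:  denied  { write } for  pid=12346 comm="setfiles" path="/var/log/messages" dev=dm-0 ino=1234 scontext=root:system_r:setfiles_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY -> value of the "KEY=value" token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE -> the permission list between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_leaked_fd LINE -> success when the denial matches the leaked-descriptor
# pattern from the bug: a fifo_file write on a "pipe:" object whose label
# belongs to a different domain than the process (heuristic, not a policy API).
is_leaked_fd() {
    c=$(avc_field "$1" tclass)
    p=$(avc_field "$1" path)
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    [ "$c" = fifo_file ] || return 1
    case $p in pipe:*) ;; *) return 1 ;; esac
    [ "$s" != "$t" ]
}

# gen_rule LINE KIND -> one TE rule; KIND is "allow" (audit2allow's output)
# or "dontaudit" (what the bug requests). Multiple permissions get braces.
gen_rule() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1")
    case $p in *' '*) p="{ $p }" ;; esac
    printf '%s %s %s:%s %s;\n' "$2" "$s" "$t" "$c" "$p"
}

# gen_module LINE NAME -> a complete local .te module that dontaudits the
# access; the require block declares the types and class the rule uses.
gen_module() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perms "$1")
    case $p in *' '*) p="{ $p }" ;; esac
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
        "$2" "$s" "$t" "$c" "$p"
    gen_rule "$1" dontaudit
}

# Stand-alone run: show what audit2allow would print, then the module.
printf '# audit2allow would generate:\n'
gen_rule "$SAMPLE_AVC" allow
if is_leaked_fd "$SAMPLE_AVC"; then
    printf '\n# leaked-fd pattern, suppress instead of allow:\n'
    gen_module "$SAMPLE_AVC" local_rpm_leak
fi
```

Saved as `local_rpm_leak.te`, the generated module is built and loaded on a RHEL5 host with `checkmodule -M -m -o local_rpm_leak.mod local_rpm_leak.te`, `semodule_package -o local_rpm_leak.pp -m local_rpm_leak.mod` and `semodule -i local_rpm_leak.pp`; that is the same mechanism the shipped policy fix uses, only with a hand-written rule rather than the `rpm_dontaudit_leaks` interface.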
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of
Red Hat Enterprise Linux. The error has been fixed and this
request has been re-proposed for the current release.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.