RPM

SELinux is preventing restorecon (restorecon_t) "read write" to socket (rpm_t).

Bug #651516 reported by Jeff Johnson
This bug affects 1 person
Affects   Status    Importance   Assigned to   Milestone
RPM       New       Undecided    Unassigned
Fedora    Invalid   Medium

Bug Description

tracker

James (james-redhat-bugs) wrote:

Summary:

SELinux is preventing restorecon (restorecon_t) "read write" to socket (rpm_t).

Detailed Description:

SELinux denied access requested by restorecon. It is not expected that this
access is required by restorecon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context          root:system_r:restorecon_t:SystemLow-SystemHigh
Target Context          root:system_r:rpm_t:SystemLow-SystemHigh
Target Objects          socket [ tcp_socket ]
Source                  restorecon
Source Path             /sbin/restorecon
Port                    <Unknown>
Host                    x
Source RPM Packages     policycoreutils-1.33.12-14.el5
Target RPM Packages
Policy RPM              selinux-policy-2.4.6-137.1.el5
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             catchall
Host Name               x
Platform                Linux x 2.6.18-92.el5xen #1 SMP Tue Jun 10 19:20:18 EDT 2008 x86_64 x86_64
Alert Count             7
First Seen              Sat 04 Oct 2008 07:38:52 PM EDT
Last Seen               Sat 04 Oct 2008 08:00:41 PM EDT
Local ID                23b41dee-b644-45be-8ceb-dab3fd0d8c37
Line Numbers

Raw Audit Messages

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79114]" dev=sockfs ino=79114 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79127]" dev=sockfs ino=79127 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79134]" dev=sockfs ino=79134 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79142]" dev=sockfs ino=79142 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { write } for pid=12341 comm="restorecon" path="/var/lib/yum/transaction-done.2008-10-04.19:38.55" dev=dm-0 ino=119298...


Florian (florian-redhat-bugs) wrote:

I fail to see why this is an rpm problem. Next try: selinux-policy.

Daniel (daniel-redhat-bugs) wrote:

Well, it is actually a leaked file descriptor in either yum or rpm. restorecon does not look at /var/lib/rpm/__db.000 or the tcp_socket.

All file descriptors in yum/rpm should be closed on exec, to prevent leaks of file descriptors.

Since one of the links is

/var/lib/yum/transaction-done.2008-10-04.19:38.55

I will blame it on yum for now.

fcntl(fd, F_SETFD, FD_CLOEXEC) or similar for python.

seth (seth-redhat-bugs) wrote:

Are you saying all the file descriptors should be closed when the selinux scriptlet is exec'd, or am I misreading you here?

Florian (florian-redhat-bugs) wrote:

Sorry for the confusion. It is rpm's responsibility to set fcntl(fd, F_SETFD, FD_CLOEXEC) for all file descriptors before calling the scriptlets. This is done but not at the right place.

*** This bug has been marked as a duplicate of bug 222822 ***
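The fix Florian describes (set FD_CLOEXEC on every open descriptor before the scriptlet is exec'd) and the symptom Daniel reads out of the AVC lines (the child process holding socket:[inode] and /var/lib/yum paths it never opened itself) are both easy to reproduce in a few lines. The following is an added example, not rpm's or yum's code: it opens descriptors the way a long-running parent does, sweeps them close-on-exec, and asks a stand-in "scriptlet" (/bin/sh) whether it can still see them. It assumes Linux with /proc mounted and /bin/sh present; the function names fd_is_cloexec, mark_all_cloexec and child_inherits_fd are hypothetical.

```c
/* Added example, not rpm's or yum's code. Demonstrates the close-on-exec
 * sweep a parent must do before exec'ing a scriptlet, and a check of what the
 * exec'd child actually inherits. Assumes Linux (/proc) and /bin/sh.
 * Function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd has FD_CLOEXEC set, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Set FD_CLOEXEC on one fd if it is open and not yet marked.
 * Returns 1 if the flag was changed, 0 otherwise. */
static int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0 || (flags & FD_CLOEXEC))
        return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0 ? 1 : 0;
}

/* Mark every open descriptor >= min_fd close-on-exec. Walks /proc/self/fd so
 * only descriptors that are really open are touched; falls back to probing
 * min_fd..OPEN_MAX-1 when /proc is unavailable. Returns the number changed. */
int mark_all_cloexec(int min_fd)
{
    int changed = 0;
    DIR *d = opendir("/proc/self/fd");
    if (d != NULL) {
        int skip = dirfd(d);            /* the directory stream's own fd */
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            char *end;
            long fd = strtol(e->d_name, &end, 10);
            if (e->d_name[0] == '.' || *end != '\0' || fd < min_fd || fd == skip)
                continue;
            changed += set_cloexec((int)fd);
        }
        closedir(d);
        return changed;
    }
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024;
    for (long fd = min_fd; fd < max; fd++)
        changed += set_cloexec((int)fd);
    return changed;
}

/* Exec a stand-in "scriptlet" (/bin/sh) and ask it whether descriptor fd is
 * still open in the child: 1 = inherited, 0 = not inherited, -1 = error.
 * This is the same check as `ls -l /proc/<pid>/fd` on a live scriptlet. */
int child_inherits_fd(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "test -L /proc/self/fd/%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}

int main(void)
{
    /* Constructed leak: a TCP socket and a pipe opened without CLOEXEC,
     * standing in for yum's network sockets and its transaction log file. */
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    int pfd[2];
    if (sock < 0 || pipe(pfd) < 0) {
        perror("setup");
        return 1;
    }
    printf("before sweep: child sees socket=%d pipe=%d\n",
           child_inherits_fd(sock), child_inherits_fd(pfd[1]));
    int n = mark_all_cloexec(3);        /* leave stdin/stdout/stderr alone */
    printf("marked %d descriptor(s) FD_CLOEXEC\n", n);
    printf("after sweep:  child sees socket=%d pipe=%d\n",
           child_inherits_fd(sock), child_inherits_fd(pfd[1]));
    return 0;
}
```

Build with `cc -o cloexec cloexec.c` and run it as an unprivileged user. The sweep is what a parent has to do after the fact, and it is the cheap fix for a library like rpm that cannot know what its caller opened; the race-free form is to create descriptors with O_CLOEXEC / SOCK_CLOEXEC in the first place, because a thread can fork between open() and the fcntl(). On the affected system the equivalent check is `ls -l /proc/<pid>/fd` on the running scriptlet: the socket:[79114]-style entries in the audit messages above are exactly those symlink targets.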

Jeff Johnson (n3npq)
tags: added: rhel scriptlet selinux
Changed in fedora:
importance: Unknown → Medium
status: Unknown → Invalid