SELinux is preventing restorecon (restorecon_t) "read write" to socket (rpm_t).

Summary:

SELinux is preventing restorecon (restorecon_t) "read write" to socket (rpm_t).

Detailed Description:

SELinux denied access requested by restorecon. It is not expected that this
access is required by restorecon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context root:system_r:restorecon_t:SystemLow-SystemHigh
Target Context root:system_r:rpm_t:SystemLow-SystemHigh
Target Objects socket [ tcp_socket ]
Source restorecon
Source Path /sbin/restorecon
Port <Unknown>
Host x
Source RPM Packages policycoreutils-1.33.12-14.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-137.1.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name x
Platform Linux x
                              2.6.18-92.el5xen #1 SMP Tue Jun 10 19:20:18 EDT
                              2008 x86_64 x86_64
Alert Count 7
First Seen Sat 04 Oct 2008 07:38:52 PM EDT
Last Seen Sat 04 Oct 2008 08:00:41 PM EDT
Local ID 23b41dee-b644-45be-8ceb-dab3fd0d8c37
Line Numbers

Raw Audit Messages

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79114]" dev=sockfs ino=79114 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79127]" dev=sockfs ino=79127 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79134]" dev=sockfs ino=79134 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { read write } for pid=12341 comm="restorecon" path="socket:[79142]" dev=sockfs ino=79142 scontext=root:system_r:restorecon_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_t:s0-s0:c0.c1023 tclass=tcp_socket

host=x type=AVC msg=audit(1223164841.253:104): avc: denied { write } for pid=12341 comm="restorecon" path="/var/lib/yum/transaction-done.2008-10-04.19:38.55" dev=dm-0 ino=119298...

I fail to see why this is an rpm problem. Next try: selinux-policy.

Well it is actually a leaked file descriptor in either yum or rpm. restorecon does not look at /var/lib/rpm/__db.000 or the tcp_socket.

All file descriptors in yum/rpm should be closed on exec, to prevent leaks of file descriptors.

Since one of the links is

/var/lib/yum/transaction-done.2008-10-04.19:38.55

I will blame it on yum for now.

fcntl(fd, F_SETFD, FD_CLOEXEC) or similar for python.

Are you saying all the filedescriptors should be closed when the selinux scriptlet is exec'd or am I misreading you here.

Sorry for the confusion. It is rpm's responsibility to set fcntl(fd, F_SETFD, FD_CLOEXEC) for all file descriptors before calling the scriptlets. This is done but not at the right place.

*** This bug has been marked as a duplicate of bug 222822 ***