Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 236448 - Multiple denies during software upgrade
Summary: Multiple denies during software upgrade
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pirut
Version: 6
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeremy Katz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-04-14 11:15 UTC by Michael De La Rue
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-29 18:17:16 UTC


Attachments (Terms of Use)
audit denies during today (deleted)
2007-04-14 11:15 UTC, Michael De La Rue
no flags Details
exerpt of /var/log/messages (slightly filtered) (deleted)
2007-04-14 11:16 UTC, Michael De La Rue
no flags Details
update history for packages updated during problem. (deleted)
2007-04-14 11:17 UTC, Michael De La Rue
no flags Details

Description Michael De La Rue 2007-04-14 11:15:14 UTC
Description of problem:
During a software upgrade driven by pup, I had multiple AVC denies.  These
included denies on running restorecon, so I suspect that the system state became
incorrect.  

The following packages caused alerts
shadow-utils-4.0.17-12.fc6 
module-init-tools-3.3-0.pre1.4.17
policycoreutils-1.34.1-4.fc6 (due to update of selinux-policy-targeted.noarch?)
iputils-20020927-41.fc

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-54.fc6

How reproducible:
Happened once so far.  Reproduction not attempted since it would be a big job.

Steps to Reproduce:
1. pup says there are software updates, say yes
2.
3.
  
Actual results:
during software updates there are four AVC denies.

Expected results:
software installs silently and correctly



Additional info:

Comment 1 Michael De La Rue 2007-04-14 11:15:15 UTC
Created attachment 152607 [details]
audit denies during today

Comment 2 Michael De La Rue 2007-04-14 11:16:24 UTC
Created attachment 152608 [details]
exerpt of /var/log/messages (slightly filtered)

Comment 3 Michael De La Rue 2007-04-14 11:17:18 UTC
Created attachment 152609 [details]
update history for packages updated during problem.

Comment 4 Daniel Walsh 2007-04-16 14:18:36 UTC
These are leaked file descriptors by pup/rpm, or what ever tool you were using
to update.  Luckily they do not effect the update.  Any app that execs other
apps should make sure that all file descriptors are closed before the exec. 
SELinux checks all open file descriptors for access before running a confined
app, which triggers these avc messages.  After the denial, the kernel closes the
file descriptors and continues the application.

Changing this bug to pirut

Comment 5 Jeremy Katz 2007-04-16 14:39:54 UTC
Do you just see this with pup or do you also see it with just using yum?  I
can't think of anything which would be pup specific here.

Comment 6 Michael De La Rue 2007-05-27 13:09:48 UTC
It was a one off thing and hasn't repeated.  I have run yum directly and have
never seen such a thing again.  


Note You need to log in before you can comment on or make changes to this bug.