Updating selinux-policy-targeted Causes SELinux Denials

Paul Howarth paul at city-fan.org
Tue Nov 6 16:19:11 UTC 2007


Daniel J Walsh wrote:
> 
> Richi Plana wrote:
>> Hi,
>>
>> Should I be concerned that every time an update to
>> selinux-policy-targeted occurs, it causes actions that the current
>> running SELinux seems to prevent? I'm talking about SELinux
>> preventing /usr/sbin/semodule (semanage_t) and /sbin/restorecon
>> (restorecon_t) "write"ing to a pipe with label "rpm_t".
>>
>> Are these actions legal? And does SELinux preventing them cause an error
>> in the actual install? Or should these just be treated as warnings?
>>
>> I'm guessing that the selinux applications are just trying to
>> communicate back to the RPM process. I'm wondering if there's anything
>> important in that communication that should be allowed, or if not, there
>> must be some way to clean this up.
>>
>> (If this isn't the right place to ask, could someone redirect me to the
>> correct one?)
>> --
>>
>> Richi Plana
>>
> No, I am hoping to eliminate a lot of these in the future. What these
> AVCs are referring to is the redirection of stdout/stderr. When rpm is
> running an update it redirects the terminal output to its fifo_files. So
> any confined domain that runs as part of a post install script will
> check whether it has access to stdin, stdout, stderr on the terminal or
> whatever is acting as the terminal. Since these confined domains do not
> have policy allowing them to talk to pipes owned by rpm, the kernel
> generates avc messages and closes the file descriptors and replaces them
> with open file descriptors to /dev/null. The apps will continue running
> and complete successfully, but ugly avc messages are generated. In
> updates to policy I am going to start globally dontauditing these accesses.
> 
> 
> # Allow all domains to use fds passed to them
> allow domain domain:fd use;
> optional_policy(`
> 	rpm_dontaudit_rw_pipes(domain)
> ')
> 
> Should be in Fedora 8 and beyond as well as in the next update to Fedora 7.
> 
> Redirection of stdout/stderr accounts for the largest percentage of
> SELinux AVCs and most are just noise.

The net effect of this is to throw away any scriptlet output (e.g. error 
messages), isn't it? Whilst people running a GUI update tool won't see 
these anyway, those of us luddites who still use yum from the command line so as 
to see if there are any problems during an update won't be able to see 
this output.

Yes, I know that this doesn't represent a change from current policy; I 
usually add local policy to allow this output when I see the avcs, but 
if they're dontaudited then I won't see any hint of there being a problem.

Paul.
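As an added illustration of the two policy choices discussed in this thread (not part of the original posts, and not the real audit2allow tool), the script below turns AVC denials like the ones Richi describes into either the allow rules Paul adds locally, which let scriptlet output reach rpm's pipe, or the dontaudit rules Dan proposes, which only silence the log while the write still fails. The AVC records, the module name and the function names are constructed for this example.

```python
import re

# Constructed AVC records in audit-log format, modelled on the denials the thread
# describes (semodule/restorecon writing to an rpm_t pipe); not copied from the post.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1194364751.123:42): avc:  denied  { write } for  pid=1234 '
    'comm="semodule" path="pipe:[5678]" dev=pipefs ino=5678 '
    'scontext=system_u:system_r:semanage_t:s0 tcontext=system_u:system_r:rpm_t:s0 '
    'tclass=fifo_file',
    'type=AVC msg=audit(1194364752.456:43): avc:  denied  { write } for  pid=1235 '
    'comm="restorecon" path="pipe:[5678]" dev=pipefs ino=5678 '
    'scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:rpm_t:s0 '
    'tclass=fifo_file',
    'type=AVC msg=audit(1194364752.789:44): avc:  denied  { use } for  pid=1235 '
    'comm="restorecon" path="pipe:[5678]" dev=pipefs ino=5678 '
    'scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:system_r:rpm_t:s0 '
    'tclass=fd',
    'type=SYSCALL msg=audit(1194364752.789:44): arch=c000003e syscall=1 success=no',
]

DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None  # SYSCALL/PATH records and non-denials are skipped
    fields = dict(FIELD_RE.findall(line))
    # A context is user:role:type[:level]; policy rules name the type.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], frozenset(m.group(1).split())


def rules_from_avcs(lines, dontaudit=False):
    """Merge denials into one rule per (source, target, class), audit2allow-style.
    allow grants the access so output reaches rpm's pipe; dontaudit only stops
    the kernel logging the denial, the write itself still fails."""
    merged = {}
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    keyword = 'dontaudit' if dontaudit else 'allow'
    return [f'{keyword} {s} {t}:{c} {{ {" ".join(sorted(p))} }};'
            for (s, t, c), p in sorted(merged.items())]


def local_module(name, lines, dontaudit=False):
    """Wrap the rules in loadable-module (.te) source with the require block it needs."""
    parsed = [p for p in map(parse_avc, lines) if p]
    classes = {}
    for _, _, tclass, perms in parsed:
        classes.setdefault(tclass, set()).update(perms)
    req = [f'\ttype {t};' for t in sorted({t for p in parsed for t in p[:2]})]
    req += [f'\tclass {c} {{ {" ".join(sorted(p))} }};' for c, p in sorted(classes.items())]
    body = [f'module {name} 1.0;', 'require {', *req, '}', ''] + rules_from_avcs(lines, dontaudit)
    return '\n'.join(body) + '\n'
```

On a live system, current policycoreutils can rebuild policy with `semodule -DB` so that dontaudited denials reappear in the audit log, which addresses Paul's concern about losing any hint of a problem.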