Bug 1122122

Summary: installing package via organization default activation key when registering in firstboot causes SELinux AVC
Product: Red Hat Enterprise Linux 5
Reporter: Jan Hutař <jhutar>
Component: rhn-client-tools
Assignee: Tomáš Kašpárek <tkasparek>
Status: CLOSED WONTFIX
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: unspecified
Priority: unspecified
Version: 5.10
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-04-18 22:01:29 UTC
Type: Bug

Description Jan Hutař 2014-07-22 15:05:07 UTC
Description of problem:
Installing package via organization default activation key when registering in firstboot causes SELinux AVC


Version-Release number of selected component (if applicable):
rhn-client-tools-0.4.20.1-9.el5
selinux-policy-targeted-2.4.6-351.el5
firstboot-tui-1.4.27.9-1.el5


How reproducible:
always


Steps to Reproduce:
1. Create organization default activation key which installs ksh package
2. # rpm -e zsh
3. # rm -f /etc/sysconfig/firstboot
4. # firstboot
5. In firstboot TUI select "RHN Register" and register yourself so
   the activation key is used
6. # rpm -e zsh


Actual results:
First, during the firstboot run, these AVCs get logged:

type=USER_AUTH msg=audit(1406040482.481:198): user pid=28504 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: authentication acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1406040482.481:199): user pid=28504 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1406040482.482:200): user pid=28504 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_END msg=audit(1406040489.886:201): user pid=28504 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)'
type=USER_AUTH msg=audit(1406040685.534:202): user pid=28524 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: authentication acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_ACCT msg=audit(1406040685.534:203): user pid=28524 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_START msg=audit(1406040685.534:204): user pid=28524 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=USER_AVC msg=audit(1406040710.337:205): user pid=2770 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=28525 tpid=28552 scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
type=AVC msg=audit(1406040733.790:206): avc:  denied  { transition } for  pid=28556 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=261970 scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1406040733.790:206): arch=c000003e syscall=59 success=no exit=-13 a0=4c79c63 a1=7fffc5def730 a2=87074c0 a3=70723a725f6d6574 items=0 ppid=28553 pid=28556 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=21 comm="rhn_check" exe="/usr/bin/python" subj=root:system_r:firstboot_t:s0-s0:c0.c1023 key=(null)
type=USER_END msg=audit(1406040858.706:207): user pid=28524 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)'

In /var/log/up2date there is:

[Tue Jul 22 10:52:36 2014] rhn_register error: %post(zsh-4.2.6-9.el5.x86_64) scriptlet failed, exit status 255

When you try to remove the zsh package, you get an error about a missing file which is supposed to be installed in the zsh package postinstall section:

# rpm -e zsh
install-info: warning: no entries found for `/usr/share/info/zsh.info.gz'; nothing deleted


Expected results:
Should work the same way as when zsh is installed via `yum install zsh`:

# yum -y install zsh
[...]
Complete!
# rpm -e zsh
<no output>
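
A triage sketch for the audit log quoted in the report above, added here as an example and not part of the original bug or of rhn-client-tools: it groups records by audit event serial so each AVC denial is paired with the SYSCALL record from the same event. The function names and the trimming of the sample records are assumptions made for this example.

```python
import errno
import re
from collections import defaultdict

# Four records copied from the audit log in the report, trimmed to the fields used here.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1406040482.481:198): user pid=28504 uid=0 auid=0 subj=root:system_r:firstboot_t:s0-s0:c0.c1023 msg='PAM: authentication acct="root" : exe="/usr/sbin/userhelper"'
type=USER_AVC msg=audit(1406040710.337:205): user pid=2770 uid=81 msg='avc:  denied  { send_msg } for msgtype=method_call member=check_status scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon"'
type=AVC msg=audit(1406040733.790:206): avc:  denied  { transition } for  pid=28556 comm="rhn_check" path="/bin/bash" scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1406040733.790:206): arch=c000003e syscall=59 success=no exit=-13 pid=28556 comm="rhn_check" exe="/usr/bin/python" subj=root:system_r:firstboot_t:s0-s0:c0.c1023
"""

HEAD_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\)")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Group records by audit event serial and return one dict per AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        head = HEAD_RE.search(line)
        if not head:
            continue
        rtype, serial = head.group(1), int(head.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if rtype in ("AVC", "USER_AVC"):
            denied = DENIED_RE.search(line)
            if denied:
                events[serial].update(
                    serial=serial, perms=denied.group(1).split(),
                    source=selinux_type(fields["scontext"]),
                    target=selinux_type(fields["tcontext"]),
                    tclass=fields["tclass"], path=fields.get("path"))
        elif rtype == "SYSCALL":
            # A SYSCALL record with the same serial shows what the denial did to the caller.
            code = int(fields.get("exit", "0"))
            events[serial]["errno"] = errno.errorcode.get(-code) if code < 0 else None
    return [e for e in events.values() if "perms" in e]
```

On the sample, event 206 pairs the denied firstboot_t to rpm_script_t transition on /bin/bash with a syscall 59 (execve on x86_64) that returned EACCES, while event 205 is a D-Bus send_msg denial with no SYSCALL record.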

Comment 1 Jan Hutař 2014-07-22 21:18:52 UTC
This is not a regression against RHEL 5.10

rhn-client-tools-0.4.20.1-6.el5
selinux-policy-targeted-2.4.6-346.el5
firstboot-tui-1.4.27.9-1.el5

Comment 2 RHEL Program Management 2014-07-25 21:23:53 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Chris Williams 2017-04-18 22:01:29 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.