Bug 1144165

Summary: SELinux: rhsmcertd-worke unable to write to /var/lib/rpm
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 7.1
Fixed In Version: selinux-policy-3.13.1-9.el7
Reporter: Richard Su <rwsu>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: ccheney, mgrepl, mmalik, rwsu, ssekidde
Type: Bug
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:41:09 UTC
Attachments:
  audit.log (flags: none)

Description Richard Su 2014-09-18 20:00:44 UTC
Created attachment 939029 [details]
audit.log

Description of problem:
rhsmcertd-worke is unable to write to /var/lib/rpm. This happens after an instack RHEL7 image is booted up the first time.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch
subscription-manager-1.10.14-9.el7_0.x86_64
rhnsd-5.0.13-3.el7.x86_64
rhnlib-2.5.65-2.el7.noarch
rhn-client-tools-2.0.2-5.el7.noarch
rhn-check-2.0.2-5.el7.noarch
rhn-setup-2.0.2-5.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Create and boot an instack-undercloud RHEL7 image using https://github.com/agroup/instack-undercloud/blob/master/README-source.md

Actual results:
rhsmcertd-worke denials found in audit.log

Expected results:
No denials.

Additional info:

type=AVC msg=audit(1410984925.093:83): avc:  denied  { write } for  pid=887 comm="rhsmcertd-worke" name="rpm" dev="sda1" ino=1441954 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1410984925.093:83): avc:  denied  { add_name } for  pid=887 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1410984925.093:83): avc:  denied  { create } for  pid=887 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1410999261.157:138): avc:  denied  { write } for  pid=932 comm="rhsmcertd-worke" name="rpm" dev="sda1" ino=1441954 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1410999261.157:138): avc:  denied  { add_name } for  pid=932 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1410999261.157:138): avc:  denied  { create } for  pid=932 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1411065591.296:91): avc:  denied  { write } for  pid=906 comm="rhsmcertd-worke" name="rpm" dev="sda1" ino=1441954 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1411065591.296:91): avc:  denied  { add_name } for  pid=906 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1411065591.296:91): avc:  denied  { create } for  pid=906 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1411066510.056:162): avc:  denied  { dac_override } for  pid=1190 comm="rhsmcertd-worke" capability=1  scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=capability
type=AVC msg=audit(1411066510.056:162): avc:  denied  { getattr } for  pid=1190 comm="rhsmcertd-worke" path="/home/stack/instack" dev="sda1" ino=918739 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
[root@localhost audit]# find / -inum 1441954
/var/lib/rpm
[root@localhost audit]# ls -Z /var/lib/rpm
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Basenames
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Conflictname
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 __db.001
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 __db.002
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 __db.003
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Dirnames
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Group
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Installtid
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Name
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Obsoletename
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Packages
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Providename
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Requirename
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Sha1header
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Sigmd5
-rw-r--r--. root root unconfined_u:object_r:rpm_var_lib_t:s0 Triggername
[root@localhost audit]# ls -Z /var/lib/ | grep rpm
drwxr-xr-x. root      root     unconfined_u:object_r:rpm_var_lib_t:s0 alternatives
drwxr-xr-x. root      root     unconfined_u:object_r:rpm_var_lib_t:s0 rpm
drwxr-xr-x. root      root     system_u:object_r:var_lib_t:s0   rpm-state
drwxr-xr-x. root      root     unconfined_u:object_r:rpm_var_lib_t:s0 yum
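The denials above, triaged the way audit2allow groups them, as an added example (Python; not part of the bug report or of selinux-policy). It parses raw AVC records, collapses them into source-type/target-type/class rules, and separates the rpm_var_lib_t denials that the policy fix addresses from the dac_override and user_home_t ones, which deserve a second look rather than a blanket allow. The sample records are copied from this report; the trailing USER_AVC line and the expected_target_type parameter are constructed for the example.

```python
import re
from collections import defaultdict

# Sample input: five AVC records copied from the report above, plus one
# constructed non-AVC record to show that only type=AVC lines are parsed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1410984925.093:83): avc:  denied  { write } for  pid=887 comm="rhsmcertd-worke" name="rpm" dev="sda1" ino=1441954 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1410984925.093:83): avc:  denied  { add_name } for  pid=887 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1410984925.093:83): avc:  denied  { create } for  pid=887 comm="rhsmcertd-worke" name="__db.001" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1411066510.056:162): avc:  denied  { dac_override } for  pid=1190 comm="rhsmcertd-worke" capability=1  scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=capability
type=AVC msg=audit(1411066510.056:162): avc:  denied  { getattr } for  pid=1190 comm="rhsmcertd-worke" path="/home/stack/instack" dev="sda1" ino=918739 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=USER_AVC msg=audit(1411066510.056:163): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='avc: constructed, not a kernel AVC'
"""

# Matches the fields audit2allow needs: verdict, permission set, both contexts, class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type (third field) of a user:role:type[:level] context.
    The SELinux user (unconfined_u vs system_u) is irrelevant to TE rules."""
    return context.split(":")[2]


def parse_avc(text):
    """Yield one dict per denied AVC record; other record types and malformed lines are skipped."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group("verdict") != "denied":
            continue
        yield {
            "perms": frozenset(m.group("perms").split()),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "raw": line,
        }


def summarize(text):
    """Collapse denials into (source type, target type, class) -> permissions, as audit2allow does."""
    rules = defaultdict(set)
    for d in parse_avc(text):
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def as_allow_rules(text):
    """Render the summary as TE allow rules, sorted for stable comparison."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summarize(text).items())
    ]


def suspicious(text, expected_target_type):
    """Denials whose target type is not the one under investigation.
    Here that flags the capability (dac_override) and user_home_t records,
    which should not be waved through just because they share a comm= name."""
    return [d["raw"] for d in parse_avc(text) if d["ttype"] != expected_target_type]


if __name__ == "__main__":
    for rule in as_allow_rules(SAMPLE_AUDIT):
        print(rule)
    for line in suspicious(SAMPLE_AUDIT, "rpm_var_lib_t"):
        print("needs review:", line)
```

Note that the tcontext type in the AVCs, rpm_var_lib_t, is exactly what the `ls -Z` output above shows on /var/lib/rpm, so a relabel (restorecon) would change nothing here; the missing piece is an allow rule for rhsmcertd_t on that type, which is why the resolution is a selinux-policy update (3.13.1-9.el7) rather than a file-context fix. The summarize() grouping is the same collapse audit2allow performs, but unlike a generated local module it keeps the unrelated denials visible instead of silently folding them into the same policy module.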

Comment 2 Miroslav Grepl 2014-10-02 11:23:12 UTC
Did it work?

Comment 3 Richard Su 2014-10-07 05:51:02 UTC
I'm sorry, did what work?

Comment 6 Miroslav Grepl 2014-10-13 09:47:51 UTC
Your test scenario. Did it work in enforcing mode even with the AVC msgs?

Comment 8 Richard Su 2014-11-11 05:24:27 UTC
Will get back to you shortly. I'm in the middle of getting our tests to pass on RHEL.

Comment 9 Richard Su 2014-11-12 00:08:25 UTC
I finished my tests, and having the denials didn't affect undercloud or overcloud deployment or the tests.

Comment 10 Miroslav Grepl 2014-11-18 13:32:59 UTC
#============= rhsmcertd_t ==============

#!!!! This avc is allowed in the current policy
allow rhsmcertd_t rpm_var_lib_t:dir add_name;

#!!!! This avc is allowed in the current policy
allow rhsmcertd_t rpm_var_lib_t:file create;

#!!!! This avc is allowed in the current policy
allow rhsmcertd_t setroubleshootd_t:process signull;

Comment 14 errata-xmlrpc 2015-03-05 10:41:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html