Bug 1464454

Summary: selinux denials when launching online documentation from subscription-manager-gui
Product: Red Hat Enterprise Linux 7
Reporter: Rehana <redakkan>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: low
Version: 7.4
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, redakkan, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-07-18 12:15:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rehana 2017-06-23 13:03:21 UTC
Description of problem:
selinux denials when launching online documentation from subscription-manager-gui

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-164.el7.noarch
selinux-policy-targeted-3.13.1-164.el7.noarch
python-rhsm-1.19.9-1.el7.x86_64
python-rhsm-certificates-1.19.9-1.el7.x86_64
subscription-manager-gui-1.19.20-1.el7.x86_64
subscription-manager-1.19.20-1.el7.x86_64
subscription-manager-initial-setup-addon-1.19.20-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install RHEL with GUI
2. Launch subscription-manager-gui
3. Go to Help --> Online documentation

Actual results:
Observed SELinux denials on the system, though the Firefox browser came up after some time.

Expected results:
No denials 

Additional info:

[root@dhcp35-134 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dhcp35-134 ~]#  ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@dhcp35-134 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@dhcp35-134 ~]#  ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=PROCTITLE msg=audit(06/23/2017 17:08:18.628:200) : proctitle=gdm-session-worker [pam/gdm-password] 
type=SYSCALL msg=audit(06/23/2017 17:08:18.628:200) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55a1e84d7360 a1=0700 a2=0x55a1e84d7370 a3=0x0 items=0 ppid=1823 pid=1853 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/23/2017 17:08:18.628:200) : avc:  denied  { create } for  pid=1853 comm=gdm-session-wor name=gdm scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 2 Milos Malik 2017-06-26 07:09:07 UTC
Did you log in via GDM as root?

Comment 3 Rehana 2017-06-27 06:47:09 UTC
(In reply to Milos Malik from comment #2)
> Did you log in via GDM as root?

Yes, I logged in via GUI to the system.

Comment 4 Rehana 2017-07-05 10:36:15 UTC
On the RHEL 7.4 RC1.0 compose (server variant), seeing a different denial message when launching online documentation from subscription-manager-gui (GNOME session); the web page was launched after some time. Sharing the information for reference.

----
type=PROCTITLE msg=audit(07/05/2017 06:34:07.810:245) : proctitle=/usr/lib64/firefox/plugin-container -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr 
type=SYSCALL msg=audit(07/05/2017 06:34:07.810:245) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f8c3d69fc00 a1=O_RDONLY a2=0x1b6 a3=0x7f8c3d6cc400 items=0 ppid=3506 pid=3580 auid=tester uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=Web Content exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/05/2017 06:34:07.810:245) : avc:  denied  { read } for  pid=3580 comm=Web Content name=user-dirs.dirs dev="dm-0" ino=5450089 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
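As an added example (not part of the bug report or of selinux-policy), the following Python script parses `ausearch -i` AVC records like the two above and flags the pattern they share: a display-manager or browser domain being denied access to admin_home_t, which is what a desktop session running as root looks like in the audit log. The GUI_DOMAINS set and the third sample record (an unrelated httpd denial) are assumptions constructed for the example.

```python
"""Flag AVC denials that indicate a GUI session running as root (added example).

A display-manager or browser domain denied access to admin_home_t (root's home)
is the audit-log signature of logging into the desktop as root; the remedy is a
regular user account, not a policy change."""
import re

# Constructed sample: the two AVC records from the report plus one unrelated
# denial (httpd reading a user home file) that must not be flagged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(06/23/2017 17:08:18.628:200) : avc:  denied  { create } for  pid=1853 comm=gdm-session-wor name=gdm scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(07/05/2017 06:34:07.810:245) : avc:  denied  { read } for  pid=3580 comm=Web Content name=user-dirs.dirs dev="dm-0" ino=5450089 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(07/05/2017 06:35:00.000:250) : avc:  denied  { read } for  pid=4001 comm=httpd name=index.html scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Assumed set of source domains belonging to a graphical login or its browser.
GUI_DOMAINS = {"xdm_t", "mozilla_t", "mozilla_plugin_t"}
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# comm= may contain spaces ("Web Content"), so stop at the next key=value token.
COMM_RE = re.compile(r"comm=(?P<comm>.+?)\s+\w+=")

def selinux_type(context):
    """Type field (third component) of a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one `ausearch -i` AVC line into a dict; None for non-AVC records."""
    head = DENIED_RE.search(line)
    if head is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    comm = COMM_RE.search(line)
    return {
        "perms": head.group("perms").split(),
        "pid": int(fields["pid"]),
        "comm": comm.group("comm") if comm else fields.get("comm", ""),
        "tclass": fields["tclass"],
        "scontext_type": selinux_type(fields["scontext"]),
        "tcontext_type": selinux_type(fields["tcontext"]),
    }

def flag_root_gui_denials(audit_text):
    """Denials where a GUI domain was refused access to admin_home_t."""
    return [rec for rec in map(parse_avc, audit_text.splitlines())
            if rec and rec["tcontext_type"] == "admin_home_t"
            and rec["scontext_type"] in GUI_DOMAINS]
```

Running `flag_root_gui_denials(SAMPLE_AUDIT)` returns the gdm-session-worker and Web Content records and leaves the httpd denial alone; feeding it the output of `ausearch -m AVC -i` applies the same check to a live system.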

Comment 5 Lukas Vrabec 2017-07-18 12:15:43 UTC
Rehana, 

We do *NOT* support this. For security reasons, please use a regular user to log in via GUI.

Closing as NOTABUG.

Thanks,
Lukas