Bug 1466430

Summary: Allow rhnsd daemon to send signal to rhn_check
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Reporter: Lukáš Hellebrandt <lhellebr>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: jdostal, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tlestach
Target Milestone: rc
Last Closed: 2017-11-07 12:04:39 UTC
Type: Bug

Description Lukáš Hellebrandt 2017-06-29 14:55:36 UTC
Description of problem:
When rhnsd is run as a daemon (service rhnsd start), it cannot send a signal to rhn_check, which we need to do in bug 1409562. The AVC denial message is:

type=AVC msg=audit(1498655994.166:122): avc:  denied  { signal } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process

Steps to Reproduce:
1. Have a Client (with setenforce 1) registered to some Satellite 5, with provisioning and packages necessary for remote command execution installed
2. Schedule a remote command with long sleep to the Client
3. Wait for rhnsd to run rhn_check
4. After the command is in picked-up state, kill rhnsd with SIGTERM
5. This should cause rhnsd to send SIGTERM to the running rhn_check
6. The mentioned AVC denial occurs, rhn_check doesn't receive the signal and rhnsd waits indefinitely for rhn_check's termination

This also happens in 7.3 with package versions in which the mentioned BZ is fixed.

Comment 2 Milos Malik 2017-06-29 16:30:22 UTC
The SELinux denial mentioned in comment#0 was caught in enforcing mode, right? Could you re-run your scenario in permissive mode and collect SELinux denials? The permissive mode may reveal other SELinux denials.

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you
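
Added example, not part of the bug report or of any Red Hat tooling: a small Python script that reads AVC records like the one in the description and merges them into one type-enforcement rule per source type, target type and class, which makes it easy to see whether a permissive-mode run logged anything beyond the original `signal` denial. The second sample record is constructed for illustration, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# First record is the denial quoted in the description; the second is a
# constructed sample of what a permissive-mode run might additionally log.
SAMPLE_LOG = """\
type=AVC msg=audit(1498655994.166:122): avc:  denied  { signal } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process
type=AVC msg=audit(1498655999.001:130): avc:  denied  { sigkill signal } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, class, perms) per AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def summarize(log_text):
    """Merge denials into one TE rule per (source, target, class) triple."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in summarize(SAMPLE_LOG):
        print(rule)
```

The output is a summary for policy review, in the same rule syntax `audit2allow` produces; it is not a substitute for that tool.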