Bug 1490961
| Summary: | [AVC denied] /usr/libexec/rhsmcertd-worker (rhsmcertd_t) sends signull to snmpd_t | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Michal Dekan <mdekan> | ||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 7.4 | CC: | fadamo, jjansky, lvrabec, mgrepl, mmalik, plautrba, ssekidde | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | selinux-policy-3.13.1-175.el7 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-04-10 12:42:01 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Created attachment 1328304 [details]
Temporary workaround works in case 01925369
Created temporary workaround with audit2allow -M rhsmcertd.t -i sosreport/var/log/audit.log
It works for customer from case 01925369, however i am not specialist in SELinux, can someone check if this policy is correct and why the audit happened?
==> Status: ON_QA → VERIFIED Are the correct rpms available on RH repos? RPMs with the fix will be available in RH repositories as soon as RHEL-7.5 goes public. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763 |
Description of problem: > grep AVC var/log/audit/audit.log | grep rhsmcertd_t type=AVC msg=audit(1504534843.134:211675): avc: denied { signull } for pid=34390 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504549243.119:214055): avc: denied { signull } for pid=47588 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504563643.494:216440): avc: denied { signull } for pid=60721 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504578043.791:218815): avc: denied { signull } for pid=8813 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504592443.288:221212): avc: denied { signull } for pid=23019 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504606843.105:223597): avc: denied { signull } for pid=36091 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504621243.569:225957): avc: denied { signull } for pid=49303 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process type=AVC msg=audit(1504635643.773:228343): avc: denied { signull } for pid=63246 comm="rhsmcertd-worke" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=process Version-Release number of selected component (if applicable): > cat etc/redhat-release Red Hat Enterprise Linux Server release 7.4 (Maipo) > grep selinux installed-rpms libselinux-2.5-11.el7.i686 Sat Aug 19 22:40:27 2017 libselinux-2.5-11.el7.x86_64 Sat Aug 19 22:36:22 2017 libselinux-python-2.5-11.el7.x86_64 Sat Aug 19 22:37:38 2017 libselinux-utils-2.5-11.el7.x86_64 Sat Aug 19 22:38:23 2017 selinux-policy-3.13.1-166.el7.noarch Sat Aug 19 22:41:45 2017 selinux-policy-targeted-3.13.1-166.el7.noarch Sat Aug 19 22:44:54 2017 How reproducible: Not sure. There is no rule, which would allow this: [root@vm-199 ~]# sesearch -A -s rhsmcertd_t -t snmpd_t -p signull [root@vm-199 ~]# Actual results: AVC denied messages in audit log. Expected results: No AVC denied messages. Additional info: Customer's sosreport is attached to the case.