Bug 1596499

Summary: /usr/sbin/rhn_check* should have same context as /usr/sbin/rhn_check
Product: [Fedora] Fedora Reporter: Tomáš Kašpárek <tkasparek>
Component: selinux-policy-targetedAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 29CC: dwalsh, matthewwilkinson
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1596505 1596506 1596508 1596509 1596510 (view as bug list) Environment:
Last Closed: 2018-09-12 02:55:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1596505, 1596506, 1596508, 1596509, 1596510    

Description Tomáš Kašpárek 2018-06-29 07:10:49 UTC 
Description of problem:
During python3 adaptation in Fedora we've split /usr/sbin/rhn_check binary into /usr/sbin/rhn_check-$SUFFIX, where $SUFFIX is Python version (e.g 2.6 for el6 or 3.6 for F28) and into /usr/sbin/rhn_check which is a symlink to to /usr/sbin/rhn_check-$SUFFIX.

E.g. what has previously been:
ls -lZ /usr/sbin/rhn_check*
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0  /usr/sbin/rhn_check

Is now:
ls -lZ /usr/sbin/rhn_check*
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0    13 May 30 11:41 /usr/sbin/rhn_check -> rhn_check-3.6
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 15755 May 30 11:41 /usr/sbin/rhn_check-3.6

However the SELinux context has not yet been updated as new version has bin_t, instead rpm_exec_t which /usr/sbin/rhn_check previously had which causes some issues when rhn_check is executed by a daemon (rhnsd).

Version-Release number of selected component (if applicable):
rhn-client-tools-2.9.8-1.fc28.noarch
selinux-policy-targeted-3.14.1-32.fc28.noarch

How reproducible:
always

Steps to Reproduce:
1. install e.g. rhn-client-tools-2.7.16-1 which have just /usr/sbin/rhn_check
2. check context of /usr/sbin/rhn_check, it is: system_u:object_r:rpm_exec_t:s0
3. install latest version of rhn-client-tools which has python2/python3 split
4. /usr/sbin/rhn_check* has incorrect context as /usr/sbin/rhn_check is a symlink to actual binary.

Actual results:
Incorrect context for /usr/sbin/rhn_check*

Expected results:
/usr/sbin/rhn_check* has following context
system_u:object_r:rpm_exec_t:s0

Additional info:
Affects all versions of Fedora, RHEL as this change on our side has been done for all versions of Fedora and RHEL.
Comment 1 Matthew 2018-06-29 14:00:31 UTC 
Thanks Tomas.
Comment 2 Jan Kurik 2018-08-14 11:17:46 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.
Comment 3 Fedora Update System 2018-09-11 12:49:54 UTC 
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726
Comment 4 Matthew 2018-09-11 13:54:17 UTC 
Will there be an update to RHEL as well for this?
Comment 5 Fedora Update System 2018-09-12 02:55:58 UTC 
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.