Bug 1596508

Summary: /usr/sbin/rhn_check* should have same context as /usr/sbin/rhn_check
Product: Red Hat Enterprise Linux 6
Reporter: Tomáš Kašpárek <tkasparek>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Priority: unspecified
Version: 6.10
CC: benl, dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Clone Of: 1596499
Last Closed: 2018-06-29 09:26:30 UTC
Type: Bug
Bug Depends On: 1596499, 1596509, 1596510    
Bug Blocks: 1596505, 1596506    

Description Tomáš Kašpárek 2018-06-29 07:13:50 UTC
+++ This bug was initially created as a clone of Bug #1596499 +++

Description of problem:
During python3 adaptation in Fedora we've split the /usr/sbin/rhn_check binary into /usr/sbin/rhn_check-$SUFFIX, where $SUFFIX is the Python version (e.g. 2.6 for el6 or 3.6 for F28), and into /usr/sbin/rhn_check, which is a symlink to /usr/sbin/rhn_check-$SUFFIX.

E.g. what has previously been:
ls -lZ /usr/sbin/rhn_check*
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0  /usr/sbin/rhn_check

Is now:
ls -lZ /usr/sbin/rhn_check*
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0    13 May 30 11:41 /usr/sbin/rhn_check -> rhn_check-3.6
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 15755 May 30 11:41 /usr/sbin/rhn_check-3.6

However, the SELinux context has not yet been updated: the new version has bin_t instead of rpm_exec_t, which /usr/sbin/rhn_check previously had, and this causes some issues when rhn_check is executed by a daemon (rhnsd).

Version-Release number of selected component (if applicable):
rhn-client-tools-2.9.8-1.fc28.noarch
selinux-policy-targeted-3.14.1-32.fc28.noarch

How reproducible:
always

Steps to Reproduce:
1. install e.g. rhn-client-tools-2.7.16-1, which has just /usr/sbin/rhn_check
2. check context of /usr/sbin/rhn_check, it is: system_u:object_r:rpm_exec_t:s0
3. install latest version of rhn-client-tools which has python2/python3 split
4. /usr/sbin/rhn_check* has incorrect context as /usr/sbin/rhn_check is a symlink to actual binary.

Actual results:
Incorrect context for /usr/sbin/rhn_check*

Expected results:
/usr/sbin/rhn_check* has the following context:
system_u:object_r:rpm_exec_t:s0

Additional info:
Affects all versions of Fedora and RHEL, as this change on our side has been done for all versions of Fedora and RHEL.

Comment 2 Lukas Vrabec 2018-06-29 09:26:30 UTC
RHEL-6 is already in production phase 3, which means that only Critical impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be addressed. Please see https://access.redhat.com/support/policy/updates/errata#Production_3_Phase for further information.

Since this bug does not meet the criteria, we'll close it as WONTFIX. Feel free to discuss this Bug with (Product Management)/Support Representative, if this is a critical issue for the customer/for you. Please provide business justification in such case.

This issue is fixed in Red Hat Enterprise Linux version 6+1/Fedora Rawhide/newer upstream release/is being tracked upstream.
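
One way to audit the labels described in this report, as an added example that is not part of the bug report or of selinux-policy: it parses `ls -lZ` output in both layouts quoted above and lists entries whose type is not rpm_exec_t. The function names and the semanage regex in the workaround function are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: flag rhn_check* entries whose
# SELinux type is not the one the report expects.
EXPECTED_TYPE="rpm_exec_t"

# Reads `ls -lZ` lines on stdin (both layouts shown in the report) and
# prints "path type" for every entry whose type differs from EXPECTED_TYPE.
mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
    {
        ctx = ""; t = ""; path = ""
        for (i = 1; i <= NF; i++) {
            # The context is the first user:role:type:level field.
            if (ctx == "" && split($i, part, ":") >= 4) { ctx = $i; t = part[3] }
            # For a symlink, the entry name is the field before "->".
            if ($i == "->" && i > 1) path = $(i - 1)
        }
        if (ctx == "") next            # not an ls -lZ entry
        if (path == "") path = $NF     # regular file: name is the last field
        if (t != want) print path, t
    }'
}

# The "Is now" listing quoted in the report.
listing_after_split() {
    cat <<'EOF'
lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0    13 May 30 11:41 /usr/sbin/rhn_check -> rhn_check-3.6
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 15755 May 30 11:41 /usr/sbin/rhn_check-3.6
EOF
}

# Assumed local workaround (run as root; not called by this script):
# add a local file-context rule, then relabel. The regex is an assumption.
relabel_rhn_check() {
    semanage fcontext -a -t "$EXPECTED_TYPE" '/usr/sbin/rhn_check.*' &&
        restorecon -v /usr/sbin/rhn_check*
}

listing_after_split | mislabeled
```

On a live host, feed it real output with `ls -lZ /usr/sbin/rhn_check* | mislabeled`; an empty result means every entry already carries rpm_exec_t.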