Bug 1889751

Summary: Bug 1837461 - avc: denied { search } for comm="rhsmd" dev="proc" issue continues after fix has been applied
Product: Red Hat Enterprise Linux 7
Reporter: alsanche
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: medium
Version: 7.9
CC: lvrabec, mmalik, plautrba, ssekidde, vmojzis
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-12-01 13:12:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description alsanche 2020-10-20 14:06:02 UTC
Description of problem:

The customer applied the below fixes: 

 ~~~
 selinux-policy-3.13.1-268.el7.noarch                        Wed Oct  7 17:29:40 2020
 selinux-policy-targeted-3.13.1-268.el7.noarch               Wed Oct  7 17:29:56 2020
 ~~~

As advised in Bug 1837461, but the issue persists. As per the same bug I am opening a new bug.

Version-Release number of selected component (if applicable):


How reproducible:

I had the customer run the below commands:

[root@oasostats ~]# semodule -Rv
[root@oasostats ~]# systemctl  restart rhsmcertd
[root@oasostats ~]# date
Thu Oct 15 13:05:10 CDT 2020
#[root@oasostats ~]# systemctl status rhsmcertd
* rhsmcertd.service - Enable periodic update of entitlement certificates.
   Loaded: loaded (/usr/lib/systemd/system/rhsmcertd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-10-15 13:05:04 CDT; 3min 41s ago
  Process: 18258 ExecStart=/usr/bin/rhsmcertd (code=exited, status=0/SUCCESS)
 Main PID: 18266 (rhsmcertd)
    Tasks: 1
   Memory: 172.0K
   CGroup: /system.slice/rhsmcertd.service
           `-18266 /usr/bin/rhsmcertd

Oct 15 13:05:04 oasostats.banxico.org.mx systemd[1]: Starting Enable periodic update of entitlement certificates....
Oct 15 13:05:04 oasostats.banxico.org.mx systemd[1]: Started Enable periodic update of entitlement certificates..

Steps to Reproduce:
1. 
2.
3.

Actual results:

After a few days the below messages keep coming up in the logs: 

----
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: Traceback (most recent call last):
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsm_d.py", line 189, in timeout_cb
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: if is_rhsm_icon_running():
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsm_d.py", line 229, in is_rhsm_icon_running
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: ret = is_process_running('rhsm-icon')
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: File "/usr/lib64/python2.7/site-packages/subscription_manager/utils.py", line 643, in is_process_running
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: for process_name in get_process_names():
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: File "/usr/lib64/python2.7/site-packages/subscription_manager/utils.py", line 632, in get_process_names
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: with open(process_status_file_path) as status:
Oct 16 04:35:38 oasostats com.redhat.SubscriptionManager: IOError: [Errno 2] No such file or directory: '/proc/19375/status'
----

Expected results:

For the above to not come up in the logs

Additional info:

Comment 4 Zdenek Pytela 2020-12-01 13:12:15 UTC
Red Hat Enterprise Linux 7.9 was the last minor release scheduled for RHEL 7 and the product entered Maintenance Support 2 Phase, when Red Hat defined Critical and Important impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be released as they become available.

This bugzilla does not seem to meet the inclusion criteria for Maintenance Phase 2, therefore it is closing now, but if you believe that it qualifies for the Maintenance Support 2 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Please refer to the Red Hat Enterprise Linux Life Cycle document for more details:
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase