Bug 694879

Summary: [RFE] subscription-manager does not have its own policy (rhsmcertd runs as initrc_t)
Product: Red Hat Enterprise Linux 6
Reporter: Jaroslav Kortus <jkortus>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: John Sefler <jsefler>
Severity: high
Priority: high
Version: 6.1
CC: bkearney, dwalsh, ksrot, mkhusid, mmalik
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Enhancement
Clones: 717654, 724941
Last Closed: 2011-12-06 10:07:24 UTC
Bug Blocks: 682238, 717654, 724941, 832330

Description Jaroslav Kortus 2011-04-08 17:43:40 UTC
Description of problem:
subscription-manager does not have its own policy

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
ps auxfwwwZ | grep /usr/bin/rhsmcertd
system_u:system_r:initrc_t:s0   root      1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240
$ ls -laZ /usr/bin/rhsmcertd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/rhsmcertd


Expected results:
daemon confined after startup
binary context changed from bin_t

Additional info:

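An added check, not code from the bug report or from subscription-manager, that parses the `ps auxZ` and `ls -Z` lines quoted above and flags the two symptoms reported: the daemon running in initrc_t and its binary still labelled bin_t. The rhsmcertd_t and rhsmcertd_exec_t names in the "after" samples are assumed placeholders; the report itself does not name the new domain or entrypoint type.

```shell
# Added example, not from the bug report: parse the SELinux context column
# of `ps auxZ` / `ls -Z` output and flag a daemon running in initrc_t or a
# binary still labelled bin_t (i.e. no dedicated policy module installed).

# Pick the context field (user:role:type[:level]) out of one output line,
# wherever it sits, so both ps and ls layouts are handled.
context_field() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[^:]+:[^:]+_r:[^:]+_t/) { print $i; exit } }'
}

# Type component (third colon-separated field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 if the ps line shows a dedicated domain, 1 if the process runs in
# initrc_t (the generic domain for services whose init script has no policy)
# or no context could be found at all.
process_confined() {
    t=$(context_type "$(context_field "$1")")
    [ -n "$t" ] && [ "$t" != initrc_t ]
}

# 0 if the ls line shows a domain entrypoint type, 1 if it is still bin_t.
binary_labeled() {
    t=$(context_type "$(context_field "$1")")
    [ -n "$t" ] && [ "$t" != bin_t ]
}

# Print a verdict for a (ps line, ls line) pair; return 0 only if both pass.
rhsmcertd_status() {
    rc=0
    if process_confined "$1"; then echo "process: confined as $(context_type "$(context_field "$1")")"
    else echo "process: UNCONFINED, runs as initrc_t"; rc=1; fi
    if binary_labeled "$2"; then echo "binary: labelled $(context_type "$(context_field "$2")")"
    else echo "binary: still bin_t, no entrypoint type"; rc=1; fi
    return $rc
}

# Constructed sample input: the "before" lines are the ones from the report;
# the "after" lines use rhsmcertd_t / rhsmcertd_exec_t, assumed names.
PS_BEFORE='system_u:system_r:initrc_t:s0   root      1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240'
LS_BEFORE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/rhsmcertd'
PS_AFTER='system_u:system_r:rhsmcertd_t:s0 root 1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240'
LS_AFTER='-rwxr-xr-x. root root system_u:object_r:rhsmcertd_exec_t:s0 /usr/bin/rhsmcertd'

rhsmcertd_status "$PS_BEFORE" "$LS_BEFORE" || :
rhsmcertd_status "$PS_AFTER" "$LS_AFTER"
```

On a live host, feed `rhsmcertd_status` the matching line from `ps auxZ | grep '[r]hsmcertd'` and from `ls -Z /usr/bin/rhsmcertd`; a non-zero exit means the daemon is still outside its own domain.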
Comment 2 Daniel Walsh 2011-04-08 18:13:14 UTC
This is a 6.2 issue.  Too late for 6.1.

Comment 3 Miroslav Grepl 2011-04-11 07:18:45 UTC
Yes, too late.

Comment 8 Miroslav Grepl 2011-06-29 11:37:25 UTC
I am working on this policy. I believe we have enough time for adding/testing this policy for RHEL6.2.

Comment 10 Miroslav Grepl 2011-06-30 15:46:27 UTC
Fixed in selinux-policy-3.7.19-102.el6

Comment 15 Miroslav Grepl 2011-07-26 12:11:32 UTC
Another combination of these AVC messages:

sys_nice, setsched and read on tmp_t

Milos,
could you add the output of authconfig?

Comment 16 Milos Malik 2011-07-26 12:31:14 UTC
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
#

Comment 17 Miroslav Grepl 2011-07-28 12:19:45 UTC
Bryan,
any idea?

Comment 18 Bryan Kearney 2011-07-28 12:43:47 UTC
Sorry... any idea on what? If we need to clone it? If so, we should.. yes.

Comment 19 Miroslav Grepl 2011-07-28 12:49:47 UTC
The AVC messages from comment #14.

Comment 20 Bryan Kearney 2011-07-28 18:02:16 UTC
There is a cron job which checks the status of the certificates. Could that be the issue?

Comment 23 Miroslav Grepl 2011-08-03 11:27:45 UTC
Bryan,
is /usr/libexec/rhsmd also executed by rhsmcertd binary?

Comment 24 Bryan Kearney 2011-08-03 11:58:57 UTC
/usr/libexec/rhsmd is a separate binary delivered with the subscription-manager rpm.

Comment 25 Miroslav Grepl 2011-08-05 10:24:12 UTC
ok, but is it executed by the daemon?

Comment 26 Miroslav Grepl 2011-08-05 13:33:23 UTC
*** Bug 728535 has been marked as a duplicate of this bug. ***

Comment 27 Bryan Kearney 2011-08-08 16:17:07 UTC
the rpm delivers a service, rhsm, which in turn invokes /usr/bin/rhsmd. That in turn invokes python executing the file:

/usr/share/rhsm/subscription_manager/certmgr.py

Comment 28 James Bowes 2011-08-08 16:19:08 UTC
rhsmd is run via cron (nightly), and also via dbus activation (in response to a call from our desktop systray icon)

Comment 29 Miroslav Grepl 2011-08-10 15:23:14 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 31 Karel Srot 2011-08-23 07:00:26 UTC
*** Bug 692818 has been marked as a duplicate of this bug. ***

Comment 33 errata-xmlrpc 2011-12-06 10:07:24 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html