Bug 855295

Summary: AVCs when running rhsmcertd test with disabled unconfined and unlabelednet
Product: Red Hat Enterprise Linux 6 Reporter: Michal Trunecka <mtruneck>
Component: selinux-policy Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified
Version: 6.4 CC: dwalsh, ebenes, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-182.el6 Doc Type: Bug Fix
Last Closed: 2013-02-21 08:28:49 UTC Type: Bug
Attachments: AVCs caused by the test script

Description Michal Trunecka 2012-09-07 09:15:44 UTC
Created attachment 610671
AVCs caused by the test script

Description of problem:
When the unconfined and unlabelednet modules are disabled, running the automated test of rhsmcertd (subscription manager) causes AVCs. The AVCs caused by the test in permissive mode are attached. The test PASSed with no AVCs with both mentioned modules enabled.

Also, some policy checks failed with the unconfined module disabled:
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t var_run_t -c dir -p add_name --allow | grep -B 1 allow' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t var_run_t -c dir -p remove_name --allow | grep -B 1 allow' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t var_run_t -c dir -p write --allow | grep -B 1 allow' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t proc_net_t -c file -p getattr --allow | grep -B 1 allow' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t proc_net_t -c file -p open --allow | grep -B 1 allow' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t proc_net_t -c file -p read --allow | grep -B 1 allow' (Expected 0, got 1)
:: [   FAIL   ] :: Running 'sesearch -s rhsmcertd_t -t tmp_t -c dir -p read --allow | grep -B 1 allow' (Expected 0, got 1)


Version-Release number of selected component (if applicable):
subscription-manager-0.99.19.4-1.el6_3.x86_64
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
selinux-policy-mls-3.7.19-155.el6_3.noarch

How reproducible:
always

Steps to Reproduce:
1. semodule -d unconfined; semodule -d unlabelednet
2. Run the following automated test:
/CoreOS/selinux-policy/Regression/bz694879-subscription-manager-and-similar

Actual results:
Starting rhsmcertd causes AVCs with the unconfined module disabled.

Expected results:
No AVCs.
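
An added helper, not part of the bug report or of the test script, that turns AVC denial records like the ones attached to this bug into the per-permission `sesearch --allow` checks the test runs; the audit lines in `SAMPLE_AVCS` are constructed samples, not the contents of attachment 610671.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit records (not the contents of attachment 610671),
# shaped like the permissive-mode AVCs the bug describes for rhsmcertd_t.
SAMPLE_AVCS = """\
type=AVC msg=audit(1346999744.123:456): avc:  denied  { add_name remove_name write } for  pid=1234 comm="rhsmcertd" name="rhsm" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1346999744.456:457): avc:  denied  { read } for  pid=1234 comm="rhsmcertd" name="tcp" dev=proc ino=4026531971 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1346999744.789:458): avc:  denied  { read } for  pid=1234 comm="rhsmcertd" name="tmp" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1346999744.789:458): arch=c000003e syscall=2 success=yes exit=3
"""

# Denied permissions sit inside braces; contexts are user:role:type[:range].
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)"
)


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return source type, target type, class and denied permissions, or None
    for lines that are not AVC denials (e.g. the SYSCALL record)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
    }


def sesearch_checks(audit_log: str) -> List[str]:
    """One 'sesearch --allow' query per denied permission, in the same form
    as the policy checks the test script runs (deduplicated and sorted)."""
    cmds = set()
    for line in audit_log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d["perms"]:
            cmds.add(f"sesearch -s {d['stype']} -t {d['ttype']} "
                     f"-c {d['tclass']} -p {perm} --allow")
    return sorted(cmds)


if __name__ == "__main__":
    for cmd in sesearch_checks(SAMPLE_AVCS):
        print(cmd)
```

Each emitted query should return an allow rule once the policy update is loaded; a query that prints nothing corresponds to a FAIL line like those quoted above.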

Comment 2 Miroslav Grepl 2012-09-11 06:20:47 UTC
Nice catch. I added rules.

Comment 6 Miroslav Grepl 2012-11-26 15:24:33 UTC
We are missing

logging_send_syslog_msg(rhsmcertd_t)

Comment 9 errata-xmlrpc 2013-02-21 08:28:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html