Bug 858235
Summary: | rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Milan Zázrivec <mzazrivec> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 6.4 | CC: | cperry, dwalsh, jpazdziora, mmalik, slukasik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-166.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 08:29:16 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Milan Zázrivec
2012-09-18 11:59:58 UTC
I believe confining rhnsd is not a RHEL 6.4 material and the labelling should be reverted in selinux-policy. We should see the change in Fedora for some time before potentially breaking the way our customers deploy package updates to their RHEL machines. unconfined_domain(rhsmcertd_t) Is in RHEL6.4 /usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) Must be running rhn_check. Miroslav we should have rpm_domtrans(rhsmcertd_t) I still don't understand -- and would very much like to have it answered -- why rhnsd (part of rhn-client-tools) should run under rhsmcertd_t (judging by the name a type created for subscription-manager -- a different package doing different things). /usr/bin/rhsmcertd certainly does not execute rhn_check as comment #2 suggests. It's the rhnsd daemon that executes rhn_check. In the current setup, adding rpm_domtrans(rhsmcertd_t) would allow it for both rhnsd and subscription-manager, even if the later one may not need it at all. Thanks. I do not know. I don't see that in Fedora. Miroslav? We have already discussed this issue. The original bug is https://bugzilla.redhat.com/show_bug.cgi?id=834994 I decided to treat rhnsd policy with rhsmcertd policy. Now I see we should have the rhnsd policy and this policy should have rpm_domtrans(rhnsd_t) This is also reason why we have "TestOnly bugs" https://bugzilla.redhat.com/show_bug.cgi?id=846002 to find these issues in this RHEL6 phase when we have a time to fix it. Thank you guys for testing. Will do a new RHEL6 build with a new policy soon. Now just execute # chcon -t bin_t /usr/sbin/rhnsd Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |