Bug 858235
| Summary: | rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Milan Zázrivec <mzazrivec> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 6.4 | CC: | cperry, dwalsh, jpazdziora, mmalik, slukasik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-166.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 08:29:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
I believe confining rhnsd is not a RHEL 6.4 material and the labelling should be reverted in selinux-policy. We should see the change in Fedora for some time before potentially breaking the way our customers deploy package updates to their RHEL machines. unconfined_domain(rhsmcertd_t) Is in RHEL6.4 /usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0) Must be running rhn_check. Miroslav we should have rpm_domtrans(rhsmcertd_t) I still don't understand -- and would very much like to have it answered -- why rhnsd (part of rhn-client-tools) should run under rhsmcertd_t (judging by the name a type created for subscription-manager -- a different package doing different things). /usr/bin/rhsmcertd certainly does not execute rhn_check as comment #2 suggests. It's the rhnsd daemon that executes rhn_check. In the current setup, adding rpm_domtrans(rhsmcertd_t) would allow it for both rhnsd and subscription-manager, even if the later one may not need it at all. Thanks. I do not know. I don't see that in Fedora. Miroslav? We have already discussed this issue. The original bug is https://bugzilla.redhat.com/show_bug.cgi?id=834994 I decided to treat rhnsd policy with rhsmcertd policy. Now I see we should have the rhnsd policy and this policy should have rpm_domtrans(rhnsd_t) This is also reason why we have "TestOnly bugs" https://bugzilla.redhat.com/show_bug.cgi?id=846002 to find these issues in this RHEL6 phase when we have a time to fix it. Thank you guys for testing. Will do a new RHEL6 build with a new policy soon. Now just execute # chcon -t bin_t /usr/sbin/rhnsd Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0314.html |
Description of problem: As things are, rhnsd in RHEL-6.4 runs as rhsmcertd_t (Why rhsmcertd_t anyway? rhnsd and rhsm are different things really) and produces the following denial when attempting to install a package (previously scheduled action): type=AVC msg=audit(1347930972.794:18394): avc: denied { transition } for pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process Version-Release number of selected component (if applicable): selinux-policy-3.7.19-162.el6 How reproducible: Always Steps to Reproduce: 1. RHEL-6.4, registered to RHN / RHN Satellite, running rhnsd 2. Schedule a package installation 3. Wait for rhnsd to wake up and run rhn_check Actual results: The SELinux denial above. Expected results: No denials. Additional info: N/A