Bug 1176078
| Summary: | rhsmd send signull to subscription-manager-gui but that is denied by selinux-policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.1 | CC: | alikins, dwalsh, lvrabec, mgrepl, mmalik, msaxena, pkis, plautrba, pvrabec, redakkan, ssekidde, wpoteat |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-50.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 10:24:29 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1121117 | ||
Steps to reproduce:

Test machine background: physical machine; the rhsm.conf file had the following values set:
certCheckInterval = 2
autoAttachInterval = 3
Virt-who and docker installed and running.

From the host, launch subscription-manager-gui from Applications --> System Tools --> Red Hat Subscription Manager. An AVC denial is observed after subscription-manager-gui launch.

# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.26.6-1
subscription management rules: 5.12
subscription-manager: 1.13.12-1.el7
python-rhsm: 1.13.8-1.el7

subman's lock.py seems to be the root of this. It tries to create a lock around /var/runs/rhsm/cert.pid, which rhsmcertd-worker or subscription-manager[-gui] can hold. If either can't acquire it, they try to os.kill(pid_holding_lock, 0). As far as I can tell, either should only hold the lock when running some action (updating certs or repos, etc). rhsmcertd will start a rhsmcertd-worker.py process at certCheckInterval and autoAttachInterval, which eventually will grab the lock around /var/runs/rhsm/cert.pid, as will subscription-manager-gui if it updates certs. rhsmcertd/rhsmcertd-worker could skip the os.kill(sub_man_gui.pid, 0), but it could be a bit stuck if the lock isn't cleaned up (though it seems to be pretty good about that). fwiw, the signull/locking is to prevent them from clobbering when writing out ent certs or redhat.repo. Both should have priv to do it. The gui should only hold that lock for a few seconds, and only when actively updating certs/repos. If that lock exists for longer than that, something else is also broken.

unconfined_service_t is a domain type for a service running without confinement. Patrik, what does # ps -efZ |grep unconfined_service show during the test?

Sure, Reproduced the denial
# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(04/27/2015 07:18:00.241:195) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x4158 a1=SIG0 a2=0x4186 a3=0x0 items=0 ppid=16625 pid=16774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/27/2015 07:18:00.241:195) : avc: denied { signull } for pid=16774 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
----
type=SYSCALL msg=audit(04/27/2015 07:20:00.258:196) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x41b2 a1=SIG0 a2=0x41e5 a3=0x0 items=0 ppid=16625 pid=16869 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/27/2015 07:20:00.258:196) : avc: denied { signull } for pid=16869 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
[root@hp-xw8400-01 Desktop]# ps -efZ |grep unconfined_service
system_u:system_r:unconfined_service_t:s0 root 5046 1 0 06:24 ? 00:00:00 /usr/bin/python /usr/bin/beah-srv
system_u:system_r:unconfined_service_t:s0 root 5047 1 0 06:24 ? 00:00:00 /usr/bin/python /usr/bin/beah-beaker-backend
system_u:system_r:unconfined_service_t:s0 root 5048 1 0 06:24 ? 00:00:00 /usr/bin/python /usr/bin/beah-fwd-backend
system_u:system_r:unconfined_service_t:s0 root 9881 5046 0 06:25 ? 00:00:00 /usr/bin/python /usr/bin/beah-rhts-task
system_u:system_r:unconfined_service_t:s0 root 15920 1 0 06:59 ? 00:00:10 /usr/bin/Xvnc :2 -desktop hp-xw8400-01.rhts.eng.bos.redhat.com:2 (root) -auth /root/.Xauthority -geometry 1024x768 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5902 -fp catalogue:/etc/X11/fontpath.d -pn
system_u:system_r:unconfined_service_t:s0 root 15934 1 0 06:59 ? 00:00:00 /usr/bin/vncconfig -iconic
system_u:system_r:unconfined_service_t:s0 root 15936 1 0 06:59 ? 00:00:00 /bin/gnome-session --session=gnome-classic
system_u:system_r:unconfined_service_t:s0 root 15944 1 0 06:59 ? 00:00:00 dbus-launch --sh-syntax --exit-with-session
system_u:system_r:unconfined_service_t:s0 root 15946 1 0 06:59 ? 00:00:00 /bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
system_u:system_r:unconfined_service_t:s0 root 16015 1 0 06:59 ? 00:00:00 /usr/libexec/imsettings-daemon
system_u:system_r:unconfined_service_t:s0 root 16018 1 0 06:59 ? 00:00:00 /usr/libexec/gvfsd
system_u:system_r:unconfined_service_t:s0 root 16022 1 0 06:59 ? 00:00:00 /usr/libexec//gvfsd-fuse /run/user/0/gvfs -f -o big_writes
system_u:system_r:unconfined_service_t:s0 root 16064 15936 0 06:59 ? 00:00:00 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
system_u:system_r:unconfined_service_t:s0 root 16069 1 0 06:59 ? 00:00:00 /usr/libexec/at-spi-bus-launcher
system_u:system_r:unconfined_service_t:s0 root 16073 16069 0 06:59 ? 00:00:00 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
system_u:system_r:unconfined_service_t:s0 root 16077 1 0 06:59 ? 00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session
system_u:system_r:unconfined_service_t:s0 root 16099 15936 0 06:59 ? 00:00:00 /usr/libexec/gnome-settings-daemon
system_u:system_r:unconfined_service_t:s0 root 16107 1 0 06:59 ? 00:00:00 /usr/bin/pulseaudio --start
system_u:system_r:unconfined_service_t:s0 root 16110 1 0 06:59 ? 00:00:00 /usr/bin/gnome-keyring-daemon --start --components=gpg
system_u:system_r:unconfined_service_t:s0 root 16128 1 0 06:59 ? 00:00:00 /usr/libexec/dconf-service
system_u:system_r:unconfined_service_t:s0 root 16132 1 0 06:59 ? 00:00:00 /usr/libexec/gvfs-udisks2-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16137 1 0 06:59 ? 00:00:00 /usr/libexec/gvfs-afc-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16142 1 0 06:59 ? 00:00:00 /usr/libexec/gvfs-goa-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16145 1 0 06:59 ? 00:00:00 /usr/libexec/goa-daemon
system_u:system_r:unconfined_service_t:s0 root 16152 1 0 06:59 ? 00:00:00 /usr/libexec/goa-identity-service
system_u:system_r:unconfined_service_t:s0 root 16155 1 0 06:59 ? 00:00:00 /usr/libexec/gvfs-mtp-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16161 1 0 06:59 ? 00:00:00 /usr/libexec/gvfs-gphoto2-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16164 15936 12 06:59 ? 00:02:48 /usr/bin/gnome-shell
system_u:system_r:unconfined_service_t:s0 root 16167 1 0 06:59 ? 00:00:00 /usr/libexec/gsd-printer
system_u:system_r:unconfined_service_t:s0 root 16187 1 0 06:59 ? 00:00:00 /usr/bin/ibus-daemon --replace --xim --panel disable
system_u:system_r:unconfined_service_t:s0 root 16191 16187 0 06:59 ? 00:00:00 /usr/libexec/ibus-dconf
system_u:system_r:unconfined_service_t:s0 root 16193 1 0 06:59 ? 00:00:00 /usr/libexec/ibus-x11 --kill-daemon
system_u:system_r:unconfined_service_t:s0 root 16205 1 0 06:59 ? 00:00:00 /usr/libexec/gnome-shell-calendar-server
system_u:system_r:unconfined_service_t:s0 root 16211 1 0 06:59 ? 00:00:00 /usr/libexec/evolution-source-registry
system_u:system_r:unconfined_service_t:s0 root 16214 1 0 06:59 ? 00:00:00 /usr/libexec/mission-control-5
system_u:system_r:unconfined_service_t:s0 root 16223 1 0 06:59 ? 00:00:00 /usr/bin/nautilus --no-default-window
system_u:system_r:unconfined_service_t:s0 root 16246 1 0 06:59 ? 00:00:00 /usr/libexec/evolution-addressbook-factory
system_u:system_r:unconfined_service_t:s0 root 16253 1 0 06:59 ? 00:00:00 /usr/libexec/gconfd-2
system_u:system_r:unconfined_service_t:s0 root 16260 1 0 06:59 ? 00:00:00 /usr/libexec/evolution-calendar-factory
system_u:system_r:unconfined_service_t:s0 root 16266 1 0 06:59 ? 00:00:00 /usr/libexec/gvfsd-trash --spawner :1.4 /org/gtk/gvfs/exec_spaw/0
system_u:system_r:unconfined_service_t:s0 root 16267 15936 0 06:59 ? 00:00:00 abrt-applet
system_u:system_r:unconfined_service_t:s0 root 16271 15936 0 06:59 ? 00:00:00 rhsm-icon
system_u:system_r:unconfined_service_t:s0 root 16274 1 0 06:59 ? 00:00:01 /usr/libexec/tracker-store
system_u:system_r:unconfined_service_t:s0 root 16276 15936 0 06:59 ? 00:00:00 /usr/bin/seapplet
system_u:system_r:unconfined_service_t:s0 root 16283 16187 0 06:59 ? 00:00:00 /usr/libexec/ibus-engine-simple
system_u:system_r:unconfined_service_t:s0 root 16294 15936 0 06:59 ? 00:00:00 /usr/libexec/tracker-miner-fs
system_u:system_r:unconfined_service_t:s0 root 16495 1 0 07:07 ? 00:00:01 /usr/libexec/gnome-terminal-server
system_u:system_r:unconfined_service_t:s0 root 16498 16495 0 07:07 ? 00:00:00 gnome-pty-helper
system_u:system_r:unconfined_service_t:s0 root 16499 16495 0 07:07 pts/1 00:00:00 /bin/bash
system_u:system_r:unconfined_service_t:s0 root 16682 16499 0 07:15 pts/1 00:00:00 tail -f /var/log/rhsm/rhsmcertd.log
system_u:system_r:unconfined_service_t:s0 root 16688 16495 0 07:16 pts/2 00:00:00 bash
system_u:system_r:unconfined_service_t:s0 root 16818 16164 1 07:19 ? 00:00:01 /usr/bin/python /sbin/subscription-manager-gui
system_u:system_r:unconfined_service_t:s0 root 16902 16688 0 07:21 pts/2 00:00:00 ps -efZ
system_u:system_r:unconfined_service_t:s0 root 16903 16688 0 07:21 pts/2 00:00:00 grep --color=auto unconfined_service
[root@hp-xw8400-01 Desktop]#
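The locking scheme described above (a pidfile, and an os.kill(pid, 0) probe when the file already exists) is easier to reason about with its failure mode spelled out. The following is an added example written for this page, not subscription-manager's lock.py: it is Python 3, the pidfile path and the injectable `probe` hook are assumptions, and it shows why a denied signull (errno EACCES, the exit=-13 in the records above) must be handled differently from a missing process (ESRCH). The first means the holder may still be alive and the lock must be treated as held; only the second means the pidfile is stale.

```python
"""Pidfile lock with a liveness probe that separates 'stale' from 'denied'.

Added example, not subscription-manager's own code. The path passed to
PidLock and the `probe` parameter are assumptions made for this page so the
SELinux-denied case can be exercised offline.
"""
import errno
import os
import tempfile


def holder_state(pid, probe=os.kill):
    """Classify the process recorded in a pidfile: 'alive', 'dead' or 'unknown'.

    probe(pid, 0) is the signull check; signal 0 delivers nothing and only asks
    the kernel whether we may signal that pid.
    """
    try:
        probe(pid, 0)
    except OSError as e:
        if e.errno == errno.ESRCH:
            return "dead"            # no such process: the pidfile is stale
        if e.errno in (errno.EPERM, errno.EACCES):
            return "unknown"         # process exists but policy/credentials block the probe
        raise
    return "alive"


class PidLock:
    def __init__(self, path, probe=os.kill):
        self.path = path
        self.probe = probe

    def acquire(self):
        """Return True if we took the lock, False if another process holds it."""
        while True:
            try:
                fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
            except FileExistsError:
                pass
            else:
                with os.fdopen(fd, "w") as f:
                    f.write(str(os.getpid()))
                return True
            pid = self._read_pid()
            if pid is not None and holder_state(pid, self.probe) == "dead":
                # Stale pidfile left by a process that no longer exists: reclaim it
                # and retry the exclusive create.
                try:
                    os.unlink(self.path)
                except FileNotFoundError:
                    pass
                continue
            # 'alive', 'unknown' (probe denied) or an unreadable pidfile: treat as held.
            # Deleting the file on a denied probe would defeat the lock's purpose.
            return False

    def _read_pid(self):
        try:
            with open(self.path) as f:
                text = f.read().strip()
            return int(text) if text else None
        except (FileNotFoundError, ValueError):
            return None

    def release(self):
        try:
            os.unlink(self.path)
        except FileNotFoundError:
            pass


if __name__ == "__main__":
    lock = PidLock(os.path.join(tempfile.mkdtemp(), "cert.pid"))  # constructed path
    print("first acquire:", lock.acquire())                       # True
    print("second acquire:", PidLock(lock.path).acquire())        # False: live holder
    lock.release()
```

A caller that swallowed every OSError as "holder is gone" would delete a live lock whenever policy blocked the probe, which is exactly the clobbering the lock exists to prevent; a caller that treated every error as "held" could never clear a stale file after a crash. Only ESRCH justifies reclaiming the pidfile.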
Wow! So many processes running as unconfined_service_t. I think it should be okay for rhsmcertd to signull subscription-manager-gui (though I don't entirely understand the implications). Is this something we can change in the policy specifically for rhsmcertd/subscription-manager-gui without changing unconfined_service_t? The locking for rhsmcertd could be changed so it doesn't attempt to signull other pids, but that code has been relatively robust so far, so I'd prefer to not have to change it. Bounding to policy to see if this is something we can special case subscription-manager-gui/rhsmcertd for. [That said, if cli 'subscription-manager' is running, it likely also holds the lock and would show the same issue, just less likely to happen].

(In reply to Rehana from comment #6)
> Sure, Reproduced the denial
> [...]

This is a problem with Xvnc. Could you try to test it without Xvnc?

[root@dhcp71-18 Desktop]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(04/28/2015 03:10:20.329:6540) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x39a a1=SIG0 a2=0x39b a3=0x0 items=0 ppid=396 pid=923 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/28/2015 03:10:20.329:6540) : avc: denied { signull } for pid=923 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=process
[root@dhcp71-18 Desktop]# ps -efZ| grep unconfined_service
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2336 32743 0 03:42 pts/1 00:00:00 grep --color=auto unconfined_service
Reproduced the above failure on a guest machine (without using Xvnc).
Note:
AVC denials are not always reproducible on the guest machine compared with the physical machine. I'm not sure if that's related or not.
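Before choosing between allow and dontaudit it helps to reduce the records above to the rule they would require. The following is an added example written for this page, not part of the bug report and not audit2allow (the tool an administrator would normally run): a small Python parser for `ausearch -i` AVC lines that groups denied permissions by source type, target type and object class and renders the corresponding allow rule. The `SAMPLE` text is copied from the AVC lines quoted in this thread (the two unconfined_service_t denials, the system_cronjob_t denial from the guest run, and the original rhsmd denial from the description).

```python
"""Group AVC denials into the allow rules they imply.

Added example for this page; a minimal re-implementation of the grouping step
audit2allow performs, written so the records in this thread can be inspected
offline. SAMPLE is copied from the thread's `ausearch -i` output.
"""
import re
from collections import defaultdict

SAMPLE = """\
type=AVC msg=audit(04/27/2015 07:18:00.241:195) : avc: denied { signull } for pid=16774 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=SYSCALL msg=audit(04/27/2015 07:20:00.258:196) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x41b2 a1=SIG0 a2=0x41e5 a3=0x0 items=0 ppid=16625 pid=16869 auid=unset uid=root gid=root comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/27/2015 07:20:00.258:196) : avc: denied { signull } for pid=16869 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
type=AVC msg=audit(04/28/2015 03:10:20.329:6540) : avc: denied { signull } for pid=923 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(12/19/2014 05:30:54.158:731) : avc: denied { signull } for pid=25278 comm=rhsmd scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process
"""

# Fields of an AVC record as printed by `ausearch -i`; SYSCALL/OBJ_PID lines do not match.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bcomm=(?P<comm>\S+)"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field (user:role:type:level) of an SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = type_of(rec["scontext"])
    rec["ttype"] = type_of(rec["tcontext"])
    return rec


def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return rules


def allow_rules(text):
    """Render one allow rule per (source, target, class) in policy syntax."""
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(summarize(text).items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE):
        print(rule)
```

The grouping makes the scope of the decision visible: the rule for unconfined_service_t is a single line, but the ps listing earlier in this thread shows that type covering dozens of unrelated desktop processes, so what is granted is "signull any unconfined service", not "signull subscription-manager-gui". signull delivers no signal and only reveals whether the target pid exists, which is the basis for the thread's view that allowing it carries little risk.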
Hi,

So what is the solution? Allow it or dontaudit?

(In reply to Lukas Vrabec from comment #11)
> Hi,
>
> So what is the solution? Allow it or dontaudit?

I don't think I'm the right person who should decide this (I barely know anything about rhsmd and co.). Adrian says they'd like to let their program send signull, and I think it's up to you selinux-policy developers to decide if this is a legitimate action or not. If yes, I believe you should allow it; if not, but it's a sort of "common practice" and does not violate any security issue, probably dontaudit.

We have more problems here. We have services running as unconfined_service_t. I don't see any security issue with signull for

system_u:system_r:unconfined_service_t:s0 root 16818 16164 1 07:19 ? 00:00:01 /usr/bin/python /sbin/subscription-manager-gui

We are not going to confine it in 7.2. But we should open a new bug for 7.3 to play around it. So let's allow signull for now.

commit 5cd81793cf5bab971eb68b3dff6236b4ecf83453
Author: Lukas Vrabec <lvrabec>
Date: Wed Aug 5 13:18:22 2015 +0200
Allow rhsmcertd to send signull to unconfined_service.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2300.html
Description of problem:
rhsmd attempts to send signull to subscription-manager-gui (running under unconfined context because it was launched by admin), but that is prevented by selinux-policy.

type=OBJ_PID msg=audit(12/19/2014 05:30:54.158:731) : opid=25110 oauid=unset ouid=root oses=-1 obj=system_u:system_r:unconfined_service_t:s0 ocomm=subscription-ma
type=SYSCALL msg=audit(12/19/2014 05:30:54.158:731) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x6216 a1=SIG0 a2=0x62be a3=0x0 items=0 ppid=1 pid=25278 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=KILL
type=AVC msg=audit(12/19/2014 05:30:54.158:731) : avc: denied { signull } for pid=25278 comm=rhsmd scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process

I think rhsmd should not send signull to subscription-manager-gui, as it will probably always be running under unconfined context, and apparently it does not really need the information whether the gui is running or not, as it has always been blocked so it got no result. Another solution would be to allow this operation or add it to the don't audit rules, so CC-ing selinux-devels. But IMHO, rhsmd simply should not check if the gui is running or not (why should a daemon do that, anyhow?).

Version-Release number of selected component (if applicable):
subscription-manager-1.13.12-1.el7
selinux-policy-targeted-3.13.1-14.el7
selinux-policy-3.13.1-14.el7

How reproducible:
always

Steps to Reproduce:
Detailed reproducer will follow.