Bug 1464454 - selinux denials when launching online documentation from subscription-manager-gui
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-23 13:03 UTC by Rehana
Modified: 2017-07-18 12:15 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-18 12:15:43 UTC
Target Upstream Version:
Embargoed:



Description Rehana 2017-06-23 13:03:21 UTC
Description of problem:
selinux denials when launching online documentation from subscription-manager-gui

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-164.el7.noarch
selinux-policy-targeted-3.13.1-164.el7.noarch
python-rhsm-1.19.9-1.el7.x86_64
python-rhsm-certificates-1.19.9-1.el7.x86_64
subscription-manager-gui-1.19.20-1.el7.x86_64
subscription-manager-1.19.20-1.el7.x86_64
subscription-manager-initial-setup-addon-1.19.20-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install RHEL with GUI
2. Launch subscription-manager-gui
3. Go to Help --> Online documentation

Actual results:
Observed SELinux denials on the system, though the Firefox browser came up after some time.

Expected results:
No denials 

Additional info:

[root@dhcp35-134 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dhcp35-134 ~]#  ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@dhcp35-134 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@dhcp35-134 ~]#  ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=PROCTITLE msg=audit(06/23/2017 17:08:18.628:200) : proctitle=gdm-session-worker [pam/gdm-password] 
type=SYSCALL msg=audit(06/23/2017 17:08:18.628:200) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55a1e84d7360 a1=0700 a2=0x55a1e84d7370 a3=0x0 items=0 ppid=1823 pid=1853 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/23/2017 17:08:18.628:200) : avc:  denied  { create } for  pid=1853 comm=gdm-session-wor name=gdm scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

Comment 2 Milos Malik 2017-06-26 07:09:07 UTC
Did you log in via GDM as root?

Comment 3 Rehana 2017-06-27 06:47:09 UTC
(In reply to Milos Malik from comment #2)
> Did you log in via GDM as root?

Yes, I logged in via GUI to the system.

Comment 4 Rehana 2017-07-05 10:36:15 UTC
On RHEL 7.4 RC1.0 compose (server variant), seeing a different denial message when launching online documentation from subscription-manager-gui (GNOME session); the web page was launched after some time. Sharing the information for reference.

----
type=PROCTITLE msg=audit(07/05/2017 06:34:07.810:245) : proctitle=/usr/lib64/firefox/plugin-container -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr 
type=SYSCALL msg=audit(07/05/2017 06:34:07.810:245) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f8c3d69fc00 a1=O_RDONLY a2=0x1b6 a3=0x7f8c3d6cc400 items=0 ppid=3506 pid=3580 auid=tester uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=Web Content exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/05/2017 06:34:07.810:245) : avc:  denied  { read } for  pid=3580 comm=Web Content name=user-dirs.dirs dev="dm-0" ino=5450089 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Comment 5 Lukas Vrabec 2017-07-18 12:15:43 UTC
Rehana, 

We do *NOT* support this. For security reasons, please use a regular user to log in via GUI.

Closing as NOTABUG.

Thanks,
Lukas

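Both denials quoted in this report share one detail: the target type is admin_home_t, the label of /root. xdm_t tried to create a directory there and mozilla_plugin_t tried to read user-dirs.dirs there, which is exactly what confined desktop domains run into when the graphical session belongs to root instead of a regular user (a regular user's home is labeled user_home_dir_t / user_home_t in the targeted policy). The script below is an added example, not part of the bug report and not code from selinux-policy or subscription-manager; it parses interpreted AVC records of the kind pasted above (the two real records are embedded verbatim as sample input, plus one made-up denial against tmp_t as a negative case) and flags any that target admin_home_t. The function names avc_summary and admin_home_denials are my own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from selinux-policy.
# Parse interpreted (ausearch -i) AVC records and flag denials whose target
# type is admin_home_t: a confined domain touching /root, which with the
# targeted policy is the usual tell that the desktop session runs as root.
# A regular user's home is labeled user_home_dir_t / user_home_t instead.

# Constructed sample input: the two AVC records quoted in this bug, verbatim.
SAMPLE_ROOT_AVCS='type=AVC msg=audit(06/23/2017 17:08:18.628:200) : avc:  denied  { create } for  pid=1853 comm=gdm-session-wor name=gdm scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(07/05/2017 06:34:07.810:245) : avc:  denied  { read } for  pid=3580 comm=Web Content name=user-dirs.dirs dev="dm-0" ino=5450089 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Constructed negative case (made up for this example, not from the bug):
# a denial that does not involve /root and therefore must not be flagged.
SAMPLE_OTHER_AVC='type=AVC msg=audit(07/05/2017 06:40:00.000:300) : avc:  denied  { write } for  pid=4000 comm=example name=foo scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# avc_summary: read audit records on stdin and print one line per denial:
#   <source type> <target type> <tclass> <denied permissions>
# Non-AVC records (SYSCALL, PROCTITLE, ...) are ignored.
avc_summary() {
  awk '
    /^type=AVC / && /avc:  denied/ {
      s = index($0, "{"); e = index($0, "}")
      perms = substr($0, s + 1, e - s - 1)   # text between the braces
      gsub(/^ +| +$/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # third colon-separated element of a context is the type
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      print src, tgt, cls, perms
    }'
}

# admin_home_denials: print the summarised denials whose target is
# admin_home_t; exit 0 if there were any, 1 otherwise.
admin_home_denials() {
  avc_summary | awk '$2 == "admin_home_t" { hit = 1; print } END { if (hit) exit 0; exit 1 }'
}

# Stand-alone demo on the embedded sample. On a live system, feed it the
# same ausearch command the reporter used (unquoted expansion hands
# ausearch the date and time as two arguments):
#   ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts $START_DATE_TIME | admin_home_denials
if printf '%s\n' "$SAMPLE_ROOT_AVCS" | admin_home_denials; then
  echo "confined domain hit /root: the GUI session is probably running as root"
fi
```

When the check fires, the fix is the one given in the closing comment: log in to the desktop as a regular user, so the home directory the confined domains touch carries user_home_t rather than admin_home_t.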