Bug 1464454 - selinux denials when launching online documentation from subscription-manager-gui
selinux denials when launching online documentation from subscription-manager...
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
Unspecified Unspecified
low Severity low
: rc
: ---
Assigned To: Lukas Vrabec
BaseOS QE Security Team
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-23 09:03 EDT by Rehana
Modified: 2017-07-18 08:15 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-18 08:15:43 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Rehana 2017-06-23 09:03:21 EDT
Description of problem:
selinux denials when launching online documentation from subscription-manager-gui

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-164.el7.noarch
selinux-policy-targeted-3.13.1-164.el7.noarch
python-rhsm-1.19.9-1.el7.x86_64
python-rhsm-certificates-1.19.9-1.el7.x86_64
subscription-manager-gui-1.19.20-1.el7.x86_64
subscription-manager-1.19.20-1.el7.x86_64
subscription-manager-initial-setup-addon-1.19.20-1.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.Install RHEL with GUI
2.Launch subscription-manager-gui
3.go to Help --> Online documentation 

Actual results:
Observed selinux denials on the system, though the firefox browser came up after some time

Expected results:
No denials 

Additional info:

root@dhcp35-134 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
[root@dhcp35-134 ~]#  ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
[root@dhcp35-134 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@dhcp35-134 ~]#  ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=PROCTITLE msg=audit(06/23/2017 17:08:18.628:200) : proctitle=gdm-session-worker [pam/gdm-password] 
type=SYSCALL msg=audit(06/23/2017 17:08:18.628:200) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x55a1e84d7360 a1=0700 a2=0x55a1e84d7370 a3=0x0 items=0 ppid=1823 pid=1853 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4 comm=gdm-session-wor exe=/usr/libexec/gdm-session-worker subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(06/23/2017 17:08:18.628:200) : avc:  denied  { create } for  pid=1853 comm=gdm-session-wor name=gdm scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
Comment 2 Milos Malik 2017-06-26 03:09:07 EDT
Did you log in via GDM as root?
Comment 3 Rehana 2017-06-27 02:47:09 EDT
(In reply to Milos Malik from comment #2)
> Did you log in via GDM as root?

yes , i logged in via GUI to the system.
Comment 4 Rehana 2017-07-05 06:36:15 EDT
On RHEL7.4 RC1.0 compose ( server variant) seeing a different denial message when launched online documentation from subscription-manager gui (gnome session) , the web page was launched after some time; Sharing the information for reference

----
type=PROCTITLE msg=audit(07/05/2017 06:34:07.810:245) : proctitle=/usr/lib64/firefox/plugin-container -greomni /usr/lib64/firefox/omni.ja -appomni /usr/lib64/firefox/browser/omni.ja -appdir /usr 
type=SYSCALL msg=audit(07/05/2017 06:34:07.810:245) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f8c3d69fc00 a1=O_RDONLY a2=0x1b6 a3=0x7f8c3d6cc400 items=0 ppid=3506 pid=3580 auid=tester uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=2 comm=Web Content exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/05/2017 06:34:07.810:245) : avc:  denied  { read } for  pid=3580 comm=Web Content name=user-dirs.dirs dev="dm-0" ino=5450089 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
Comment 5 Lukas Vrabec 2017-07-18 08:15:43 EDT
Rehana, 

We do *NOT* support this. From security reasons please use regular user to login via GUI. 

Closing as NOTABUG.

Thanks,
Lukas

Note You need to log in before you can comment on or make changes to this bug.