Bug 1466430 - Allow rhnsd daemon to send signal to rhn_check
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
All Linux
unspecified Severity unspecified
Assigned To: Lukas Vrabec
Milos Malik
Reported: 2017-06-29 10:55 EDT by Lukáš Hellebrandt
Modified: 2017-11-07 07:04 EST (History)
Last Closed: 2017-11-07 07:04:39 EST
Type: Bug
Description Lukáš Hellebrandt 2017-06-29 10:55:36 EDT
Description of problem:
When rhnsd is run as a daemon (service rhnsd start), it cannot send a signal to rhn_check, which we need to do in bug 1409562. The AVC denial message is:

type=AVC msg=audit(1498655994.166:122): avc:  denied  { signal } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process

Steps to Reproduce:
1. Have a Client (with setenforce 1) registered to some Satellite 5, with provisioning and packages necessary for remote command execution installed
2. Schedule a remote command with long sleep to the Client
3. Wait for rhnsd to run rhn_check
4. After the command is in picked-up state, kill rhnsd with SIGTERM
5. This should cause rhnsd to send SIGTERM to the running rhn_check
6. The mentioned AVC denial occurs, rhn_check doesn't receive the signal and rhnsd waits indefinitely for rhn_check's termination

This also happens in 7.3 with package versions in which the mentioned BZ is fixed.
Comment 2 Milos Malik 2017-06-29 12:30:22 EDT
The SELinux denial mentioned in comment#0 was caught in enforcing mode, right? Could you re-run your scenario in permissive mode and collect the SELinux denials? The permissive mode may reveal other SELinux denials.

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you
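
Added example, not part of the bug report or of selinux-policy: a small parser for AVC records like the one in the description, which groups the denials collected in a permissive-mode run by source type, target type and class, and renders each group in allow-rule syntax for policy review. The function names and the second and third sample lines are constructed for illustration; the rendered rule is a summary of what was denied, not the fix that shipped.

```python
import re
from collections import defaultdict

# Line 1 is the denial quoted in this bug; line 2 is constructed for
# illustration (hypothetical record, permission sigkill); line 3 is noise.
SAMPLE_LOG = """\
type=AVC msg=audit(1498655994.166:122): avc:  denied  { signal } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process
type=AVC msg=audit(1498656000.001:130): avc:  denied  { sigkill } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process
type=SYSCALL msg=audit(1498656000.001:130): arch=c000003e syscall=62 success=no
"""

# A context is user:role:type[:level]; only the type (third field) is captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)


def parse_avc(line):
    """Return ((source_type, target_type, class), [perms]) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial, or contexts are malformed
    return (m["src"], m["tgt"], m["cls"]), m["perms"].split()


def summarize(log_text):
    """Merge the denied permissions of all AVC lines per type pair and class."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[rec[0]].update(rec[1])
    return dict(grouped)


def as_rules(grouped):
    """Render each group in allow-rule syntax, for review rather than loading."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules
```
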
