First Last Prev Next    This bug is not in your last search results.
Bug 1466430 - Allow rhnsd daemon to send signal to rhn_check
Allow rhnsd daemon to send signal to rhn_check
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.4
All Linux
unspecified Severity unspecified
: rc
: ---
Assigned To: Lukas Vrabec
Milos Malik
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-29 10:55 EDT by Lukáš Hellebrandt
Modified: 2017-08-01 03:43 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Lukáš Hellebrandt 2017-06-29 10:55:36 EDT 
Description of problem:
When rhnsd is run as daemon (service rhnsd start), it can not send signal to rhn_check, which we need to do in bug 1409562. The AVC denial message is:

type=AVC msg=audit(1498655994.166:122): avc:  denied  { signal } for  pid=2993 comm="rhnsd" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=process

Steps to Reproduce:
1. Have a Client (with setenforce 1) registered to some Satellite 5, with provisioning and packages necessary for remote command execution installed
2. Schedule a remote command with long sleep to the Client
3. Wait for rhnsd to run rhn_check
4. After the command is in picked-up state, kill rhnsd with SIGTERM
5. This should cause rhnsd to send SIGTERM to the running rhn_check
6. Mentioned AVC denial occurs, rhn_check doesn't receive the signal and rhnsd waits indefinitely for rhn_check's termination

This also happens in 7.3 with package versions in which the mentioned BZ is fixed.
Comment 2 Milos Malik 2017-06-29 12:30:22 EDT 
The SELinux denial mentioned in comment#0 was caught in enforcing mode, right? Could re-run your scenario in permissive mode and collect SELinux denials? The permissive mode may reveal other SELinux denials.

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.