Bug 694879 - [RFE] subscription-manager does not have its own policy (rhsmcertd runs as initrc_t)
Summary: [RFE] subscription-manager does not have its own policy (rhsmcertd runs as in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: John Sefler
URL:
Whiteboard:
: 692818 728535 (view as bug list)
Depends On:
Blocks: rhsm-rhel62 717654 724941 832330
TreeView+ depends on / blocked
 
Reported: 2011-04-08 17:43 UTC by Jaroslav Kortus
Modified: 2014-06-17 14:07 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Enhancement
Doc Text:
Clone Of:
: 717654 724941 (view as bug list)
Environment:
Last Closed: 2011-12-06 10:07:24 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1511 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-12-06 00:39:17 UTC

Description Jaroslav Kortus 2011-04-08 17:43:40 UTC
Description of problem:
subscription-manager does not have it's own policy

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
ps auxfwwwZ | grep /usr/bin/rhsmcertd
system_u:system_r:initrc_t:s0   root      1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240
$ ls -laZ /usr/bin/rhsmcertd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/rhsmcertd


Expected results:
daemon confined after startup
binary context changed from bin_t

Additional info:

Comment 2 Daniel Walsh 2011-04-08 18:13:14 UTC
This is a 6.2 issue.  Too late for 6.1.

Comment 3 Miroslav Grepl 2011-04-11 07:18:45 UTC
Yes, too late.

Comment 8 Miroslav Grepl 2011-06-29 11:37:25 UTC
I am working on this policy. I believe we have enough time for adding/testing this policy for RHEL6.2.

Comment 10 Miroslav Grepl 2011-06-30 15:46:27 UTC
Fixed in selinux-policy-3.7.19-102.el6

Comment 15 Miroslav Grepl 2011-07-26 12:11:32 UTC
Other combination of these avc msgs.

sys_nice, setsched and read on tmp_t

Milos,
could you add output of authconfig

Comment 16 Milos Malik 2011-07-26 12:31:14 UTC
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
#

Comment 17 Miroslav Grepl 2011-07-28 12:19:45 UTC
Bryan,
any idea?

Comment 18 Bryan Kearney 2011-07-28 12:43:47 UTC
Sorry... any idea on what? If we need to clone it? If so, we should.. yes.

Comment 19 Miroslav Grepl 2011-07-28 12:49:47 UTC
AVC messages from the comment #14.

Comment 20 Bryan Kearney 2011-07-28 18:02:16 UTC
There is a cron job which checks the status of the certifictes. Could that be the issue?

Comment 23 Miroslav Grepl 2011-08-03 11:27:45 UTC
Bryan,
is /usr/libexec/rhsmd also executed by rhsmcertd binary?

Comment 24 Bryan Kearney 2011-08-03 11:58:57 UTC
/usr/libexec/rhsmd is a seperate binary deliverd with the subsription manage rpm.

Comment 25 Miroslav Grepl 2011-08-05 10:24:12 UTC
ok, but is executed by daemon?

Comment 26 Miroslav Grepl 2011-08-05 13:33:23 UTC
*** Bug 728535 has been marked as a duplicate of this bug. ***

Comment 27 Bryan Kearney 2011-08-08 16:17:07 UTC
the rpm delivers a service, rhsm, which in turn invokes /usr/bin/rhsmd. That in turn invokes python executing the file:

/usr/share/rhsm/subscription_manager/certmgr.py

Comment 28 James Bowes 2011-08-08 16:19:08 UTC
rhsmd is run via cron (nightly), and also via dbus activation (in response to a call from our desktop systray icon)

Comment 29 Miroslav Grepl 2011-08-10 15:23:14 UTC
Fixed in selinux-policy-3.7.19-107.el6

Comment 31 Karel Srot 2011-08-23 07:00:26 UTC
*** Bug 692818 has been marked as a duplicate of this bug. ***

Comment 33 errata-xmlrpc 2011-12-06 10:07:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html


Note You need to log in before you can comment on or make changes to this bug.