Description of problem:
subscription-manager does not have its own policy

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
ps auxfwwwZ | grep /usr/bin/rhsmcertd
system_u:system_r:initrc_t:s0 root 1893 0.0 0.0 4036 328 ? Ss 12:05 0:00 /usr/bin/rhsmcertd 240

$ ls -laZ /usr/bin/rhsmcertd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/rhsmcertd

Expected results:
daemon confined after startup
binary context changed from bin_t

Additional info:
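The condition reported above (a daemon still in initrc_t, started from a binary carrying the generic bin_t label) can be checked for across a whole host. This is an added shell example, not part of the original bug report; the function names and every sample line other than the two rhsmcertd lines are constructed for illustration.

```shell
#!/bin/sh
# Sample input in the `ps auxfwwwZ` layout (the SELinux label is column 1).
# Only the rhsmcertd line comes from the report; the rest are constructed.
SAMPLE_PS='system_u:system_r:initrc_t:s0 root 1893 0.0 0.0 4036 328 ? Ss 12:05 0:00 /usr/bin/rhsmcertd 240
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1502 0.0 0.1 66604 1200 ? Ss 12:04 0:00 /usr/sbin/sshd
system_u:system_r:crond_t:s0-s0:c0.c1023 root 1610 0.0 0.1 117208 1300 ? Ss 12:04 0:00 crond
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2100 0.0 0.1 108300 1800 pts/0 Ss 12:10 0:00 -bash'

# Sample input in the `ls -laZ` layout shown in the report (context in column 4).
# The sshd line is constructed.
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/rhsmcertd
-rwxr-xr-x. root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd'

# Read ps -Z style lines on stdin and print "PID COMMAND" for each process
# whose SELinux type is initrc_t, i.e. an init script started it and no
# domain transition happened.
find_initrc_daemons() {
    awk '{
        split($1, ctx, ":")            # user:role:type:level[:categories]
        if (ctx[3] == "initrc_t") {
            cmd = $12
            for (i = 13; i <= NF; i++) cmd = cmd " " $i
            print $3, cmd
        }
    }'
}

# Read ls -Z style lines on stdin and print the path of each file whose
# type is the generic bin_t, which gives the policy no entrypoint to
# transition into a dedicated daemon domain.
find_generic_bin_labels() {
    awk '{
        split($4, ctx, ":")
        if (ctx[3] == "bin_t") print $5
    }'
}

# Demo run on the embedded samples.
printf '%s\n' "$SAMPLE_PS" | find_initrc_daemons
printf '%s\n' "$SAMPLE_LS" | find_generic_bin_labels
```

On a live system the same functions can be fed from `ps auxwwZ` and `ls -laZ` on the daemon binaries of interest.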
This is a 6.2 issue. Too late for 6.1.
Yes, too late.
I am working on this policy. I believe we have enough time for adding/testing this policy for RHEL6.2.
Fixed in selinux-policy-3.7.19-102.el6
Other combination of these avc msgs: sys_nice, setsched and read on tmp_t.
Milos, could you add output of authconfig
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is sha512
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
LDAP+TLS is disabled
LDAP server = ""
LDAP base DN = ""
LDAP schema = "rfc2307"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = ""
smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
SMB workgroup = ""
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_sss is disabled by default
credential caching in SSSD is enabled
SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
#
Bryan, any idea?
Sorry... any idea on what? If we need to clone it? If so, we should.. yes.
AVC messages from the comment #14.
There is a cron job which checks the status of the certificates. Could that be the issue?
Bryan, is /usr/libexec/rhsmd also executed by rhsmcertd binary?
/usr/libexec/rhsmd is a separate binary delivered with the subscription manager rpm.
ok, but is executed by daemon?
*** Bug 728535 has been marked as a duplicate of this bug. ***
the rpm delivers a service, rhsm, which in turn invokes /usr/bin/rhsmd. That in turn invokes python executing the file: /usr/share/rhsm/subscription_manager/certmgr.py
rhsmd is run via cron (nightly), and also via dbus activation (in response to a call from our desktop systray icon)
Fixed in selinux-policy-3.7.19-107.el6
*** Bug 692818 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html