Bug 694879 - [RFE] subscription-manager does not have its own policy (rhsmcertd runs as initrc_t)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: high  Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: John Sefler
Keywords: FutureFeature
Duplicates: 692818 728535
Depends On:
Blocks: rhsm-rhel62 832330 717654 724941
Reported: 2011-04-08 13:43 EDT by Jaroslav Kortus
Modified: 2014-06-17 10:07 EDT
CC: 5 users

See Also:
Fixed In Version: selinux-policy-3.7.19-107.el6
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Clones: 717654 724941
Environment:
Last Closed: 2011-12-06 05:07:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Jaroslav Kortus 2011-04-08 13:43:40 EDT
Description of problem:
subscription-manager does not have its own policy

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
ps auxfwwwZ | grep /usr/bin/rhsmcertd
system_u:system_r:initrc_t:s0   root      1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240
$ ls -laZ /usr/bin/rhsmcertd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/rhsmcertd


Expected results:
daemon confined after startup
binary context changed from bin_t

Additional info:
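The two checks the reporter ran, as an added example that is not part of the bug report or of subscription-manager: a small POSIX shell script that reads `ps -Z`-style and `ls -Z` output, extracts the SELinux type from each context, and flags a daemon left in `initrc_t` or a binary still labelled `bin_t` (unless the binary carries a type the daemon's domain may use as an entrypoint, init's domain cannot transition at exec time). The sample lines are constructed from the output in the report; the `rhsmcertd_t` and `rhsmcertd_exec_t` names used for the "after" case are assumed for illustration and are not taken from this page.

```sh
#!/bin/sh
# Added example, not code from the bug report or from subscription-manager.
# Checks the two things the reporter looked at: the SELinux domain a daemon
# runs in (from "ps -Z"-style output) and the type on its binary (from "ls -Z").

# daemon_domain BIN: read ps output on stdin, print the SELinux type of the
# first process whose command field equals BIN, or "absent" if none matches.
daemon_domain() {
    awk -v bin="$1" '
        {
            for (i = 2; i <= NF; i++) {
                if ($i == bin) {
                    n = split($1, c, ":")      # user:role:type[:level]
                    t = (n >= 3) ? c[3] : "unknown"
                    print t
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "absent" }'
}

# file_type: read "ls -Z" output on stdin, print the type component of the
# first file context found (the field containing ":object_r:").
file_type() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# check_confinement BIN PS_OUTPUT LS_OUTPUT: print a verdict for both checks.
# Returns 0 only when the daemon runs in a domain of its own and the binary
# carries a type other than the generic bin_t.
check_confinement() {
    bin=$1
    dom=$(printf '%s\n' "$2" | daemon_domain "$bin")
    ftype=$(printf '%s\n' "$3" | file_type)
    rc=0
    case "$dom" in
        initrc_t|unconfined_t)
            echo "process: $bin runs as $dom (inherited from init, NOT confined)"; rc=1 ;;
        absent)
            echo "process: $bin not running"; rc=1 ;;
        *)
            echo "process: $bin runs as $dom (confined)" ;;
    esac
    case "${ftype:-unknown}" in
        bin_t|unknown)
            echo "binary:  $bin labelled ${ftype:-unknown} (no entrypoint type, init cannot transition)"; rc=1 ;;
        *)
            echo "binary:  $bin labelled $ftype" ;;
    esac
    return $rc
}

# Constructed sample data in the shape of the report (before the fix) ...
PS_BEFORE='system_u:system_r:initrc_t:s0   root      1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240'
LS_BEFORE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/rhsmcertd'
# ... and what a confined daemon would look like; the rhsmcertd_t and
# rhsmcertd_exec_t names are assumed for the example, not taken from the bug.
PS_AFTER='system_u:system_r:rhsmcertd_t:s0  root      1893  0.0  0.0   4036   328 ?        Ss   12:05   0:00 /usr/bin/rhsmcertd 240'
LS_AFTER='-rwxr-xr-x. root root system_u:object_r:rhsmcertd_exec_t:s0 /usr/bin/rhsmcertd'

echo "== as reported =="
check_confinement /usr/bin/rhsmcertd "$PS_BEFORE" "$LS_BEFORE" || echo "verdict: needs its own policy"
echo "== with a policy of its own =="
check_confinement /usr/bin/rhsmcertd "$PS_AFTER" "$LS_AFTER" && echo "verdict: confined"
```

On a live RHEL 6 box the same functions take real output, for example `check_confinement /usr/bin/rhsmcertd "$(ps auxZ)" "$(ls -Z /usr/bin/rhsmcertd)"`. A domain other than `initrc_t` is necessary but not sufficient on its own: the reporter's second expectation, a label other than `bin_t` on the binary, is what gives the policy an entrypoint for the transition out of the init script domain, so both checks have to pass.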
Comment 2 Daniel Walsh 2011-04-08 14:13:14 EDT
This is a 6.2 issue.  Too late for 6.1.
Comment 3 Miroslav Grepl 2011-04-11 03:18:45 EDT
Yes, too late.
Comment 8 Miroslav Grepl 2011-06-29 07:37:25 EDT
I am working on this policy. I believe we have enough time for adding/testing this policy for RHEL6.2.
Comment 10 Miroslav Grepl 2011-06-30 11:46:27 EDT
Fixed in selinux-policy-3.7.19-102.el6
Comment 15 Miroslav Grepl 2011-07-26 08:11:32 EDT
Other combinations of these AVC messages.

sys_nice, setsched and read on tmp_t

Milos,
could you add output of authconfig
Comment 16 Milos Malik 2011-07-26 08:31:14 EDT
# authconfig --test
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_sss is disabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com"
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is enabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
pam_cracklib is enabled (try_first_pass retry=3 type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
#
Comment 17 Miroslav Grepl 2011-07-28 08:19:45 EDT
Bryan,
any idea?
Comment 18 Bryan Kearney 2011-07-28 08:43:47 EDT
Sorry... any idea on what? If we need to clone it? If so, we should.. yes.
Comment 19 Miroslav Grepl 2011-07-28 08:49:47 EDT
AVC messages from comment #14.
Comment 20 Bryan Kearney 2011-07-28 14:02:16 EDT
There is a cron job which checks the status of the certificates. Could that be the issue?
Comment 23 Miroslav Grepl 2011-08-03 07:27:45 EDT
Bryan,
is /usr/libexec/rhsmd also executed by rhsmcertd binary?
Comment 24 Bryan Kearney 2011-08-03 07:58:57 EDT
/usr/libexec/rhsmd is a separate binary delivered with the subscription-manager rpm.
Comment 25 Miroslav Grepl 2011-08-05 06:24:12 EDT
OK, but is it executed by the daemon?
Comment 26 Miroslav Grepl 2011-08-05 09:33:23 EDT
*** Bug 728535 has been marked as a duplicate of this bug. ***
Comment 27 Bryan Kearney 2011-08-08 12:17:07 EDT
The rpm delivers a service, rhsm, which in turn invokes /usr/bin/rhsmd. That in turn invokes python, executing the file:

/usr/share/rhsm/subscription_manager/certmgr.py
Comment 28 James Bowes 2011-08-08 12:19:08 EDT
rhsmd is run via cron (nightly), and also via dbus activation (in response to a call from our desktop systray icon).
Comment 29 Miroslav Grepl 2011-08-10 11:23:14 EDT
Fixed in selinux-policy-3.7.19-107.el6
Comment 31 Karel Srot 2011-08-23 03:00:26 EDT
*** Bug 692818 has been marked as a duplicate of this bug. ***
Comment 33 errata-xmlrpc 2011-12-06 05:07:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
