Bug 846001 - type=AVC msg=audit(1344196154.847:445): avc: denied { create } for pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2012-08-06 08:56 EDT by Jan Hutař
Modified: 2012-12-20 11:23 EST
Doc Type: Bug Fix
Last Closed: 2012-12-20 11:23:28 EST
Type: Bug
Attachments: None

Description Jan Hutař 2012-08-06 08:56:15 EDT
Description of problem:
I have noticed that the rhnsd daemon on F17 (RHN Classic and Spacewalk/RHN Satellite stuff) is labeled with system_u:object_r:rhsmcertd_exec_t:s0 (RHSM = Subscription management stuff) - not sure if this is correct. Also, this AVC appeared:

time->Sun Aug  5 15:49:14 2012
type=SYSCALL msg=audit(1344196154.847:445): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=402743 items=0 ppid=1 pid=6975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1344196154.847:445): avc:  denied  { create } for  pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-142.fc17.noarch
rhnsd-4.9.14-2.fc17.x86_64


How reproducible:
always


Steps to Reproduce:
1. Register F17 into the Spacewalk
2. Schedule a few remote actions
3. Watch what rhnsd does and how it behaves, and check AVC messages


Actual results:
E.g. just a restart produces (I'm tailing audit.log in the background):
# service rhnsd restart
Restarting rhnsd (via systemctl):  type=AVC msg=audit(1344395738.516:1439): avc:  denied  { create } for  pid=27375 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1344395738.516:1439): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=4023a1 items=0 ppid=1 pid=27375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
Aug  7 23:15:38 hp-bl280cg6-01 rhnsd[505]: Stopping Red Hat Network Daemon: [  OK  ]
type=SERVICE_START msg=audit(1344395738.629:1440): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1344395738.629:1441): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1344395738.688:1442): avc:  denied  { create } for  pid=518 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1344395738.688:1442): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=402743 items=0 ppid=1 pid=518 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
Aug  7 23:15:38 hp-bl280cg6-01 rhnsd[512]: Starting Red Hat Network Daemon: [  OK  ]
type=SERVICE_START msg=audit(1344395738.701:1443): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ]


Expected results:
There should be no AVCs


Additional info:
Please note there are a few caveats with rhnsd usage:
 * you have to be registered into Hosted/Satellite/Spacewalk
 * it checks in at quite long intervals, minimum is 60 minutes IIRC
 * it can perform a wide range of actions scheduled on the Hosted/Satellite/Spacewalk WebUI
Comment 2 Miroslav Grepl 2012-08-06 08:58:26 EDT
Jan,
could you re-test it with

# semanage permissive -a rhsmcertd_t
Comment 3 Jan Hutař 2012-10-16 07:29:49 EDT
Did not help completely:

# rpm -q selinux-policy
selinux-policy-3.10.0-153.fc17.noarch
# tailf /var/log/audit/audit.log &
# service rhnsd restart
Restarting rhnsd (via systemctl):  type=SERVICE_START msg=audit(1350502100.753:1995): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1350502100.753:1996): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1350502100.825:1997): avc:  denied  { read } for  pid=734 comm="rhnsd" name="locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1350502100.825:1997): avc:  denied  { open } for  pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1997): arch=c000003e syscall=2 success=yes exit=3 a0=359fb797c0 a1=80000 a2=359fdb1c00 a3=5 items=0 ppid=733 pid=734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=AVC msg=audit(1350502100.825:1998): avc:  denied  { getattr } for  pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1998): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=359fdb1c20 a2=359fdb1c20 a3=5 items=0 ppid=733 pid=734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=SERVICE_START msg=audit(1350502100.873:1999): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[  OK  ]
# semanage permissive -a rhsmcertd_t
type=USER_ACCT msg=audit(1350502201.563:2000): pid=808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1350502201.572:2001): pid=808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1350502201.574:2002): login pid=808 uid=0 old auid=4294967295 new auid=996 old ses=4294967295 new ses=191
type=USER_START msg=audit(1350502201.742:2003): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1350502201.854:2004): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1350502202.330:2005): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1350502202.331:2006): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=MAC_POLICY_LOAD msg=audit(1350502368.466:2007): policy loaded auid=0 ses=190
type=SYSCALL msg=audit(1350502368.466:2007): arch=c000003e syscall=1 success=yes exit=4953678 a0=4 a1=7f370c100000 a2=4b964e a3=7fff20b08010 items=0 ppid=758 pid=858 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=190 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
# service rhnsd restart
Restarting rhnsd (via systemctl):  type=SERVICE_STOP msg=audit(1350502470.634:2008): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1350502470.691:2009): avc:  denied  { read } for  pid=915 comm="rhnsd" name="locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
[  OK  ]
type=AVC msg=audit(1350502470.691:2009): avc:  denied  { open } for  pid=915 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502470.691:2009): arch=c000003e syscall=2 success=yes exit=3 a0=359fb797c0 a1=80000 a2=359fdb1c00 a3=5 items=0 ppid=914 pid=915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=AVC msg=audit(1350502470.691:2010): avc:  denied  { getattr } for  pid=915 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502470.691:2010): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=359fdb1c20 a2=359fdb1c20 a3=5 items=0 ppid=914 pid=915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=SERVICE_START msg=audit(1350502470.721:2011): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

These messages about locale_t were not there before.
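A way to triage the AVC records quoted in this bug (the description and comment 3), as an added example that is not part of the bug report or of selinux-policy: it groups the denials into the allow rule audit2allow would propose for each source/target/class triple, and uses the paired SYSCALL record (same audit serial) to tell a denial the kernel enforced (success=no, as for the unix_dgram_socket create) from one merely logged in a permissive domain (success=yes, as for the locale_t reads). The sample records are constructed, trimmed copies of those on the page.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the audit records quoted in the bug
# (comment 0 and comment 3); unrelated fields are trimmed for brevity.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1344196154.847:445): arch=c000003e syscall=41 success=no exit=-13 pid=6975 comm="rhnsd" subj=system_u:system_r:rhsmcertd_t:s0
type=AVC msg=audit(1344196154.847:445): avc:  denied  { create } for  pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1350502100.825:1997): avc:  denied  { read } for  pid=734 comm="rhnsd" name="locale-archive" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1350502100.825:1997): avc:  denied  { open } for  pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1997): arch=c000003e syscall=2 success=yes exit=3 pid=734 comm="rhnsd" subj=system_u:system_r:rhnsd_t:s0
type=AVC msg=audit(1350502100.825:1998): avc:  denied  { getattr } for  pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1998): arch=c000003e syscall=5 success=yes exit=0 pid=734 comm="rhnsd" subj=system_u:system_r:rhnsd_t:s0
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\).*?denied\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\).*?success=(?P<success>yes|no)")

def selinux_type(context):
    """Third field of user:role:type:level, e.g. rhsmcertd_t."""
    return context.split(":")[2]

def parse_denials(audit_text):
    """Group denied permissions by (source type, target type, class) and note
    whether the kernel blocked the syscall. An AVC whose SYSCALL record says
    success=yes was only logged: the domain is permissive, the access went through."""
    outcome = {m["serial"]: m["success"] for m in SYSCALL_RE.finditer(audit_text)}
    groups = defaultdict(lambda: {"perms": set(), "enforced": False})
    for m in AVC_RE.finditer(audit_text):
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        groups[key]["perms"].update(m["perms"].split())
        if outcome.get(m["serial"]) == "no":
            groups[key]["enforced"] = True
    return dict(groups)

def allow_rules(audit_text):
    """Render each group as the TE allow rule that would silence it (audit2allow
    style), tagged 'enforced' or 'permissive' from the paired SYSCALL records."""
    rules = []
    for (stype, ttype, tclass), info in sorted(parse_denials(audit_text).items()):
        perms = sorted(info["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        target = "self" if stype == ttype else ttype  # same type on both sides
        mode = "enforced" if info["enforced"] else "permissive"
        rules.append((f"allow {stype} {target}:{tclass} {perm_txt};", mode))
    return rules
```

Calling allow_rules(SAMPLE_AUDIT) yields the rule for the unix_dgram_socket create marked enforced and the locale_t file rule marked permissive; the latter is the access the F17 policy commit in comment 4 grants.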
Comment 4 Miroslav Grepl 2012-10-16 08:18:30 EDT
Added to F17.

commit 599441d012690ddc7246d10cbac070bb44b4a437
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Oct 16 14:17:51 2012 +0200

    Allow rhnsd to read /usr/lib/locale
Comment 5 Fedora Update System 2012-11-06 03:21:25 EST
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Comment 6 Fedora Update System 2012-11-07 21:03:29 EST
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-12-20 11:23:29 EST
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.