Description of problem:
I have noticed rhnsd daemon on F17 (RHN Classic and Spacewalk/RHN Satellite stuff) is labeled with system_u:object_r:rhsmcertd_exec_t:s0 (RHSM = Subscription management stuff) - not sure if this is correct.

Also, this AVC appeared:

time->Sun Aug 5 15:49:14 2012
type=SYSCALL msg=audit(1344196154.847:445): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=402743 items=0 ppid=1 pid=6975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1344196154.847:445): avc: denied { create } for pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-142.fc17.noarch
rhnsd-4.9.14-2.fc17.x86_64

How reproducible:
always

Steps to Reproduce:
1. Register F17 into the Spacewalk
2. Schedule a few remote actions
3. Watch what and how rhnsd behaves and check AVC messages

Actual results:
E.g. just a restart produces (I'm tailing audit.log in the background):

# service rhnsd restart
Restarting rhnsd (via systemctl):
type=AVC msg=audit(1344395738.516:1439): avc: denied { create } for pid=27375 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1344395738.516:1439): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=4023a1 items=0 ppid=1 pid=27375 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
Aug 7 23:15:38 hp-bl280cg6-01 rhnsd[505]: Stopping Red Hat Network Daemon: [ OK ]
type=SERVICE_START msg=audit(1344395738.629:1440): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1344395738.629:1441): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1344395738.688:1442): avc: denied { create } for pid=518 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1344395738.688:1442): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=402743 items=0 ppid=1 pid=518 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
Aug 7 23:15:38 hp-bl280cg6-01 rhnsd[512]: Starting Red Hat Network Daemon: [ OK ]
type=SERVICE_START msg=audit(1344395738.701:1443): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ OK ]

Expected results:
There should be no AVCs

Additional info:
Please note there are a few caveats with rhnsd usage:
* you have to be registered into Hosted/Satellite/Spacewalk
* it checks in at quite long intervals, minimum is 60 minutes IIRC
* it can perform a wide range of actions scheduled on the Hosted/Satellite/Spacewalk WebUI
Jan, could you re-test it with

# semanage permissive -a rhsmcertd_t
Did not help completely:

# rpm -q selinux-policy
selinux-policy-3.10.0-153.fc17.noarch
# tailf /var/log/audit/audit.log &
# service rhnsd restart
Restarting rhnsd (via systemctl):
type=SERVICE_START msg=audit(1350502100.753:1995): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1350502100.753:1996): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1350502100.825:1997): avc: denied { read } for pid=734 comm="rhnsd" name="locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1350502100.825:1997): avc: denied { open } for pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1997): arch=c000003e syscall=2 success=yes exit=3 a0=359fb797c0 a1=80000 a2=359fdb1c00 a3=5 items=0 ppid=733 pid=734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=AVC msg=audit(1350502100.825:1998): avc: denied { getattr } for pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1998): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=359fdb1c20 a2=359fdb1c20 a3=5 items=0 ppid=733 pid=734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=SERVICE_START msg=audit(1350502100.873:1999): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[ OK ]
# semanage permissive -a rhsmcertd_t
type=USER_ACCT msg=audit(1350502201.563:2000): pid=808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1350502201.572:2001): pid=808 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1350502201.574:2002): login pid=808 uid=0 old auid=4294967295 new auid=996 old ses=4294967295 new ses=191
type=USER_START msg=audit(1350502201.742:2003): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1350502201.854:2004): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1350502202.330:2005): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1350502202.331:2006): pid=808 uid=0 auid=996 ses=191 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="nocpulse" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 hostname=? addr=? terminal=cron res=success'
type=MAC_POLICY_LOAD msg=audit(1350502368.466:2007): policy loaded auid=0 ses=190
type=SYSCALL msg=audit(1350502368.466:2007): arch=c000003e syscall=1 success=yes exit=4953678 a0=4 a1=7f370c100000 a2=4b964e a3=7fff20b08010 items=0 ppid=758 pid=858 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=190 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 key=(null)
# service rhnsd restart
Restarting rhnsd (via systemctl):
type=SERVICE_STOP msg=audit(1350502470.634:2008): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1350502470.691:2009): avc: denied { read } for pid=915 comm="rhnsd" name="locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
[ OK ]
type=AVC msg=audit(1350502470.691:2009): avc: denied { open } for pid=915 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502470.691:2009): arch=c000003e syscall=2 success=yes exit=3 a0=359fb797c0 a1=80000 a2=359fdb1c00 a3=5 items=0 ppid=914 pid=915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=AVC msg=audit(1350502470.691:2010): avc: denied { getattr } for pid=915 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502470.691:2010): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=359fdb1c20 a2=359fdb1c20 a3=5 items=0 ppid=914 pid=915 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=SERVICE_START msg=audit(1350502470.721:2011): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="rhnsd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

These messages about locale_t were not there before.
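The two logs above carry the whole story of this bug: in the first report rhnsd runs in rhsmcertd_t (wrong domain for /usr/sbin/rhnsd, a labelling problem) and the unix_dgram_socket create is really blocked (success=no); in the retest it runs in rhnsd_t and the locale_t denials are only logged, since each paired SYSCALL record shows success=yes, which happens only when the domain or the whole system is permissive. The script below is an added example, not code from the bug report, from selinux-policy or from rhnsd. It parses AVC records, joins each one with the SYSCALL record of the same serial, derives the allow rules audit2allow would propose (the commit that fixed this bug adds exactly such a rule for locale_t), and flags processes running in an unexpected domain. The sample records are copied from the report; the expected exe-to-domain mapping passed to suspicious_domains is an assumption for this host.

```python
"""Summarise SELinux AVC denials from raw audit.log records.

Added example for this bug report; not part of selinux-policy or rhnsd.
"""
import re
from collections import defaultdict

# Sample records copied from the report (AVC + matching SYSCALL per serial).
SAMPLE = r'''
type=AVC msg=audit(1344196154.847:445): avc: denied { create } for pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1344196154.847:445): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=80002 a2=0 a3=402743 items=0 ppid=1 pid=6975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1350502100.825:1997): avc: denied { read } for pid=734 comm="rhnsd" name="locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=AVC msg=audit(1350502100.825:1997): avc: denied { open } for pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1997): arch=c000003e syscall=2 success=yes exit=3 a0=359fb797c0 a1=80000 a2=359fdb1c00 a3=5 items=0 ppid=733 pid=734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
type=AVC msg=audit(1350502100.825:1998): avc: denied { getattr } for pid=734 comm="rhnsd" path="/usr/lib/locale/locale-archive" dev="dm-1" ino=786370 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file
type=SYSCALL msg=audit(1350502100.825:1998): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=359fdb1c20 a2=359fdb1c20 a3=5 items=0 ppid=733 pid=734 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhnsd" exe="/usr/sbin/rhnsd" subj=system_u:system_r:rhnsd_t:s0 key=(null)
'''

MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')


def parse_record(line):
    """One audit line -> dict of key=value fields; AVC lines also get 'perms'."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {'time': float(m.group(1)), 'serial': int(m.group(2))}
    for key, val in KV_RE.findall(line):
        rec[key] = val.strip('"')
    p = PERM_RE.search(line)
    if p:
        rec['perms'] = p.group(1).split()
    return rec


def type_of(context):
    """system_u:system_r:rhnsd_t:s0 -> rhnsd_t (the type field of a context)."""
    return context.split(':')[2]


def summarize_denials(text):
    """Join each AVC with the SYSCALL sharing its serial; 'enforced' is True
    only when the kernel actually refused the call (success=no). A denial
    with success=yes was merely logged: the domain or system is permissive."""
    by_serial = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec['serial']].append(rec)
    out = []
    for serial, recs in sorted(by_serial.items()):
        sc = next((r for r in recs if r['type'] == 'SYSCALL'), {})
        for r in recs:
            if r['type'] != 'AVC':
                continue
            out.append({'serial': serial, 'comm': r.get('comm'),
                        'exe': sc.get('exe'), 'stype': type_of(r['scontext']),
                        'ttype': type_of(r['tcontext']), 'tclass': r['tclass'],
                        'perms': r['perms'], 'enforced': sc.get('success') == 'no'})
    return out


def allow_rules(denials):
    """Collapse denials into the allow rules audit2allow would propose,
    one per (source type, target type, object class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def suspicious_domains(denials, expected):
    """Return (exe, domain) pairs where a process ran in a domain other than
    the one `expected` maps its executable to. Such denials point at a
    labelling bug (wrong exec_t on the binary); adding allow rules for them
    would only widen the wrong domain."""
    return sorted({(d['exe'], d['stype']) for d in denials
                   if d['exe'] in expected and expected[d['exe']] != d['stype']})


if __name__ == '__main__':
    dens = summarize_denials(SAMPLE)
    for d in dens:
        print(d['serial'], d['comm'], d['stype'], '->', d['ttype'], d['tclass'],
              d['perms'], 'enforced' if d['enforced'] else 'permissive')
    print('\n'.join(allow_rules(dens)))
    # Assumed mapping for this host: /usr/sbin/rhnsd should run as rhnsd_t.
    print(suspicious_domains(dens, {'/usr/sbin/rhnsd': 'rhnsd_t'}))
```

On a live host the same two checks are `ls -Z /usr/sbin/rhnsd` against `matchpathcon /usr/sbin/rhnsd` (with `restorecon -v /usr/sbin/rhnsd` to fix a stale label) and `audit2allow -a`, which prints the rules the script derives; the point of keeping the two cases apart is that the first report's rhsmcertd_t denial is a labelling bug to be fixed in the file contexts, not one to be allowed.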
Added to F17.

commit 599441d012690ddc7246d10cbac070bb44b4a437
Author: Miroslav Grepl <mgrepl>
Date:   Tue Oct 16 14:17:51 2012 +0200

    Allow rhnsd to read /usr/lib/locale
selinux-policy-3.10.0-159.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-159.fc17
Package selinux-policy-3.10.0-159.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-159.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17782/selinux-policy-3.10.0-159.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-159.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.