Bug 858235 - rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0
Summary: rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-18 11:59 UTC by Milan Zázrivec
Modified: 2013-02-21 08:29 UTC (History)

Fixed In Version: selinux-policy-3.7.19-166.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 08:29:16 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2013:0314
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-02-20 20:35:01 UTC

Description Milan Zázrivec 2012-09-18 11:59:58 UTC
Description of problem:
As things are, rhnsd in RHEL-6.4 runs as rhsmcertd_t (Why rhsmcertd_t anyway?
rhnsd and rhsm are different things really) and produces the following
denial when attempting to install a package (previously scheduled action):

type=AVC msg=audit(1347930972.794:18394): avc:  denied  { transition } for  pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-162.el6

How reproducible:
Always

Steps to Reproduce:
1. RHEL-6.4, registered to RHN / RHN Satellite, running rhnsd
2. Schedule a package installation
3. Wait for rhnsd to wake up and run rhn_check
  
Actual results:
The SELinux denial above.

Expected results:
No denials.

Additional info:
N/A

Comment 1 Jan Pazdziora 2012-09-18 12:56:08 UTC
I believe confining rhnsd is not a RHEL 6.4 material and the labelling should be reverted in selinux-policy. We should see the change in Fedora for some time before potentially breaking the way our customers deploy package updates to their RHEL machines.

Comment 2 Daniel Walsh 2012-09-18 13:42:07 UTC
	unconfined_domain(rhsmcertd_t)


Is in RHEL6.4

/usr/bin/rhsmcertd		--	gen_context(system_u:object_r:rhsmcertd_exec_t,s0)

Must be running rhn_check.

Miroslav we should have

rpm_domtrans(rhsmcertd_t)

Comment 3 Milan Zázrivec 2012-09-18 13:58:58 UTC
I still don't understand -- and would very much like to have it answered --
why rhnsd (part of rhn-client-tools) should run under rhsmcertd_t (judging
by the name a type created for subscription-manager -- a different package
doing different things).

/usr/bin/rhsmcertd certainly does not execute rhn_check as comment #2 suggests.

It's the rhnsd daemon that executes rhn_check. In the current setup, adding

    rpm_domtrans(rhsmcertd_t)

would allow it for both rhnsd and subscription-manager, even if the latter one
may not need it at all.

Thanks.

Comment 4 Daniel Walsh 2012-09-18 15:25:38 UTC
I do not know.  I don't see that in Fedora.  Miroslav?

Comment 5 Miroslav Grepl 2012-09-18 19:27:01 UTC
We have already discussed this issue.

The original bug is

https://bugzilla.redhat.com/show_bug.cgi?id=834994

I decided to treat rhnsd policy with rhsmcertd policy.


Now I see we should have the rhnsd policy and this policy should have

rpm_domtrans(rhnsd_t)

This is also the reason why we have "TestOnly bugs"

https://bugzilla.redhat.com/show_bug.cgi?id=846002

to find these issues in this RHEL6 phase when we have time to fix them.

Thank you guys for testing. Will do a new RHEL6 build with a new policy soon.

Now just execute 

# chcon -t bin_t /usr/sbin/rhnsd
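The AVC record quoted in this report, parsed into its fields and mapped to the minimal allow rule it implies (the same view audit2allow gives), as an added example that is not part of the bug report; the sample line is the report's own denial, the function names are ours, and the fix actually adopted in the policy is the rpm_domtrans() interface rather than a raw allow rule.

```python
import re
from typing import Dict, List

# Constructed sample: the AVC record from this bug report, joined on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1347930972.794:18394): avc:  denied  { transition } for  '
    'pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 '
    'scontext=unconfined_u:system_r:rhsmcertd_t:s0 '
    'tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process'
)

# "avc:  denied  { perm perm } for  key=value ..." (spacing in audit logs varies)
_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; comm= and path= are double-quoted, contexts are bare tokens
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, object]:
    """Split one AVC record into result, permission list and key=value fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields: Dict[str, object] = {
        k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))
    }
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def domain_type(context: str) -> str:
    """user:role:type[:range] -> type (e.g. rhsmcertd_t)."""
    return context.split(':')[2]


def is_domain_transition(fields: Dict[str, object]) -> bool:
    """True when the denied access is a process domain transition (exec into a new domain)."""
    return fields['tclass'] == 'process' and 'transition' in fields['perms']


def suggested_allow_rule(fields: Dict[str, object]) -> str:
    """Minimal TE rule that would silence this denial; braces only for several perms."""
    perms: List[str] = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (domain_type(fields['scontext']),
                                   domain_type(fields['tcontext']),
                                   fields['tclass'], perm_str)
```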

Comment 9 errata-xmlrpc 2013-02-21 08:29:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html

