Bug 858235 - rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-09-18 07:59 EDT by Milan Zazrivec
Modified: 2013-02-21 03:29 EST
CC List: 5 users

Fixed In Version: selinux-policy-3.7.19-166.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:29:16 EST
Type: Bug


Description Milan Zazrivec 2012-09-18 07:59:58 EDT
Description of problem:
As things are, rhnsd in RHEL-6.4 runs as rhsmcertd_t (Why rhsmcertd_t anyway?
rhnsd and rhsm are different things really) and produces the following
denial when attempting to install a package (previously scheduled action):

type=AVC msg=audit(1347930972.794:18394): avc:  denied  { transition } for  pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-162.el6

How reproducible:
Always

Steps to Reproduce:
1. RHEL-6.4, registered to RHN / RHN Satellite, running rhnsd
2. Schedule a package installation
3. Wait for rhnsd to wake up and run rhn_check
  
Actual results:
The SELinux denial above.

Expected results:
No denials.

Additional info:
N/A
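To make denials like the one quoted in this report easier to triage, here is a small parser for Linux audit AVC records, added as an example (it is not part of the bug report, of the selinux-policy package, or of rhn-client-tools). It splits a record into its fields, breaks the security contexts into user/role/type/level, and filters out only denied process-domain transitions, which is exactly the class of denial this bug is about. The first sample line is the record from the description; the other two lines are constructed here for contrast and do not come from the report.

```python
import re

# Constructed sample log: line 1 is the AVC record quoted in this bug report,
# lines 2 and 3 are made up for this example (a file-read denial and a
# granted transition) so the filter has something to reject.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1347930972.794:18394): avc:  denied  { transition } for  pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process
type=AVC msg=audit(1347930980.123:18395): avc:  denied  { read } for  pid=6790 comm="rhn_check" name="passwd" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1347930990.456:18396): avc:  granted  { transition } for  pid=6800 comm="rhsmcertd" path="/usr/bin/python" dev=dm-0 ino=5678 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=process
"""

# Standard audit AVC record layout: "type=AVC msg=audit(<secs>:<serial>): avc:
# <denied|granted> { perm ... } for <key=value ...>".
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm="rhn_check") or bare (pid=6780).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (MLS ranges)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": ":".join(parts[3:])}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    for ctx_key in ("scontext", "tcontext"):
        if ctx_key in rec:
            rec[ctx_key + "_parsed"] = parse_context(rec[ctx_key])
    return rec


def denied_transitions(log_text):
    """List (comm, source domain, target domain) for every denied process transition.

    Only tclass=process records with 'transition' among the denied permissions
    qualify; file denials and granted records are ignored.
    """
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec.get("tclass") == "process" and "transition" in rec["perms"]:
            found.append((rec.get("comm"),
                          rec["scontext_parsed"]["type"],
                          rec["tcontext_parsed"]["type"]))
    return found


def summarize(log_text):
    """Human-readable one-liners, one per denied domain transition."""
    return ["%s: %s -> %s (process transition denied)" % t
            for t in denied_transitions(log_text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_AUDIT_LOG):
        print(line)
```

Run against the sample log it reports a single entry, `rhn_check: rhsmcertd_t -> rpm_script_t (process transition denied)`, which is the source and target domain pair that the `rpm_domtrans(...)` interface discussed in the comments is meant to allow; feeding it the output of `ausearch -m avc` on a real host gives the same summary for whatever transitions are actually being denied there.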
Comment 1 Jan Pazdziora 2012-09-18 08:56:08 EDT
I believe confining rhnsd is not a RHEL 6.4 material and the labelling should be reverted in selinux-policy. We should see the change in Fedora for some time before potentially breaking the way our customers deploy package updates to their RHEL machines.
Comment 2 Daniel Walsh 2012-09-18 09:42:07 EDT
	unconfined_domain(rhsmcertd_t)


Is in RHEL6.4

/usr/bin/rhsmcertd		--	gen_context(system_u:object_r:rhsmcertd_exec_t,s0)

Must be running rhn_check.

Miroslav we should have

rpm_domtrans(rhsmcertd_t)
Comment 3 Milan Zazrivec 2012-09-18 09:58:58 EDT
I still don't understand -- and would very much like to have it answered --
why rhnsd (part of rhn-client-tools) should run under rhsmcertd_t (judging
by the name a type created for subscription-manager -- a different package
doing different things).

/usr/bin/rhsmcertd certainly does not execute rhn_check as comment #2 suggests.

It's the rhnsd daemon that executes rhn_check. In the current setup, adding

    rpm_domtrans(rhsmcertd_t)

would allow it for both rhnsd and subscription-manager, even if the latter one
may not need it at all.

Thanks.
Comment 4 Daniel Walsh 2012-09-18 11:25:38 EDT
I do not know.  I don't see that in Fedora.  Miroslav?
Comment 5 Miroslav Grepl 2012-09-18 15:27:01 EDT
We have already discussed this issue.

The original bug is

https://bugzilla.redhat.com/show_bug.cgi?id=834994

I decided to treat rhnsd policy with rhsmcertd policy.


Now I see we should have the rhnsd policy and this policy should have

rpm_domtrans(rhnsd_t)

This is also the reason why we have "TestOnly bugs"

https://bugzilla.redhat.com/show_bug.cgi?id=846002

to find these issues in this RHEL6 phase when we have time to fix them.

Thank you guys for testing. Will do a new RHEL6 build with a new policy soon.

Now just execute 

# chcon -t bin_t /usr/sbin/rhnsd
Comment 9 errata-xmlrpc 2013-02-21 03:29:16 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
