Bug 858235 - rhnsd: avc: denied { transition } for comm="rhn_check" scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Hardware/OS: All Linux
Priority: high, Severity: high
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2012-09-18 07:59 EDT by Milan Zázrivec
Modified: 2013-02-21 03:29 EST
Fixed In Version: selinux-policy-3.7.19-166.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:29:16 EST
Type: Bug

Attachments: None
Description Milan Zázrivec 2012-09-18 07:59:58 EDT
Description of problem:
As things are, rhnsd in RHEL-6.4 runs as rhsmcertd_t (Why rhsmcertd_t anyway?
rhnsd and rhsm are different things really) and produces the following
denial when attempting to install a package (previously scheduled action):

type=AVC msg=audit(1347930972.794:18394): avc:  denied  { transition } for  pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 scontext=unconfined_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. RHEL-6.4, registered to RHN / RHN Satellite, running rhnsd
2. Schedule a package installation
3. Wait for rhnsd to wake up and run rhn_check
Actual results:
The SELinux denial above.

Expected results:
No denials.

Additional info:
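A small parser for the AVC record quoted in the description, added here as an example and not part of the bug report: it splits the audit line into fields and identifies the denied domain transition (the sample record is copied from the description above).

```python
import re
from typing import Dict, Optional, Tuple

# Sample input: the AVC record from the bug description (copied, not captured here).
AVC_LINE = (
    'type=AVC msg=audit(1347930972.794:18394): avc:  denied  { transition } for  '
    'pid=6780 comm="rhn_check" path="/bin/bash" dev=dm-0 ino=29780 '
    'scontext=unconfined_u:system_r:rhsmcertd_t:s0 '
    'tcontext=unconfined_u:system_r:rpm_script_t:s0 tclass=process'
)

# Header: timestamp, serial, result and the permission set inside the braces.
_HEADER = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm, path) or bare tokens.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Dict[str, object]:
    """Parse one audit AVC record into a dict; raise ValueError if it is not one."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an AVC record")
    rec: Dict[str, object] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in _KV.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def domain_type(context: str) -> str:
    """Return the type component (user:role:TYPE:level) of an SELinux context."""
    return context.split(":")[2]


def denied_transition(rec: Dict[str, object]) -> Optional[Tuple[str, str]]:
    """Return (source_type, target_type) if the record is a denied domain transition."""
    if rec["result"] != "denied" or rec.get("tclass") != "process":
        return None
    if "transition" not in rec["perms"]:
        return None
    return domain_type(str(rec["scontext"])), domain_type(str(rec["tcontext"]))
```

Running `denied_transition(parse_avc(AVC_LINE))` on the quoted record yields `("rhsmcertd_t", "rpm_script_t")`, the source and target domains the policy did not allow.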
Comment 1 Jan Pazdziora 2012-09-18 08:56:08 EDT
I believe confining rhnsd is not RHEL 6.4 material and the labelling should be reverted in selinux-policy. We should see the change in Fedora for some time before potentially breaking the way our customers deploy package updates to their RHEL machines.
Comment 2 Daniel Walsh 2012-09-18 09:42:07 EDT

Is in RHEL6.4

/usr/bin/rhsmcertd		--	gen_context(system_u:object_r:rhsmcertd_exec_t,s0)

Must be running rhn_check.

Miroslav, we should have

Comment 3 Milan Zázrivec 2012-09-18 09:58:58 EDT
I still don't understand -- and would very much like to have it answered --
why rhnsd (part of rhn-client-tools) should run under rhsmcertd_t (judging
by the name a type created for subscription-manager -- a different package
doing different things).

/usr/bin/rhsmcertd certainly does not execute rhn_check as comment #2 suggests.

It's the rhnsd daemon that executes rhn_check. In the current setup, adding


would allow it for both rhnsd and subscription-manager, even if the latter one
may not need it at all.

Comment 4 Daniel Walsh 2012-09-18 11:25:38 EDT
I do not know.  I don't see that in Fedora.  Miroslav?
Comment 5 Miroslav Grepl 2012-09-18 15:27:01 EDT
We have already discussed this issue.

The original bug is


I decided to treat rhnsd policy with rhsmcertd policy.

Now I see we should have the rhnsd policy and this policy should have


This is also the reason why we have "TestOnly bugs"


to find these issues in this RHEL6 phase, when we have time to fix them.

Thank you guys for testing. Will do a new RHEL6 build with a new policy soon.

Now just execute 

# chcon -t bin_t /usr/sbin/rhnsd
Comment 9 errata-xmlrpc 2013-02-21 03:29:16 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.