Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1176078 - rhsmd send signull to subscription-manager-gui but that is denied by selinux-policy
Summary: rhsmd send signull to subscription-manager-gui but that is denied by selinux-...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel72
 
Reported: 2014-12-19 11:01 UTC by Patrik Kis
Modified: 2019-08-15 04:09 UTC
CC List: 12 users

Fixed In Version: selinux-policy-3.13.1-50.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 10:24:29 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2300 0 normal SHIPPED_LIVE selinux-policy bug fix update 2015-11-19 09:55:26 UTC

Description Patrik Kis 2014-12-19 11:01:06 UTC
Description of problem:
rhsmd attempts to send signull to subscription-manager-gui (running under unconfined context because launched by admin), but that is prevented by selinux-policy

type=OBJ_PID msg=audit(12/19/2014 05:30:54.158:731) : opid=25110 oauid=unset ouid=root oses=-1 obj=system_u:system_r:unconfined_service_t:s0 ocomm=subscription-ma 
type=SYSCALL msg=audit(12/19/2014 05:30:54.158:731) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x6216 a1=SIG0 a2=0x62be a3=0x0 items=0 ppid=1 pid=25278 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmd exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=KILL 
type=AVC msg=audit(12/19/2014 05:30:54.158:731) : avc:  denied  { signull } for  pid=25278 comm=rhsmd scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process 

I think rhsmd should not send signull to subscription-manager-gui, as it will probably always be running under an unconfined context, and apparently it does not really need the information whether the gui is running or not, as it has always been blocked so it got no result.

Another solution would be to allow this operation or add it to the dontaudit rules, so I'm CC-ing selinux-devels. But IMHO, rhsmd simply should not check whether the gui is running or not (why should a daemon do that, anyhow?).

Version-Release number of selected component (if applicable):
subscription-manager-1.13.12-1.el7
selinux-policy-targeted-3.13.1-14.el7
selinux-policy-3.13.1-14.el7

How reproducible:
always

Steps to Reproduce:
Detailed reproducer will follow.

Comment 1 Rehana 2014-12-19 11:17:38 UTC
Steps to reproduce:

test machine background:
Physical machine
rhsm.conf file had the following values set
certCheckInterval = 2
autoAttachInterval = 3

Virt-who and docker installed and running

From host
Launch subscription-manager-gui from Applications --> System Tools --> Red Hat subscription Manager

AVC denial is observed after subscription-manager-gui launch

# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.9.26.6-1
subscription management rules: 5.12
subscription-manager: 1.13.12-1.el7
python-rhsm: 1.13.8-1.el7

Comment 2 Adrian Likins 2015-04-24 17:14:02 UTC
subman's lock.py seems to be the root of this. It tries to create a lock around /var/runs/rhsm/cert.pid, which rhsmcertd-worker or subscription-manager[-gui] can hold. If either can't acquire it, they try to os.kill(pid_holding_lock, 0). 

As far as I can tell, either should only hold the lock when running some action (updating certs or repos, etc).

rhsmcertd will start a rhsmcertd-worker.py process at certCheckInterval and autoAttachInterval, which eventually will grab the lock around /var/runs/rhsm/cert.pid, as will subscription-manager-gui if it updates certs.

rhsmcertd/rhsmcertd-worker could skip the os.kill(sub_man_gui.pid, 0), but it could be a bit stuck if the lock isn't cleaned up (though it seems to be pretty good about that).

Comment 3 Adrian Likins 2015-04-24 17:41:19 UTC
fwiw, the signull/locking is to prevent them from clobbering when writing out ent certs or redhat.repo. Both should have priv to do it. 

The gui should only hold that lock for a few seconds, and only when actively updating certs/repos. If that lock exists for longer than that, something else is also broken.
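
Comments 2 and 3 describe the pattern behind the denial: whoever is about to write entitlement certs or redhat.repo takes a pid-file lock, and a contender that finds the file probes the recorded pid with os.kill(pid, 0). The block below is an added illustration of that pattern written for this page; it is not subscription-manager's lock.py, and the class name, the demo() helper and the scratch path are made up. What it adds is the failure mode the audit records show: under SELinux the probe returns EACCES (exit=-13 above) even though the holder is alive, so a lock implementation must treat EPERM/EACCES as "holder present, do not steal", and only ESRCH as a stale lock it may remove.

```python
import errno
import os
import shutil
import tempfile


def probe_pid(pid):
    """Classify the process recorded in a lock file without delivering a signal.

    kill(pid, 0) runs the kernel's permission checks (DAC and, with SELinux,
    the 'signull' process permission) but sends nothing. Outcomes:
      alive   - the holder exists and we may signal it
      dead    - ESRCH: no such pid, the lock file is stale
      unknown - EPERM (DAC) or EACCES (SELinux denied signull): the pid exists
                but we cannot tell more. Treating this as 'dead' would let two
                writers clobber the same cert/repo files.
    """
    try:
        os.kill(pid, 0)
    except OSError as e:
        if e.errno == errno.ESRCH:
            return "dead"
        if e.errno in (errno.EPERM, errno.EACCES):
            return "unknown"
        raise
    return "alive"


class PidLock(object):
    """Exclusive lock backed by a pid file. The file is created with O_EXCL so
    two processes cannot both pass a check-then-create race."""

    def __init__(self, path):
        self.path = path
        self.held = False

    def _read_holder(self):
        try:
            with open(self.path) as f:
                return int(f.read().strip() or 0)
        except (IOError, OSError, ValueError):
            return 0

    def acquire(self):
        for _ in range(2):  # a second pass happens only after a stale file was removed
            try:
                fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
            except OSError as e:
                if e.errno != errno.EEXIST:
                    raise
                holder = self._read_holder()
                if holder and probe_pid(holder) == "dead":
                    try:
                        os.unlink(self.path)  # holder is gone: reclaim and retry
                    except OSError:
                        pass
                    continue
                return False  # alive or unknown: never steal the lock
            with os.fdopen(fd, "w") as f:
                f.write("%d\n" % os.getpid())
            self.held = True
            return True
        return False

    def release(self):
        if self.held and self._read_holder() == os.getpid():
            os.unlink(self.path)
        self.held = False


def demo():
    """Walk the lock through its states in a scratch directory and return what
    was observed. Paths and the stale pid are constructed for this demo."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "cert.pid")
    seen = {}
    try:
        first = PidLock(path)
        seen["first"] = first.acquire()              # fresh file: True
        seen["contended"] = PidLock(path).acquire()  # holder (us) is alive: False
        seen["self_probe"] = probe_pid(os.getpid())  # "alive"
        first.release()
        child = os.fork()
        if child == 0:
            os._exit(0)
        os.waitpid(child, 0)                         # reaped, so the pid is gone
        with open(path, "w") as f:
            f.write("%d\n" % child)                  # a stale lock left behind
        seen["stale_probe"] = probe_pid(child)       # "dead"
        seen["reclaimed"] = PidLock(path).acquire()  # stale file removed: True
    finally:
        shutil.rmtree(directory, ignore_errors=True)
    return seen
```

The "unknown" branch is the one that matters for this bug: with the policy of comment 4's era, a confined rhsmcertd_t probing an unconfined_service_t gui gets EACCES, which this code treats as "locked", so the worker backs off instead of either clobbering files or wrongly deleting the gui's lock.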

Comment 4 Miroslav Grepl 2015-04-27 09:03:51 UTC
unconfined_service_t is a domain type for a service running without confinement. 

Patrik,
what does

# ps -efZ |grep unconfined_service

show during the test?

Comment 6 Rehana 2015-04-27 11:30:48 UTC
Sure, Reproduced the denial 



# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(04/27/2015 07:18:00.241:195) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x4158 a1=SIG0 a2=0x4186 a3=0x0 items=0 ppid=16625 pid=16774 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(04/27/2015 07:18:00.241:195) : avc:  denied  { signull } for  pid=16774 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process 
----
type=SYSCALL msg=audit(04/27/2015 07:20:00.258:196) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x41b2 a1=SIG0 a2=0x41e5 a3=0x0 items=0 ppid=16625 pid=16869 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(04/27/2015 07:20:00.258:196) : avc:  denied  { signull } for  pid=16869 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process




[root@hp-xw8400-01 Desktop]# ps -efZ |grep unconfined_service
system_u:system_r:unconfined_service_t:s0 root 5046 1  0 06:24 ?       00:00:00 /usr/bin/python /usr/bin/beah-srv
system_u:system_r:unconfined_service_t:s0 root 5047 1  0 06:24 ?       00:00:00 /usr/bin/python /usr/bin/beah-beaker-backend
system_u:system_r:unconfined_service_t:s0 root 5048 1  0 06:24 ?       00:00:00 /usr/bin/python /usr/bin/beah-fwd-backend
system_u:system_r:unconfined_service_t:s0 root 9881 5046  0 06:25 ?    00:00:00 /usr/bin/python /usr/bin/beah-rhts-task
system_u:system_r:unconfined_service_t:s0 root 15920 1  0 06:59 ?      00:00:10 /usr/bin/Xvnc :2 -desktop hp-xw8400-01.rhts.eng.bos.redhat.com:2 (root) -auth /root/.Xauthority -geometry 1024x768 -rfbwait 30000 -rfbauth /root/.vnc/passwd -rfbport 5902 -fp catalogue:/etc/X11/fontpath.d -pn
system_u:system_r:unconfined_service_t:s0 root 15934 1  0 06:59 ?      00:00:00 /usr/bin/vncconfig -iconic
system_u:system_r:unconfined_service_t:s0 root 15936 1  0 06:59 ?      00:00:00 /bin/gnome-session --session=gnome-classic
system_u:system_r:unconfined_service_t:s0 root 15944 1  0 06:59 ?      00:00:00 dbus-launch --sh-syntax --exit-with-session
system_u:system_r:unconfined_service_t:s0 root 15946 1  0 06:59 ?      00:00:00 /bin/dbus-daemon --fork --print-pid 4 --print-address 6 --session
system_u:system_r:unconfined_service_t:s0 root 16015 1  0 06:59 ?      00:00:00 /usr/libexec/imsettings-daemon
system_u:system_r:unconfined_service_t:s0 root 16018 1  0 06:59 ?      00:00:00 /usr/libexec/gvfsd
system_u:system_r:unconfined_service_t:s0 root 16022 1  0 06:59 ?      00:00:00 /usr/libexec//gvfsd-fuse /run/user/0/gvfs -f -o big_writes
system_u:system_r:unconfined_service_t:s0 root 16064 15936  0 06:59 ?  00:00:00 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
system_u:system_r:unconfined_service_t:s0 root 16069 1  0 06:59 ?      00:00:00 /usr/libexec/at-spi-bus-launcher
system_u:system_r:unconfined_service_t:s0 root 16073 16069  0 06:59 ?  00:00:00 /bin/dbus-daemon --config-file=/etc/at-spi2/accessibility.conf --nofork --print-address 3
system_u:system_r:unconfined_service_t:s0 root 16077 1  0 06:59 ?      00:00:00 /usr/libexec/at-spi2-registryd --use-gnome-session
system_u:system_r:unconfined_service_t:s0 root 16099 15936  0 06:59 ?  00:00:00 /usr/libexec/gnome-settings-daemon
system_u:system_r:unconfined_service_t:s0 root 16107 1  0 06:59 ?      00:00:00 /usr/bin/pulseaudio --start
system_u:system_r:unconfined_service_t:s0 root 16110 1  0 06:59 ?      00:00:00 /usr/bin/gnome-keyring-daemon --start --components=gpg
system_u:system_r:unconfined_service_t:s0 root 16128 1  0 06:59 ?      00:00:00 /usr/libexec/dconf-service
system_u:system_r:unconfined_service_t:s0 root 16132 1  0 06:59 ?      00:00:00 /usr/libexec/gvfs-udisks2-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16137 1  0 06:59 ?      00:00:00 /usr/libexec/gvfs-afc-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16142 1  0 06:59 ?      00:00:00 /usr/libexec/gvfs-goa-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16145 1  0 06:59 ?      00:00:00 /usr/libexec/goa-daemon
system_u:system_r:unconfined_service_t:s0 root 16152 1  0 06:59 ?      00:00:00 /usr/libexec/goa-identity-service
system_u:system_r:unconfined_service_t:s0 root 16155 1  0 06:59 ?      00:00:00 /usr/libexec/gvfs-mtp-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16161 1  0 06:59 ?      00:00:00 /usr/libexec/gvfs-gphoto2-volume-monitor
system_u:system_r:unconfined_service_t:s0 root 16164 15936 12 06:59 ?  00:02:48 /usr/bin/gnome-shell
system_u:system_r:unconfined_service_t:s0 root 16167 1  0 06:59 ?      00:00:00 /usr/libexec/gsd-printer
system_u:system_r:unconfined_service_t:s0 root 16187 1  0 06:59 ?      00:00:00 /usr/bin/ibus-daemon --replace --xim --panel disable
system_u:system_r:unconfined_service_t:s0 root 16191 16187  0 06:59 ?  00:00:00 /usr/libexec/ibus-dconf
system_u:system_r:unconfined_service_t:s0 root 16193 1  0 06:59 ?      00:00:00 /usr/libexec/ibus-x11 --kill-daemon
system_u:system_r:unconfined_service_t:s0 root 16205 1  0 06:59 ?      00:00:00 /usr/libexec/gnome-shell-calendar-server
system_u:system_r:unconfined_service_t:s0 root 16211 1  0 06:59 ?      00:00:00 /usr/libexec/evolution-source-registry
system_u:system_r:unconfined_service_t:s0 root 16214 1  0 06:59 ?      00:00:00 /usr/libexec/mission-control-5
system_u:system_r:unconfined_service_t:s0 root 16223 1  0 06:59 ?      00:00:00 /usr/bin/nautilus --no-default-window
system_u:system_r:unconfined_service_t:s0 root 16246 1  0 06:59 ?      00:00:00 /usr/libexec/evolution-addressbook-factory
system_u:system_r:unconfined_service_t:s0 root 16253 1  0 06:59 ?      00:00:00 /usr/libexec/gconfd-2
system_u:system_r:unconfined_service_t:s0 root 16260 1  0 06:59 ?      00:00:00 /usr/libexec/evolution-calendar-factory
system_u:system_r:unconfined_service_t:s0 root 16266 1  0 06:59 ?      00:00:00 /usr/libexec/gvfsd-trash --spawner :1.4 /org/gtk/gvfs/exec_spaw/0
system_u:system_r:unconfined_service_t:s0 root 16267 15936  0 06:59 ?  00:00:00 abrt-applet
system_u:system_r:unconfined_service_t:s0 root 16271 15936  0 06:59 ?  00:00:00 rhsm-icon
system_u:system_r:unconfined_service_t:s0 root 16274 1  0 06:59 ?      00:00:01 /usr/libexec/tracker-store
system_u:system_r:unconfined_service_t:s0 root 16276 15936  0 06:59 ?  00:00:00 /usr/bin/seapplet
system_u:system_r:unconfined_service_t:s0 root 16283 16187  0 06:59 ?  00:00:00 /usr/libexec/ibus-engine-simple
system_u:system_r:unconfined_service_t:s0 root 16294 15936  0 06:59 ?  00:00:00 /usr/libexec/tracker-miner-fs
system_u:system_r:unconfined_service_t:s0 root 16495 1  0 07:07 ?      00:00:01 /usr/libexec/gnome-terminal-server
system_u:system_r:unconfined_service_t:s0 root 16498 16495  0 07:07 ?  00:00:00 gnome-pty-helper
system_u:system_r:unconfined_service_t:s0 root 16499 16495  0 07:07 pts/1 00:00:00 /bin/bash
system_u:system_r:unconfined_service_t:s0 root 16682 16499  0 07:15 pts/1 00:00:00 tail -f /var/log/rhsm/rhsmcertd.log
system_u:system_r:unconfined_service_t:s0 root 16688 16495  0 07:16 pts/2 00:00:00 bash
system_u:system_r:unconfined_service_t:s0 root 16818 16164  1 07:19 ?  00:00:01 /usr/bin/python /sbin/subscription-manager-gui
system_u:system_r:unconfined_service_t:s0 root 16902 16688  0 07:21 pts/2 00:00:00 ps -efZ
system_u:system_r:unconfined_service_t:s0 root 16903 16688  0 07:21 pts/2 00:00:00 grep --color=auto unconfined_service
[root@hp-xw8400-01 Desktop]#

Comment 7 Milos Malik 2015-04-27 12:33:46 UTC
Wow! So many processes running as unconfined_service_t.

Comment 8 Adrian Likins 2015-04-27 18:31:39 UTC
I think it should be okay for rhsmcertd to signull subscription-manager-gui (though I don't entirely understand the implications).

Is this something we can change in the policy specifically for rhsmcertd/subscription-manager-gui without changing unconfined_service_t?

The locking for rhsmcertd could be changed so it doesn't attempt to signull other pids, but that code has been relatively robust so far, so I'd prefer to not have to change it.

Bounding to policy to see if this is something we can special case subscription-manager-gui/rhsmcertd for.

[That said, if cli 'subscription-manager' is running, it likely also holds the lock and would show the same issue, just less likely to happen].

Comment 9 Miroslav Grepl 2015-04-27 18:43:58 UTC
(In reply to Rehana from comment #6)
> [quoted verbatim from comment #6: the ausearch output and the ps -efZ listing]

This is a problem with Xvnc.

Could you try to test it without Xvnc?

Comment 10 Rehana 2015-04-28 08:05:03 UTC
[root@dhcp71-18 Desktop]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(04/28/2015 03:10:20.329:6540) : arch=x86_64 syscall=kill success=no exit=-13(Permission denied) a0=0x39a a1=SIG0 a2=0x39b a3=0x0 items=0 ppid=396 pid=923 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) 
type=AVC msg=audit(04/28/2015 03:10:20.329:6540) : avc:  denied  { signull } for  pid=923 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=process 

[root@dhcp71-18 Desktop]# ps -efZ| grep unconfined_service
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2336 32743  0 03:42 pts/1 00:00:00 grep --color=auto unconfined_service

Reproduced the above failure on a guest machine (without using Xvnc). 

note: 
AVC denials are not always reproducible on the guest machine when compared with the physical machine. I'm not sure if that's related or not.

Comment 11 Lukas Vrabec 2015-08-04 13:07:46 UTC
Hi, 

So what is the solution? Allow it or dontaudit?

Comment 12 Patrik Kis 2015-08-04 15:55:54 UTC
(In reply to Lukas Vrabec from comment #11)
> Hi, 
> 
> So what is solution? Allow it or dontaudit?

I don't think I'm the right person who should decide this (I barely know anything about rhsmd and co.).

Adrian says they'd like to let their program send signull, and I think it's up to you selinux-policy developers to decide if this is a legitimate action or not. If yes, I believe you should allow it; if not, but it's a sort of "common practice" and does not violate any security issue, probably dontaudit.
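
The allow-or-dontaudit question in comments 11 and 12 is decided from the AVC records. The block below is an added example for this page, not part of the report or of selinux-policy: it parses the denial records quoted in the description, comment 6 and comment 10, groups them by (source type, target type, object class) and emits the policy statement for either answer, which is what audit2allow does for real. The record from comment 10 has a different target domain (system_cronjob_t), so grouping by target yields two rules rather than one. Function names are mine; the sample records are copied from this page.

```python
import re
from collections import OrderedDict

# Audit records as they appear on this page (description, comment 6, comment 10),
# plus one SYSCALL line to show that non-AVC records are skipped.
SAMPLE_RECORDS = [
    "type=SYSCALL msg=audit(12/19/2014 05:30:54.158:731) : arch=x86_64 syscall=kill "
    "success=no exit=-13(Permission denied) a0=0x6216 a1=SIG0 comm=rhsmd "
    "subj=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 key=KILL",
    "type=AVC msg=audit(12/19/2014 05:30:54.158:731) : avc:  denied  { signull } for  "
    "pid=25278 comm=rhsmd scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process",
    "type=AVC msg=audit(04/27/2015 07:18:00.241:195) : avc:  denied  { signull } for  "
    "pid=16774 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 "
    "tcontext=system_u:system_r:unconfined_service_t:s0 tclass=process",
    "type=AVC msg=audit(04/28/2015 03:10:20.329:6540) : avc:  denied  { signull } for  "
    "pid=923 comm=rhsmcertd-worke scontext=system_u:system_r:rhsmcertd_t:s0 "
    "tcontext=system_u:system_r:system_cronjob_t:s0-s0:c0.c1023 tclass=process",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the parts of one AVC denial that a policy rule needs, or None
    for any record that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # user:role:type[:range] -> the type is what policy rules are written against
    return {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
    }


def build_rules(lines, action="allow"):
    """Merge denials with the same (source, target, class) and render one
    'allow' or 'dontaudit' statement per group, in first-seen order."""
    if action not in ("allow", "dontaudit"):
        raise ValueError("action must be 'allow' or 'dontaudit'")
    merged = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in merged.items():
        rendered = " ".join(sorted(perms))
        if len(perms) > 1:
            rendered = "{ %s }" % rendered
        rules.append("%s %s %s:%s %s;" % (action, src, tgt, cls, rendered))
    return rules


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_RECORDS, "allow"):
        print(rule)
```

On a real box the equivalent is `ausearch -m AVC -ts recent | audit2allow -M local` followed by `semodule -i local.pp`; the script is only there to make the grouping visible. Choosing `dontaudit` instead of `allow` keeps the probe failing with EACCES and merely silences the record, which in the lock scheme of comments 2 and 3 means the worker still backs off.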

Comment 13 Miroslav Grepl 2015-08-05 07:36:16 UTC
We have more problems here. We have services running as unconfined_service_t. I don't see any security issue with signull for 

system_u:system_r:unconfined_service_t:s0 root 16818 16164  1 07:19 ?  00:00:01 /usr/bin/python /sbin/subscription-manager-gui

We are not going to confine it in 7.2. But we should open a new bug for 7.3 to play around with it.

So let's allow signull for now.

Comment 14 Lukas Vrabec 2015-08-05 12:29:11 UTC
commit 5cd81793cf5bab971eb68b3dff6236b4ecf83453
Author: Lukas Vrabec <lvrabec>
Date:   Wed Aug 5 13:18:22 2015 +0200

    Allow rhsmcertd to send signull to unconfined_service.

Comment 20 errata-xmlrpc 2015-11-19 10:24:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html

