Bug 1584255 - rhnsd scheduled rhn_check doesn't work on a targeted/enforcing SELinux system
Summary: rhnsd scheduled rhn_check doesn't work on a targeted/enforcing SELinux system
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 2.8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Tomáš Kašpárek
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On: 1596509
Blocks:
Reported: 2018-05-30 14:53 UTC by Ilja Maslov
Modified: 2018-12-04 21:44 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-04 21:44:22 UTC
Embargoed:



Description Ilja Maslov 2018-05-30 14:53:02 UTC
Description of problem:

After upgrade of the client from 2.7 to 2.8 on CentOS 7.5 system, scheduled rhn_checks stopped working.

ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

----
type=PROCTITLE msg=audit(05/30/2018 12:27:16.310:313) : proctitle=/usr/bin/python /usr/sbin/rhn_check 
type=SYSCALL msg=audit(05/30/2018 12:27:16.310:313) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f2cdc950c5a a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=1136 pid=2275 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhn_check exe=/usr/bin/python2.7 subj=system_u:system_r:rhnsd_t:s0 key=(null) 
type=AVC msg=audit(05/30/2018 12:27:16.310:313) : avc:  denied  { read } for  pid=2275 comm=rhn_check name=meminfo dev="proc" ino=4026532028 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file 
----
type=PROCTITLE msg=audit(05/30/2018 12:27:16.315:314) : proctitle=/usr/bin/python /usr/sbin/rhn_check 
type=SYSCALL msg=audit(05/30/2018 12:27:16.315:314) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x7f2cdc5be572 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=0 ppid=1136 pid=2275 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhn_check exe=/usr/bin/python2.7 subj=system_u:system_r:rhnsd_t:s0 key=(null) 
type=AVC msg=audit(05/30/2018 12:27:16.315:314) : avc:  denied  { read } for  pid=2275 comm=rhn_check name=passwd dev="vda1" ino=12690 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file 

Version-Release number of selected component (if applicable):

rhnlib-2.8.10-1.el7.centos.noarch
rhnsd-5.0.37-1.el7.centos.x86_64
rhn-check-2.8.26-1.el7.centos.noarch
python2-rhn-client-tools-2.8.26-1.el7.centos.noarch
python2-rhn-setup-2.8.26-1.el7.centos.noarch
rhn-setup-2.8.26-1.el7.centos.noarch
python2-rhn-check-2.8.26-1.el7.centos.noarch
rhn-org-trusted-ssl-cert-1.0-2.noarch
rhn-client-tools-2.8.26-1.el7.centos.noarch
yum-rhn-plugin-2.8.9-1.el7.centos.noarch

How reproducible:

Every SELinux enabled system

Steps to Reproduce:
1. Update CentOS 7 with 'yum distro-sync'
2. Install latest Spacewalk 2.8 client
3. Register with the Spacewalk
4. Verify that you can run rhn_check directly
5. After a few hours, verify that the system hasn't checked in
6. Run ausearch to get denials about /proc/meminfo and /etc/passwd

Actual results:

Systems stop checking with Spacewalk

Expected results:

Systems continue checking with Spacewalk

Additional info:
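Added example (not from the report or from Spacewalk): a small parser that collapses AVC records like the two quoted above into audit2allow-style rules, and also flags what audit2allow will not tell you: that comm=rhn_check is running in rhnsd_t, the spawning daemon's own domain, so no domain transition took place. The sample records are copied from the denials above; the parent and child names passed to the check are assumptions.

```python
"""Summarise SELinux AVC denials audit2allow-style and flag a process that
stayed in its parent daemon's domain (the symptom in this bug)."""
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the bug description, unchanged.
SAMPLE_AUDIT = """\
type=AVC msg=audit(05/30/2018 12:27:16.310:313) : avc:  denied  { read } for  pid=2275 comm=rhn_check name=meminfo dev="proc" ino=4026532028 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file
type=AVC msg=audit(05/30/2018 12:27:16.315:314) : avc:  denied  { read } for  pid=2275 comm=rhn_check name=passwd dev="vda1" ino=12690 scontext=system_u:system_r:rhnsd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bcomm=(?P<comm>\S+)"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)")


def selinux_type(context):
    """user:role:type:level -> type (the third field)."""
    return context.split(":")[2]


def parse_avc(lines):
    """Yield one dict per denied AVC record; other lines are skipped."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        yield {
            "comm": m.group("comm"),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        }


def allow_rules(records):
    """Merge denials per (source, target, class) into sorted 'allow' lines,
    formatted the way audit2allow prints them."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return rules


def no_transition(records, parent_domain, children):
    """Return (comm, domain) pairs for child programs that were denied while
    still running in the parent's domain, i.e. the executable's label did not
    trigger a domain transition. Writing allow rules for these would widen the
    daemon's domain instead of fixing the label."""
    found = {(r["comm"], r["stype"]) for r in records
             if r["comm"] in children and r["stype"] == parent_domain}
    return sorted(found)


if __name__ == "__main__":
    recs = list(parse_avc(SAMPLE_AUDIT.splitlines()))
    print("\n".join(allow_rules(recs)))
    # Assumed names: rhnsd runs as rhnsd_t and spawns rhn_check.
    for comm, domain in no_transition(recs, "rhnsd_t", {"rhn_check"}):
        print(f"{comm} was denied while running as {domain}: check the executable label")
```

On the two records above it reproduces the two rules audit2allow printed in comment 2 and additionally reports rhn_check running as rhnsd_t.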

Comment 1 Ilja Maslov 2018-06-06 09:47:40 UTC
It seems to work in my setting with the following additional SELinux policy:

module rhnsd_local 1.0;

require {
        type net_conf_t;
        type tmp_t;
        type rpm_log_t;
        type cert_t;
        type passwd_file_t;
        type proc_t;
        type rhnsd_t;
        class dir { read search };
        class file { getattr open read };
        class udp_socket { connect create };
}

#============= rhnsd_t ==============
allow rhnsd_t cert_t:dir search;
allow rhnsd_t cert_t:file { getattr open read };
allow rhnsd_t proc_t:file { getattr open read };
allow rhnsd_t passwd_file_t:file { getattr open read };
allow rhnsd_t net_conf_t:file { getattr open read };
allow rhnsd_t rpm_log_t:file open;
allow rhnsd_t self:udp_socket { create connect };
allow rhnsd_t tmp_t:dir read;

Comment 2 Mario Mikocevic 2018-06-11 12:27:00 UTC
->
# grep rhnsd /var/log/audit/audit.log | audit2allow
#============= rhnsd_t ==============
allow rhnsd_t passwd_file_t:file read;
allow rhnsd_t proc_t:file read;

Comment 3 Ilja Maslov 2018-06-11 15:54:59 UTC
It is more involved.  I have set the policy to permissive and am getting this now:

# grep rhnsd /var/log/audit/audit.log | audit2allow 

#============= rhnsd_t ==============
allow rhnsd_t cert_t:dir getattr;
allow rhnsd_t cert_t:dir { search write };
allow rhnsd_t cert_t:file { getattr lock open read write };
allow rhnsd_t http_port_t:tcp_socket name_connect;
allow rhnsd_t net_conf_t:file { getattr open read };
allow rhnsd_t passwd_file_t:file { getattr open read };
allow rhnsd_t proc_t:file { getattr open read };
allow rhnsd_t rpm_log_t:file open;
allow rhnsd_t rpm_var_cache_t:dir write;
allow rhnsd_t rpm_var_cache_t:file { open setattr };
allow rhnsd_t rpm_var_lib_t:dir { add_name open read remove_name write };
allow rhnsd_t rpm_var_lib_t:file { create open rename setattr unlink };
allow rhnsd_t self:tcp_socket { connect create getattr getopt setopt };
allow rhnsd_t self:udp_socket getattr;
allow rhnsd_t self:udp_socket { connect create };
allow rhnsd_t tmp_t:dir { read write };
allow rhnsd_t var_lib_t:file getattr;

When I'm trying to create the corresponding policy, though, checkmodule complains (and I did add getattr to both dir and udp_socket):

# checkmodule -M -m -o rhnsd_local.mod rhnsd_local.te 

checkmodule:  loading policy configuration from rhnsd_local.te
rhnsd_local.te:22:ERROR 'permission getaddr is not defined for class dir' at token ';' on line 22:
allow rhnsd_t cert_t:dir { search getaddr write };
#============= rhnsd_t ==============
rhnsd_local.te:34:ERROR 'permission getattr is not defined for class udp_socket' at token ';' on line 34:
allow rhnsd_t self:udp_socket { create connect getattr };
allow rhnsd_t self:tcp_socket { create connect getattr getopt setopt };
checkmodule:  error(s) encountered while parsing configuration

Comment 4 Ilja Maslov 2018-06-12 15:11:23 UTC
With the module below in permissive mode, I'm not getting any new audit2allow lines, but switching to enforcing mode results in 'rpmdb open failed' for /var/lib/rpm/Providename in /var/log/up2date

rpm_var_lib_t:file in the policy below doesn't contain 'read' permission, but I have not seen SELinux complaining about it in the audit.log

Will keep digging today...

module rhnsd_local 1.0;

require {
	type net_conf_t;
	type cert_t;
	type rpm_var_lib_t;
	type var_lib_t;
	type tmp_t;
	type rpm_log_t;
	type passwd_file_t;
	type proc_t;
	type rpm_var_cache_t;
	type http_port_t;
	type rhnsd_t;
	class tcp_socket { connect create getattr getopt name_connect setopt };
	class dir { add_name getattr open read remove_name search write };
	class file { create getattr lock open read rename setattr unlink write };
	class udp_socket { connect create getattr };
}

#============= rhnsd_t ==============
allow rhnsd_t cert_t:dir { getattr search write };
allow rhnsd_t cert_t:file { getattr lock open read write };
allow rhnsd_t http_port_t:tcp_socket name_connect;
allow rhnsd_t net_conf_t:file { getattr open read };
allow rhnsd_t passwd_file_t:file { getattr open read };
allow rhnsd_t proc_t:file { getattr open read };
allow rhnsd_t rpm_log_t:file open;
allow rhnsd_t rpm_var_cache_t:dir write;
allow rhnsd_t rpm_var_cache_t:file { open setattr };
allow rhnsd_t rpm_var_lib_t:dir { add_name open read remove_name write };
allow rhnsd_t rpm_var_lib_t:file { create open rename setattr unlink };
allow rhnsd_t self:tcp_socket { connect create getattr getopt setopt };
allow rhnsd_t self:udp_socket { getattr connect create };
allow rhnsd_t self:udp_socket { connect create };
allow rhnsd_t tmp_t:dir { read write };
allow rhnsd_t var_lib_t:file getattr;

Comment 5 Ilja Maslov 2018-06-13 09:36:52 UTC
Well, missed search permission for rpm_var_lib_t:dir :)
Will update after the test run.

Comment 6 Matthew 2018-06-14 20:07:39 UTC
(In reply to Ilja Maslov from comment #5)
> Well, missed search permission for rpm_var_lib_t:dir :)
> Will update after the test run.

Ilja - was your comment (4) a custom SELinux module? Did that work to solve the problem until a bug fix patch comes out? 

We have hundreds of clients that are sporadically not checking in because of this, so I'm looking for a decent work around.

Comment 7 Mario Mikocevic 2018-06-15 12:26:55 UTC
This works for me ->

# getenforce
Enforcing

# cat rhn_check.te

module rhn_check 1.0;

require {
        type net_conf_t;
        type tmp_t;
        type cert_t;
        type lvm_exec_t;
        type var_run_t;
        type proc_t;
        type http_port_t;
        type rpm_log_t;
        type rpm_var_cache_t;
        type rpm_var_lib_t;
        type rpm_var_run_t;
        type passwd_file_t;
        type rhnsd_t;
        class dir { getattr read search write };
        class file { getattr lock open read write };
        class udp_socket { connect create };
        class tcp_socket { connect create read write name_connect };
}

#============= rhnsd_t ==============
allow rhnsd_t cert_t:dir search;
allow rhnsd_t cert_t:file { getattr open read };
allow rhnsd_t lvm_exec_t:file getattr;
allow rhnsd_t net_conf_t:file { getattr open read };
allow rhnsd_t passwd_file_t:file { getattr open read };
allow rhnsd_t proc_t:file { getattr open read };
allow rhnsd_t self:udp_socket { connect create };
allow rhnsd_t tmp_t:dir read;
allow rhnsd_t var_run_t:file { read write };
allow rhnsd_t rpm_log_t:file open;
allow rhnsd_t rpm_var_cache_t:dir { getattr search write };
allow rhnsd_t rpm_var_cache_t:file { open read write };
allow rhnsd_t rpm_var_lib_t:dir { getattr search };
allow rhnsd_t rpm_var_lib_t:file { getattr lock open read write };
allow rhnsd_t rpm_var_run_t:file { lock open read write };
allow rhnsd_t self:udp_socket create;
allow rhnsd_t self:tcp_socket { connect create read write };
allow rhnsd_t http_port_t:tcp_socket name_connect;

# checkmodule -M -m -o rhn_check.mod rhn_check.te
# semodule_package --module rhn_check.mod --outfile rhn_check.pp
# semodule --verbose --install=rhn_check.pp


some 'denied' still present (working on it), but at least the GUI says 'Server Status: System Checked In ..$RECENTDATE'

Comment 8 Matthew 2018-06-20 16:03:09 UTC
(In reply to Mario Mikocevic from comment #7)
> This works for me ->
> 
> # getenforce
> Enforcing
> 
> # cat rhn_check.te
> 
> module rhn_check 1.0;
> 
> require {
>         type net_conf_t;
>         type tmp_t;
>         type cert_t;
>         type lvm_exec_t;
>         type var_run_t;
>         type proc_t;
>         type http_port_t;
>         type rpm_log_t;
>         type rpm_var_cache_t;
>         type rpm_var_lib_t;
>         type rpm_var_run_t;
>         type passwd_file_t;
>         type rhnsd_t;
>         class dir { getattr read search write };
>         class file { getattr lock open read write };
>         class udp_socket { connect create };
>         class tcp_socket { connect create read write name_connect };
> }
> 
> #============= rhnsd_t ==============
> allow rhnsd_t cert_t:dir search;
> allow rhnsd_t cert_t:file { getattr open read };
> allow rhnsd_t lvm_exec_t:file getattr;
> allow rhnsd_t net_conf_t:file { getattr open read };
> allow rhnsd_t passwd_file_t:file { getattr open read };
> allow rhnsd_t proc_t:file { getattr open read };
> allow rhnsd_t self:udp_socket { connect create };
> allow rhnsd_t tmp_t:dir read;
> allow rhnsd_t var_run_t:file { read write };
> allow rhnsd_t rpm_log_t:file open;
> allow rhnsd_t rpm_var_cache_t:dir { getattr search write };
> allow rhnsd_t rpm_var_cache_t:file { open read write };
> allow rhnsd_t rpm_var_lib_t:dir { getattr search };
> allow rhnsd_t rpm_var_lib_t:file { getattr lock open read write };
> allow rhnsd_t rpm_var_run_t:file { lock open read write };
> allow rhnsd_t self:udp_socket create;
> allow rhnsd_t self:tcp_socket { connect create read write };
> allow rhnsd_t http_port_t:tcp_socket name_connect;
> 
> # checkmodule -M -m -o rhn_check.mod rhn_check.te
> # semodule_package --module rhn_check.mod --outfile rhn_check.pp
> # semodule --verbose --install=rhn_check.pp
> 
> 
> some 'denied' still present (working on it) but at least GUI says that
> 'Server Status: System Checked In ..$RECENTDATE'

thank you this seems to work for me as well!

Comment 9 Matthew 2018-06-20 16:03:47 UTC
Any update on if this is going to get some code/package fixes?

Comment 10 Matthew 2018-06-22 18:06:00 UTC
(In reply to Matthew from comment #8)
> (In reply to Mario Mikocevic from comment #7)
> > This works for me ->
> > 
> > # getenforce
> > Enforcing
> > 
> > # cat rhn_check.te
> > 
> > module rhn_check 1.0;
> > 
> > require {
> >         type net_conf_t;
> >         type tmp_t;
> >         type cert_t;
> >         type lvm_exec_t;
> >         type var_run_t;
> >         type proc_t;
> >         type http_port_t;
> >         type rpm_log_t;
> >         type rpm_var_cache_t;
> >         type rpm_var_lib_t;
> >         type rpm_var_run_t;
> >         type passwd_file_t;
> >         type rhnsd_t;
> >         class dir { getattr read search write };
> >         class file { getattr lock open read write };
> >         class udp_socket { connect create };
> >         class tcp_socket { connect create read write name_connect };
> > }
> > 
> > #============= rhnsd_t ==============
> > allow rhnsd_t cert_t:dir search;
> > allow rhnsd_t cert_t:file { getattr open read };
> > allow rhnsd_t lvm_exec_t:file getattr;
> > allow rhnsd_t net_conf_t:file { getattr open read };
> > allow rhnsd_t passwd_file_t:file { getattr open read };
> > allow rhnsd_t proc_t:file { getattr open read };
> > allow rhnsd_t self:udp_socket { connect create };
> > allow rhnsd_t tmp_t:dir read;
> > allow rhnsd_t var_run_t:file { read write };
> > allow rhnsd_t rpm_log_t:file open;
> > allow rhnsd_t rpm_var_cache_t:dir { getattr search write };
> > allow rhnsd_t rpm_var_cache_t:file { open read write };
> > allow rhnsd_t rpm_var_lib_t:dir { getattr search };
> > allow rhnsd_t rpm_var_lib_t:file { getattr lock open read write };
> > allow rhnsd_t rpm_var_run_t:file { lock open read write };
> > allow rhnsd_t self:udp_socket create;
> > allow rhnsd_t self:tcp_socket { connect create read write };
> > allow rhnsd_t http_port_t:tcp_socket name_connect;
> > 
> > # checkmodule -M -m -o rhn_check.mod rhn_check.te
> > # semodule_package --module rhn_check.mod --outfile rhn_check.pp
> > # semodule --verbose --install=rhn_check.pp
> > 
> > 
> > some 'denied' still present (working on it) but at least GUI says that
> > 'Server Status: System Checked In ..$RECENTDATE'
> 
> thank you this seems to work for me as well!

Actually, today all of our clients are back in the 'inactive' list... :(

Comment 11 vinzenz.meier 2018-06-26 13:55:06 UTC
I am no expert in SELinux, but:
when rhn_check is spawned from rhnsd, should it be run in the rhnsd_t context?

To access all the config files (with any possible context) for rhncfg, and to execute remote scripts, rhn_check needs to have full permissions.

I suspect that there was a change in how rhnsd is run, rather than a required policy change.

Comment 12 vinzenz.meier 2018-06-26 14:28:10 UTC
This fixed the issue for me (note: not reboot persistent!):

# chcon system_u:object_r:rpm_exec_t:s0 /sbin/rhn_check-2.7



The root cause seems to be there is no context for the "-2.7" binary:
# rpm -qf /sbin/rhn_check-2.7
python2-rhn-check-2.8.26-1.el7.centos.noarch


# semanage fcontext -l|grep /sbin/rhn_check
/usr/sbin/rhn_check                                regular file       system_u:object_r:rpm_exec_t:s0

Comment 13 Matthew 2018-06-26 14:34:34 UTC
(In reply to vinzenz.meier from comment #12)
> this fixed the issue for me (note: not reboot persistent!):
> 
> # chcon system_u:object_r:rpm_exec_t:s0 /sbin/rhn_check-2.7
> 
> 
> 
> The root cause seems to be there is no context for the "-2.7" binary:
> # rpm -qf /sbin/rhn_check-2.7
> python2-rhn-check-2.8.26-1.el7.centos.noarch
> 
> 
> # semanage fcontext -l|grep /sbin/rhn_check
> /usr/sbin/rhn_check                                regular file      
> system_u:object_r:rpm_exec_t:s0

That is strange. Why are there even rhn*2.7 commands? Is rhn_check using /sbin/rhn_check-2.7 instead of /sbin/rhn_check??

Comment 14 vinzenz.meier 2018-06-26 14:47:30 UTC
rhn_check is still the one spawned by rhnsd, but it is just a symlink now:
# ls -l /sbin/rhn_check
lrwxrwxrwx. 1 root root 13 Jun 26 14:46 /sbin/rhn_check -> rhn_check-2.7



# ls -l /{,s}bin/*-2.7
lrwxrwxrwx. 1 root root    72 Jun 22 14:25 /bin/rhn-actions-control-2.7 -> ../../usr/lib/python2.7/site-packages/rhn/actions/rhn-actions-control.py
lrwxrwxrwx. 1 root root    68 Jun 22 14:25 /bin/rhncfg-client-2.7 -> ../../usr/lib/python2.7/site-packages/config_client/rhncfg-client.py
lrwxrwxrwx. 1 root root    73 Jun 22 14:25 /bin/rhncfg-manager-2.7 -> ../../usr/lib/python2.7/site-packages/config_management/rhncfg-manager.py
-rwxr-xr-x. 1 root root 15754 May  4 09:49 /sbin/rhn_check-2.7
-rwxr-xr-x. 1 root root  1482 May  4 09:49 /sbin/rhn-profile-sync-2.7
-rwxr-xr-x. 1 root root  2173 May  4 09:49 /sbin/rhn_register-2.7
-rwxr-xr-x. 1 root root  8442 May  4 09:49 /sbin/rhnreg_ks-2.7
-rwxr-xr-x. 1 root root  8427 May  4 09:49 /sbin/spacewalk-channel-2.7


# rpm -qf /{,s}bin/*-2.7
python2-rhncfg-actions-5.10.122-1.el7.centos.noarch
python2-rhncfg-client-5.10.122-1.el7.centos.noarch
python2-rhncfg-management-5.10.122-1.el7.centos.noarch
python2-rhn-check-2.8.26-1.el7.centos.noarch
python2-rhn-client-tools-2.8.26-1.el7.centos.noarch
python2-rhn-setup-2.8.26-1.el7.centos.noarch
python2-rhn-setup-2.8.26-1.el7.centos.noarch
python2-rhn-setup-2.8.26-1.el7.centos.noarch

Comment 15 vinzenz.meier 2018-06-26 14:56:38 UTC
I guess that is because the legacy packages are now called 'python2-',
and the context is set by the base OS:
# grep -r bin/rhn_check /etc/selinux/
/etc/selinux/targeted/contexts/files/file_contexts:/usr/sbin/rhn_check  --      system_u:object_r:rpm_exec_t:s0

# rpm -qf /etc/selinux/targeted/contexts/files/file_contexts
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch


So I don't expect a fast "packaged" solution for this :/

Comment 16 Matthew 2018-06-26 15:03:18 UTC
Well, regardless they should still push some fixes for this somehow b/c it's causing major disruption in SW clients.

Comment 17 vinzenz.meier 2018-06-27 11:46:00 UTC
To generate an RPM for the context, as a workaround for the time being, which should be fully revertible:

# yum -y install selinux-policy-devel rpm-build
# mkdir /dev/shm/spacewalk_python27_hotfix/
# cd /dev/shm/spacewalk_python27_hotfix/
# sepolicy generate -d rhnsd_t --customize -n spacewalk_python27_hotfix

# cat > spacewalk_python27_hotfix.fc <<_EOF_
/usr/sbin/rhn_check     -l gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check-2.7 -- gen_context(system_u:object_r:rpm_exec_t,s0)
_EOF_

# sed -i 's|semodule -n -i.*|semodule -X 400 -i %{_datadir}/selinux/packages/spacewalk_python27_hotfix.pp|' spacewalk_python27_hotfix_selinux.spec
# sed -i '/load_policy/irestorecon -Rv /usr/sbin/rhn_check*' ./spacewalk_python27_hotfix_selinux.spec 


# ./spacewalk_python27_hotfix.sh

# ls -l noarch/spacewalk_python27_hotfix_selinux-1.0-1.el7.noarch.rpm 
-rw-r--r--. 1 root root 11548 Jun 27 11:21 noarch/spacewalk_python27_hotfix_selinux-1.0-1.el7.noarch.rpm


# ls -lZ /usr/sbin/rhn_check*
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /usr/sbin/rhn_check -> rhn_check-2.7
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/rhn_check-2.7


# yum -y install noarch/spacewalk_python27_hotfix_selinux-1.0-1.el7.noarch.rpm 

# ls -lZ /usr/sbin/rhn_check*
lrwxrwxrwx. root root system_u:object_r:rpm_exec_t:s0  /usr/sbin/rhn_check -> rhn_check-2.7
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0  /usr/sbin/rhn_check-2.7
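Added example (not from the report, Spacewalk or libselinux): a small model of file_contexts matching, run over the two objects from the ls -lZ output above, showing why the symlink and the -2.7 binary fall back to bin_t under the stock policy and get rpm_exec_t once the .fc entries from this comment are added. The base entries are a constructed cut-down of selinux-policy-targeted (the rhn_check line is the one quoted in comment 15; the /usr/sbin fallback is a simplified stand-in), and the matching order is an approximation of libselinux's: whole-path match, file-type flag must match, most specific entry wins.

```python
"""Model of file_contexts matching for the rhn_check paths in this bug."""
import re

# Constructed: stock policy (comment 15) plus a simplified /usr/sbin fallback.
BASE_FILE_CONTEXTS = """\
/usr/sbin(/.*)?          system_u:object_r:bin_t:s0
/usr/sbin/rhn_check  --  system_u:object_r:rpm_exec_t:s0
"""
# Constructed from the .fc in comment 17, with gen_context() expanded.
HOTFIX_FILE_CONTEXTS = """\
/usr/sbin/rhn_check      -l  system_u:object_r:rpm_exec_t:s0
/usr/sbin/rhn_check-2.7  --  system_u:object_r:rpm_exec_t:s0
"""

# file_contexts type flags: -- regular file, -l symlink, -d directory, ...
TYPE_FLAGS = {"--": "file", "-l": "symlink", "-d": "dir", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "pipe"}


def parse_file_contexts(text):
    """Return [(regex, object_type_or_None, context)] in file order."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, flag, ctx = parts
            entries.append((regex, TYPE_FLAGS[flag], ctx))
        else:
            regex, ctx = parts
            entries.append((regex, None, ctx))
    return entries


def stem(regex):
    """Literal prefix before the first regex metacharacter (libselinux's 'stem')."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", regex)
    return regex[:m.start()] if m else regex


def match_context(entries, path, obj_type):
    """Context for `path` of object type `obj_type` ('file', 'symlink', ...).
    An entry applies only if its regex matches the whole path and its type
    flag (if any) matches the object. Among applicable entries the longest
    stem wins, then the longest regex, then the later entry."""
    best = None
    for idx, (regex, obj, ctx) in enumerate(entries):
        if obj is not None and obj != obj_type:
            continue
        if not re.fullmatch(regex, path):
            continue
        key = (len(stem(regex)), len(regex), idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    return best[1] if best else None


def label_report(entries, objects):
    """{path: object_type} -> {path: SELinux type of the chosen context}."""
    return {path: (lambda c: c.split(":")[2] if c else None)(match_context(entries, path, obj))
            for path, obj in objects.items()}


# The two objects from 'ls -lZ /usr/sbin/rhn_check*' above.
RHN_OBJECTS = {"/usr/sbin/rhn_check": "symlink", "/usr/sbin/rhn_check-2.7": "file"}

if __name__ == "__main__":
    base = parse_file_contexts(BASE_FILE_CONTEXTS)
    print("stock policy:", label_report(base, RHN_OBJECTS))
    fixed = base + parse_file_contexts(HOTFIX_FILE_CONTEXTS)
    print("with hotfix: ", label_report(fixed, RHN_OBJECTS))
```

The stock entry is limited to regular files (--) and matches the exact path only, so neither the symlink nor rhn_check-2.7 gets rpm_exec_t until the two hotfix entries exist.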

Comment 18 vinzenz.meier 2018-06-27 13:17:30 UTC
P.S.
same goes for rhel/centos-6

/usr/sbin/rhn_check-2.6 -- gen_context(system_u:object_r:rpm_exec_t,s0)

Comment 19 Ilja Maslov 2018-06-28 19:15:26 UTC
(In reply to vinzenz.meier from comment #12)
> this fixed the issue for me (note: not reboot persistent!):
> 
> # chcon system_u:object_r:rpm_exec_t:s0 /sbin/rhn_check-2.7
> 

This persisted for me upon reboot!  Until the next relabeling event, I guess :)
Ilja

Comment 20 vinzenz.meier 2018-06-29 07:11:57 UTC
(In reply to Ilja Maslov from comment #19)
> (In reply to vinzenz.meier from comment #12)
> > this fixed the issue for me (note: not reboot persistent!):
> > 
> > # chcon system_u:object_r:rpm_exec_t:s0 /sbin/rhn_check-2.7
> > 
> 
> This persisted for me upon reboot!  Until the next relabling event, I guess
> :)
> Ilja

yes, that is what I meant ;-)

Comment 21 Tomáš Kašpárek 2018-06-29 07:17:17 UTC
Hello,

the selinux policy for /usr/sbin/rhn_check is not owned by Spacewalk team, so I've created multiple bugs for selinux-policy-targeted to reflect these changes, see e.g. BZ#1596499

Tomas

Comment 22 Matthew 2018-06-29 14:01:04 UTC
Gah. Ok thanks Tomas. So the patch will come in the form of an updated selinux-policy-targeted package from RHEL.

Comment 23 Ilja Maslov 2018-07-09 18:25:37 UTC
Shouldn't the context be specified in the RPM for /sbin/rhn_check-2.7?

Currently: python2-rhn-check-2.8.26-1.el7.centos.noarch

Comment 24 Tomáš Kašpárek 2018-07-10 05:53:54 UTC
(In reply to Ilja Maslov from comment #23)
> Shouldn't the context be specified in the RPM for /sbin/rhn_check-2.7?
> 
> Currently: python2-rhn-check-2.8.26-1.el7.centos.noarch

rhn-check RPM and all python-{2,3}-rhn-check RPMs do not ship their own SELinux policy and rely on default system policy provided by selinux-policy-targeted package.

Comment 25 Matthew 2018-09-13 13:23:14 UTC
So this bug got kicked over to https://bugzilla.redhat.com/show_bug.cgi?id=1596499 but they closed that and it looks like it was only fixed for Fedora 29...

Will there be a fix for RHEL?

Comment 26 Tomáš Kašpárek 2018-09-13 13:32:32 UTC
(In reply to Matthew from comment #25)
> So this bug got kicked over to
> https://bugzilla.redhat.com/show_bug.cgi?id=1596499 but they closed that and
> it looks like it was only fixed for Fedora 29...
> 
> Will there be a fix for RHEL?

For RHEL 7 the fix will be available in RHEL 7.6, for RHEL 6 the request has been declined as it's in EOL phase 1.

Comment 27 Matthew 2018-09-13 13:35:44 UTC
(In reply to Tomáš Kašpárek from comment #26)
> (In reply to Matthew from comment #25)
> > So this bug got kicked over to
> > https://bugzilla.redhat.com/show_bug.cgi?id=1596499 but they closed that and
> > it looks like it was only fixed for Fedora 29...
> > 
> > Will there be a fix for RHEL?
> 
> For RHEL 7 the fix will be available in RHEL 7.6, for RHEL 6 the request has
> been declined as it's in EOL phase 1.

Thanks very much for the info. I'll look forward to RHEL 7.6 then for the fix.

Comment 28 BugMasta 2018-11-22 23:39:46 UTC
Incredible.

Comment 29 BugMasta 2018-11-22 23:46:07 UTC
RHEL 7.6 is out.

Where is the fix for this?

Comment 30 Ilja Maslov 2018-12-04 21:44:22 UTC
Fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1596509
which is included with RHEL 7.6

Listed in https://access.redhat.com/errata/RHBA-2018:3111

