Bug 1026435

Summary: rhsmcertd-worker @rhsmcertd-worker:90 - [Errno 13] Permission denied
Product: Red Hat Enterprise Linux 7
Reporter: John Sefler <jsefler>
Component: subscription-manager
Assignee: candlepin-bugs
Status: CLOSED DUPLICATE
QA Contact: John Sefler <jsefler>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: bkearney, mgrepl, mmalik
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Linux
See Also: https://bugzilla.redhat.com/show_bug.cgi?id=822402
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-05 15:44:29 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:
Bug Blocks: 863175

Description John Sefler 2013-11-04 11:06:42 EST
Description of problem:
When a consumer has been deleted at the server, the next run of the rhsmcertd should create a backup of the consumer cert in directory /etc/pki/consumer.old but this appears to be blocked by [Errno 13] Permission denied on rhel7.



Version-Release number of selected component (if applicable):
[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.8.31-1
subscription-manager: 1.10.5-1.git.14.2e4687f.el7
python-rhsm: 1.10.5-1.git.2.16e72c2.el7
[root@jsefler-7 ~]# rpm -qa | grep selinux
libselinux-python-2.1.13-21.el7.x86_64
libselinux-utils-2.1.13-21.el7.x86_64
libselinux-2.1.13-21.el7.x86_64
selinux-policy-3.12.1-95.el7.noarch
selinux-policy-targeted-3.12.1-95.el7.noarch


How reproducible:


Steps to Reproduce:
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password: 
Organization: admin
The system has been registered with ID: d615d82b-fed4-4764-8369-64c6a7bee2cd 

[root@jsefler-7 ~]# curl --stderr /dev/null -k -u testuser1:password --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/d615d82b-fed4-4764-8369-64c6a7bee2cd

[root@jsefler-7 ~]# subscription-manager identity
Unit d615d82b-fed4-4764-8369-64c6a7bee2cd has been deleted


NOW restart rhsmcertd and tail /var/log/rhsm/rhsmcertd.log /var/log/audit/audit.log /var/log/rhsm/rhsm.log as shown below in Additional info.

[root@jsefler-7 ~]# systemctl restart rhsmcertd.service
[root@jsefler-7 ~]# 


[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1306 Nov  4 10:51 cert.pem
-rw-r-----. 1 root root 1679 Nov  4 10:51 key.pem
[root@jsefler-7 ~]# ls -l /etc/pki/consumer.old
ls: cannot access /etc/pki/consumer.old: No such file or directory
[root@jsefler-7 ~]# 


Actual results:
above

Expected results:
The /etc/pki/consumer directory should have been backed up to /etc/pki/consumer.old



Additional info:

[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsmcertd.log
Mon Nov  4 10:57:26 2013 [INFO] rhsmcertd is shutting down...
Mon Nov  4 10:57:26 2013 [INFO] Starting rhsmcertd...
Mon Nov  4 10:57:26 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Mon Nov  4 10:57:26 2013 [INFO] Cert check interval: 240.0 minute(s) [14400 second(s)]
Mon Nov  4 10:57:26 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Mon Nov  4 10:59:27 2013 [WARN] (Auto-attach) Update failed (255), retry will occur on next run.
Mon Nov  4 10:59:28 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.



[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1383580767.463:37844): avc:  denied  { write } for  pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1383580768.184:37845): avc:  denied  { write } for  pid=14741 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir



[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-04 10:59:28,183 [CRITICAL] rhsmcertd-worker @rhsmcertd-worker:61 - This consumer's profile has been deleted from the server. Its local certificates will now be archived
2013-11-04 10:59:28,187 [ERROR] rhsmcertd-worker @rhsmcertd-worker:88 - Error while updating certificates using daemon
2013-11-04 10:59:28,188 [ERROR] rhsmcertd-worker @rhsmcertd-worker:90 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/libexec/rhsmcertd-worker", line 79, in <module>
    main(options, log)
  File "/usr/libexec/rhsmcertd-worker", line 62, in main
    managerlib.clean_all_data()
  File "/usr/share/rhsm/subscription_manager/managerlib.py", line 862, in clean_all_data
    os.rename(consumer_dir, consumer_dir_backup)
OSError: [Errno 13] Permission denied
Comment 1 John Sefler 2013-11-04 11:12:29 EST
[root@jsefler-7 ~]# ausearch -m avc -c rhsmcertd-worke


time->Mon Nov  4 10:59:27 2013
type=SYSCALL msg=audit(1383580767.463:37844): arch=c000003e syscall=82 success=no exit=-13 a0=1b4e830 a1=1b4f2b0 a2=32a31bbf88 a3=0 items=0 ppid=14711 pid=14738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1383580767.463:37844): avc:  denied  { write } for  pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Mon Nov  4 10:59:28 2013
type=SYSCALL msg=audit(1383580768.184:37845): arch=c000003e syscall=82 success=no exit=-13 a0=27588b0 a1=2759330 a2=32a31bbf88 a3=0 items=0 ppid=14711 pid=14741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1383580768.184:37845): avc:  denied  { write } for  pid=14741 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
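The ausearch output above pairs each AVC record with the SYSCALL record that triggered it (same audit serial). The following is an added example, not code from subscription-manager or from this bug, that parses such pairs into a triage summary: which SELinux domain was refused which permission on which object type, through which syscall, and with what errno. It assumes the x86_64 syscall table (arch=c000003e, where 82 is rename(2)) and uses the first SYSCALL/AVC pair from this bug as constructed sample input.

```python
import errno
import re

# Constructed sample: the SYSCALL and AVC records audit(2) logged for the
# denial discussed on this page; both records share the serial 37844.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1383580767.463:37844): arch=c000003e syscall=82 success=no exit=-13 a0=1b4e830 a1=1b4f2b0 a2=32a31bbf88 a3=0 items=0 ppid=14711 pid=14738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1383580767.463:37844): avc:  denied  { write } for  pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_NAMES = {82: "rename"}  # x86_64 (arch=c000003e) numbers used here (assumption)

def parse_fields(body):
    """Turn 'k=v k="v"' into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def parse_audit(text):
    """Group SYSCALL and AVC records by audit serial; keep only denied AVCs."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        ev = events.setdefault(serial, {})
        if rtype == "SYSCALL":
            ev["syscall"] = parse_fields(body)
        elif rtype == "AVC":
            d = AVC_DENIED.search(body)  # None for granted/non-denial records
            ev["avc"] = d and dict(parse_fields(d.group(2)), perms=d.group(1).split())
    return events

def triage(events):
    """One summary per denial: which domain was refused what on which type."""
    out = []
    for serial, ev in sorted(events.items()):
        if not ev.get("avc"):
            continue
        avc, sc = ev["avc"], ev.get("syscall", {})
        num, rc = int(sc.get("syscall", -1)), -int(sc.get("exit", 0))
        out.append({"serial": serial, "tclass": avc["tclass"], "perms": avc["perms"],
                    "name": avc.get("name"), "comm": avc.get("comm"),
                    "source_type": avc["scontext"].split(":")[2],  # rhsmcertd_t
                    "target_type": avc["tcontext"].split(":")[2],  # cert_t
                    "syscall": SYSCALL_NAMES.get(num, str(num)),   # 82 -> rename
                    "errno": errno.errorcode.get(rc, str(rc))})    # -13 -> EACCES
    return out
```

For the sample above, triage(parse_audit(SAMPLE_AUDIT)) reports rhsmcertd_t denied write on dir "pki" (cert_t) via rename, EACCES, which is exactly the os.rename failure in the traceback.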
Comment 4 Miroslav Grepl 2013-11-05 15:44:29 EST

*** This bug has been marked as a duplicate of bug 822402 ***