Bug 1030560

Summary: rhsmcertd fails to update when rhsm.consumerCertDir configuration is changed
Product: Red Hat Enterprise Linux 7
Reporter: John Sefler <jsefler>
Component: subscription-manager
Assignee: candlepin-bugs
Status: CLOSED NOTABUG
QA Contact: John Sefler <jsefler>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: alikins, ckozak, jsefler, mgrepl
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-31 11:22:31 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 863175

Description John Sefler 2013-11-14 17:03:57 UTC
Description of problem:
rhsmcertd fails to update on its scheduled rhsmcertd.certCheckInterval when the rhsm.consumerCertDir configuration is changed.  I suspected an SELinux policy is blocking this, but I do not see any denials in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
[root@jsefler-7server ~]# rpm -q subscription-manager python-rhsm selinux-policy
subscription-manager-1.10.6-1.git.36.3351fd6.el7.x86_64
python-rhsm-1.10.6-1.git.3.49e9f2d.el7.x86_64
selinux-policy-3.12.1-99.el7.noarch


How reproducible:


Steps to Reproduce:
First, I'll demonstrate this working and then demonstrate the failure...

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/etc/pki/consumer --rhsmcertd.certcheckinterval=1 
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: eeb66b27-b810-4f3e-ac54-257df3377182 
[root@jsefler-7server ~]# systemctl restart  rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:50:06 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:50:06 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:50:06 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:51:07 2013 [INFO] (Cert Check) Certificates updated.
^C
[root@jsefler-7server ~]# 

NOTICE "(Cert Check) Certificates updated." INDICATING A SUCCESS.
Now let's test with a non-default consumerCertDir set to the /tmp directory

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/tmp/consumer --rhsmcertd.certcheckinterval=1
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: 0e4f7e08-2b1e-4fa2-a87a-7da5f83d5fb8 
[root@jsefler-7server ~]# systemctl restart  rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:55:19 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:55:19 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:55:19 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:56:19 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
^C
[root@jsefler-7server ~]# 

BANG! "(Cert Check) Update failed (255), retry will occur on next run."
I expected that to succeed with "(Cert Check) Certificates updated."

[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-14 11:56:19,685 [ERROR] rhsmcertd-worker @rhsmcertd-worker:43 - Either the consumer is not registered or the certificates are corrupted. Certificate update using daemon failed.
Additional info:
[root@jsefler-7server ~]# grep -i denied /var/log/audit/audit.log
[root@jsefler-7server ~]# 
I see no denials ^

Comment 2 Carter Kozak 2014-01-22 15:44:56 UTC
Could you retest with selinux disabled?

Comment 3 John Sefler 2014-01-29 20:29:27 UTC
Testing with...
[root@jsefler-7 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.10.11-1.el7.x86_64
selinux-policy-3.12.1-121.el7.noarch

[root@jsefler-7 ~]# setenforce 1
[root@jsefler-7 ~]# getenforce 
Enforcing

When enforcing SELinux, rhsmcertd fails as demonstrated in comment 0

[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1391027244.605:118819): avc:  denied  { open } for  pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
[root@jsefler-7 ~]# setenforce 0
[root@jsefler-7 ~]# getenforce 
Permissive

When turning off SELinux, rhsmcertd succeeds with a non-default rhsm.consumercertdir=/tmp/consumer

Comment 4 John Sefler 2014-01-29 20:36:28 UTC
I don't know enough about configuring an SELinux policy to allow subscription-manager's rhsm.conf to be configured with non-default values and still enforce SELinux.  This was not a problem on rhel5 and rhel6.

Maybe mgrepl has a suggestion on rhel7.

Or maybe this is exactly what we expect of selinux and rhel5 and rhel6 were too permissive.

NEEDINFO

Comment 5 Adrian Likins 2014-01-30 20:00:42 UTC
I'd lean towards this being "working as designed". 

The in-between step would be to point consumerCertDir to another directory with the same SELinux labeling and check whether that works. (Say, moving it from /etc/pki/consumer to /etc/pki/consumer2 should preserve the labels.)
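The following is an added helper script, not part of this bug or of subscription-manager, that serves comment 3 and comment 5 together: it parses an AVC denial of the form quoted in comment 3 into the denied domain, file path and file label, and checks whether a candidate consumerCertDir carries the same SELinux type as the default /etc/pki/consumer, which is the test comment 5 proposes. It assumes GNU stat with `%C` (SELinux context) and a labelled filesystem for the live check; the parsing functions run anywhere on the constructed sample.

```shell
#!/bin/sh
# Constructed sample, modelled on the denial quoted in comment 3 (not a live capture).
SAMPLE_AVC='type=AVC msg=audit(1391027244.605:118819): avc:  denied  { open } for  pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# avc_field LINE KEY: print KEY's value from an AVC record, with surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT: the type field (third component) of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# same_type CTX1 CTX2: succeed when both contexts carry the same SELinux type.
same_type() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# avc_explain LINE: one-line summary of a denial, e.g.
#   rhsmcertd_t denied on /tmp/consumer/key.pem labelled user_tmp_t
avc_explain() {
    printf '%s denied on %s labelled %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_field "$1" path)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# certdir_label_ok DIR: on an SELinux host, succeed only when DIR carries the same
# type as the default /etc/pki/consumer (the condition comment 5 suggests testing).
# Returns 2 when either context cannot be read (no SELinux labels, missing path).
certdir_label_ok() {
    default_ctx=$(stat -c %C /etc/pki/consumer 2>/dev/null) || return 2
    dir_ctx=$(stat -c %C "$1" 2>/dev/null) || return 2
    same_type "$default_ctx" "$dir_ctx"
}

avc_explain "$SAMPLE_AVC"
```

Run `certdir_label_ok /tmp/consumer` versus `certdir_label_ok /etc/pki/consumer2` on the host to see the difference comment 5 describes before editing rhsm.conf.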

Comment 6 John Sefler 2014-01-30 21:17:45 UTC
Configuring /etc/pki/consumer2 works fine; this is not blocked by SELinux on rhel70.

I'd also lean toward this being "working as designed".

Closing as NOTABUG is acceptable with me.

Comment 7 Miroslav Grepl 2014-01-31 11:22:31 UTC
Yes, it is OK that SELinux complains about that. We don't want to allow reading random user temp content.