| Summary: | rhsmcertd fails to update when rhsm.consumerCertDir configuration is changed | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
| Component: | subscription-manager | Assignee: | candlepin-bugs |
| Status: | CLOSED NOTABUG | QA Contact: | John Sefler <jsefler> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.0 | CC: | alikins, ckozak, jsefler, mgrepl |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-01-31 11:22:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 863175 | ||
Description
John Sefler
2013-11-14 17:03:57 UTC
Could you retest with selinux disabled?

Testing with...

```
[root@jsefler-7 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.10.11-1.el7.x86_64
selinux-policy-3.12.1-121.el7.noarch
[root@jsefler-7 ~]# setenforce 1
[root@jsefler-7 ~]# getenforce
Enforcing
```

When Enforcing selinux, rhsmcertd fails as demonstrated in comment 0

```
[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1391027244.605:118819): avc: denied { open } for pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
[root@jsefler-7 ~]# setenforce 0
[root@jsefler-7 ~]# getenforce
Permissive
```

When turning off selinux, rhsmcertd succeeds with a non-default rhsm.consumercertdir=/tmp/consumer

I don't know enough about configuring an selinux policy to allow subscription-manager's rhsm.conf to be configured with non-default values and still enforce selinux. This was not a problem on rhel5 and rhel6. Maybe mgrepl has a suggestion on rhel7. Or maybe this is exactly what we expect of selinux, and rhel5 and rhel6 were too permissive.

NEEDINFO

I'd lean towards this being "working as designed". The in-between step would be to point consumerCertDir to another directory with the same selinux labeling and check whether that works. (Say, moving it from /etc/pki/consumer to /etc/pki/consumer2 should preserve the labels.)

Configuring /etc/pki/consumer2 works fine; this is not blocked by selinux on rhel70. I'd also lean toward this being "working as designed". Closing as NOTABUG is acceptable with me.

Yes, this is OK that SELinux complains about that. We don't want to allow reading random user temp content.
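The denial above is the whole story of this report: rhsmcertd_t is refused `open` on a file that carries the user_tmp_t label because the cert directory was pointed under /tmp. As an added example (not code from the report or from subscription-manager), the shell functions below pull the fields out of such an AVC record and flag the tmp-label case, which is the check that tells an admin to relocate the directory, as the /etc/pki/consumer2 test in the thread did, rather than loosen policy. It assumes audit fields contain no embedded spaces, which holds for the quoted line.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the report.
AVC_SAMPLE='type=AVC msg=audit(1391027244.605:118819): avc: denied { open } for pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=... (quotes stripped), or nothing.
# Assumption: no audit field value contains a space, so awk's default split works.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm LINE: the permission(s) inside "denied { ... }", e.g. "open".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one readable line naming source domain, permission,
# object class, path and the target file's type label.
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s denied %s on %s %s (label %s)\n' \
        "$src" "$(avc_perm "$1")" "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" path)" "$tgt"
}

# avc_target_is_tmp LINE: succeed when the target carries a *tmp_t label.
# That is the situation in this report: files under /tmp do not carry the
# label the rhsmcertd policy expects, so the directory, not the policy, is
# what to change.
avc_target_is_tmp() {
    case $(ctx_type "$(avc_field "$1" tcontext)") in
        *tmp_t) return 0 ;;
        *) return 1 ;;
    esac
}

avc_summary "$AVC_SAMPLE"
```

Feed real records with something like `grep 'avc: *denied' /var/log/audit/audit.log | while read -r l; do avc_summary "$l"; done`.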