Bug 1337319

Summary: rhsmcertd problem connecting to port 9090 due to selinux
Product: Red Hat Enterprise Linux 7
Reporter: Johan Bergström <johan.bergstrom>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Priority: medium
Version: 7.2
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: beta
Target Release: 7.3
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.13.1-81.el7
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2016-11-04 02:29:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Johan Bergström 2016-05-18 19:46:40 UTC
Description of problem:
missing rhsmcertd_t attribute (from subscription-manager)

Noticed this while running satellite 6.1.9 server, freshly installed.

From /var/log/messages:

May 18 21:55:07 hostname setroubleshoot: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 9090. For complete SELinux messages. run sealert -l c1238a23-821d-43d7-94fe-e4838529ee3d
May 18 21:55:07 hostname python: SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket port 9090.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed name_connect access on the port 9090 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep rhsmcertd-worke /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012

Checking and creating module:

# grep rhsmcertd-worke /var/log/audit/audit.log | audit2allow
#============= rhsmcertd_t ==============
allow rhsmcertd_t websm_port_t:tcp_socket name_connect;

Inserting the module gives:

# semodule -i rhsmcertd.pp
libsepol.print_missing_requirements: rhsmcertd's global requirements were not met: type/attribute rhsmcertd_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!


Version-Release number of selected component (if applicable):

# rpm -qa | grep -E 'redhat-release|subscription-manager|selinux-policy'
redhat-release-server-7.2-9.el7.x86_64
subscription-manager-1.15.9-15.el7.x86_64
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch
selinux-policy-3.13.1-60.el7_2.3.noarch


How reproducible:

100% spamming /var/log/messages in a timely manner, every 4 hours.
Comment 1 Lukas Zapletal 2016-05-24 09:05:19 UTC
We don't maintain SELinux for subscription-manager component ourselves. This is on our SELinux team.

Triage notes: When RHEL subscribes to Satellite 6, the rhsmcertd component starts communication over HTTPS on port 9090 with Satellite. Please introduce a boolean and, if possible, enable it by default so Satellite 6 users don't need to turn it on for each individual system. Applies to all supported RHELs: 5, 6, 7 (where rhsmcertd is available).

Thanks.

Comment 2 Johan Bergström 2016-05-24 09:16:00 UTC
I realized that I was missing the selinux-policy-devel rpm & there is already a module named rhsmcertd, that probably caused the problem with loading the custom module.

# semodule -l | grep rhsm
rhsmcertd-jb    1.0
rhsmcertd       1.1.1

Re-created it with the name rhsmcertd-jb and it now works fine to load, so workaround is implemented. Lowering prio.

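An added example (not from the bug report, the reporter, or the selinux-policy project) that scripts the workaround from Comment 2 with the check a reviewer would want: choose a local module name that does not collide with one already loaded (the stock `rhsmcertd` module is what broke `semodule -i` in the description), and refuse to load a module whose rules go beyond the single `allow` rule `audit2allow` printed. `pick_module_name`, `rules_only_expected` and `build_and_load` are hypothetical helpers; the sample `semodule -l` and `audit2allow` outputs are constructed to mirror the report.

```sh
#!/bin/sh
# Constructed sample of `semodule -l` output, mirroring Comment 2.
SAMPLE_MODULES='rhsmcertd       1.1.1
abrt            1.0'

# Constructed sample of `audit2allow` output, mirroring the description.
SAMPLE_RULES='#============= rhsmcertd_t ==============
allow rhsmcertd_t websm_port_t:tcp_socket name_connect;'

# pick_module_name BASE LIST: print BASE, or BASE-local if LIST (the output
# of `semodule -l`) already contains a module of that name.
pick_module_name() {
    if printf '%s\n' "$2" | awk '{print $1}' | grep -qx -- "$1"; then
        printf '%s-local\n' "$1"
    else
        printf '%s\n' "$1"
    fi
}

# rules_only_expected RULES EXPECTED: succeed only if every non-comment,
# non-empty line of RULES equals EXPECTED, so a module that audit2allow
# broadened with extra grants is never loaded unreviewed.
rules_only_expected() {
    printf '%s\n' "$1" | grep -v '^#' | grep -v '^$' | while IFS= read -r line; do
        [ "$line" = "$2" ] || exit 1
    done
}

# On a real host: generate the module under a non-colliding name, review the
# .te that `audit2allow -M` writes next to the .pp, then load it.
build_and_load() {
    name=$(pick_module_name rhsmcertd "$(semodule -l)")
    grep rhsmcertd-worke /var/log/audit/audit.log | audit2allow -M "$name" || return 1
    rules_only_expected "$(grep '^allow' "$name.te")" \
        'allow rhsmcertd_t websm_port_t:tcp_socket name_connect;' || return 1
    semodule -i "$name.pp"
}
```
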
Comment 3 Johan Bergström 2016-05-24 09:36:52 UTC
And, the product is RHEL7.2, not 6.9. I don't have permission to change it.

Comment 9 errata-xmlrpc 2016-11-04 02:29:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html