Bug 1443215
Summary: | unable to open ATI��US��1�H��` to write timestamp: Permission denied | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | John Sefler <jsefler> |
Component: | subscription-manager | Assignee: | Jiri Hnidek <jhnidek> |
Status: | CLOSED ERRATA | QA Contact: | John Sefler <jsefler> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.4 | CC: | jhnidek, jstavel, khowell, redakkan, skallesh, weiliu |
Target Milestone: | rc | Keywords: | Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | subscription-manager-1.19.10-1 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 19:22:43 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
John Sefler
2017-04-18 19:03:03 UTC
Additional Info: The failure goes away when selinux is disabled (setenforce 0). Here's a trace from the audit.log... ---- type=SYSCALL msg=audit(04/20/2017 14:03:08.981:661364) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x15ce770 a1=0x15c6ad0 a2=0x7ffdd5588b88 a3=0x7ffdd5585fa0 items=0 ppid=26616 pid=26628 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) type=AVC msg=audit(04/20/2017 14:03:08.981:661364) : avc: denied { execute } for pid=26628 comm=rhsmcertd-worke name=hostname dev="dm-0" ino=8973142 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file ---- type=SYSCALL msg=audit(04/20/2017 14:03:09.045:661365) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x15c6ad0 a1=0x1687ff0 a2=0x7ffdd5588b88 a3=0x7ffdd5586110 items=0 ppid=26616 pid=26663 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) type=AVC msg=audit(04/20/2017 14:03:09.045:661365) : avc: denied { execute } for pid=26663 comm=rhsmcertd-worke name=hostname dev="dm-0" ino=8973142 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file ---- I can't reproduce this bug in master. I'm trying version subscription-manager-1.19.8-1. It is strange, it prints following error: unable to open ATI��US��1�H��` to write timestamp: Permission denied I can confirm that I able to reproduce it at 1.19.8-1. This happens during second and next cert check / auto-attach. I will test in master too. *** Bug 1444711 has been marked as a duplicate of this bug. *** *** Bug 1445059 has been marked as a duplicate of this bug. *** Reproducing the failure on : ============================ # subscription-manager version server type: This system is currently not registered. subscription management server: 0.9.51.21-1 subscription management rules: 5.15.1 subscription-manager: 1.19.8-1.el7 python-rhsm: 1.19.5-1.el7 Selinux in enforcing mode [root@bkr-hv01-guest24 ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 [root@bkr-hv01-guest24 ~]# subscription-manager register Registering to: subscription.rhsm.stage.redhat.com:443/subscription Username: stage_test_rhel74 Password: The system has been registered with ID: 6c392c89-f0dc-485d-87c4-43b0776a7801 [root@bkr-hv01-guest24 ~]# subscription-manager config --rhsmcertd.certcheckinterval=3 --rhsmcertd.autoattachinterval=4 [root@bkr-hv01-guest24 ~]# systemctl restart rhsmcertd.service [root@bkr-hv01-guest24 ~]# tail -f /var/log/rhsm/rhsmcertd.log Wed May 3 05:44:51 2017 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)] Wed May 3 05:44:51 2017 [INFO] Cert check interval: 240.0 minute(s) [14400 second(s)] Wed May 3 05:44:51 2017 [INFO] Waiting 2.0 minute(s) plus 1787 splay second(s) [1907 seconds(s) totals] before performing first auto-attach. Wed May 3 05:44:51 2017 [INFO] Waiting 2.0 minute(s) plus 9042 splay second(s) [9162 seconds(s) totals] before performing first cert check. Wed May 3 06:09:26 2017 [INFO] rhsmcertd is shutting down... Wed May 3 06:09:26 2017 [INFO] Starting rhsmcertd... Wed May 3 06:09:26 2017 [INFO] Auto-attach interval: 4.0 minute(s) [240 second(s)] Wed May 3 06:09:26 2017 [INFO] Cert check interval: 3.0 minute(s) [180 second(s)] Wed May 3 06:09:26 2017 [INFO] Waiting 2.0 minute(s) plus 164 splay second(s) [284 seconds(s) totals] before performing first auto-attach. Wed May 3 06:09:26 2017 [INFO] Waiting 2.0 minute(s) plus 2 splay second(s) [122 seconds(s) totals] before performing first cert check. Wed May 3 06:11:34 2017 [INFO] (Cert Check) Certificates updated. Wed May 3 06:12:26 2017 [WARN] unable to open ATI��US��1�H��` to write timestamp: Permission denied Wed May 3 06:14:21 2017 [INFO] (Auto-attach) Certificates updated. ^^ reproduced the WARNING and avc denial Retesting with the latest subscription-manager : ============================================= # subscription-manager version server type: This system is currently not registered. subscription management server: 0.9.51.21-1 subscription management rules: 5.15.1 subscription-manager: 1.19.12-1.el7 python-rhsm: 1.19.6-1.el7 selinux packages: selinux-policy-3.13.1-145.el7.noarch selinux-policy-targeted-3.13.1-145.el7.noarch [root@ibm-x3650m4-01-vm-10 ~]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 [root@ibm-x3650m4-01-vm-10 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"` [root@ibm-x3650m4-01-vm-10 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME} <no matches> [root@ibm-x3650m4-01-vm-10 ~]# subscription-manager config --rhsmcertd.certcheckinterval=3 --rhsmcertd.autoattachinterval=4 [root@ibm-x3650m4-01-vm-10 ~]# systemctl restart rhsmcertd.service [root@ibm-x3650m4-01-vm-10 ~]# tail -f /var/log/rhsm/rhsmcertd.log Wed May 3 03:49:45 2017 [INFO] Cert check interval: 240.0 minutes [14400 seconds] Wed May 3 03:49:45 2017 [INFO] Waiting 2.0 minutes plus 70529 splay seconds [70649 seconds total] before performing first auto-attach. Wed May 3 03:49:45 2017 [INFO] Waiting 2.0 minutes plus 1115 splay seconds [1235 seconds total] before performing first cert check. Wed May 3 04:10:49 2017 [INFO] (Cert Check) Certificates updated. Wed May 3 06:20:26 2017 [INFO] rhsmcertd is shutting down... Wed May 3 06:20:26 2017 [INFO] Starting rhsmcertd... Wed May 3 06:20:26 2017 [INFO] Auto-attach interval: 4.0 minutes [240 seconds] Wed May 3 06:20:26 2017 [INFO] Cert check interval: 3.0 minutes [180 seconds] Wed May 3 06:20:26 2017 [INFO] Waiting 2.0 minutes plus 187 splay seconds [307 seconds total] before performing first auto-attach. Wed May 3 06:20:26 2017 [INFO] Waiting 2.0 minutes plus 65 splay seconds [185 seconds total] before performing first cert check. Wed May 3 06:23:47 2017 [INFO] (Cert Check) Certificates updated. Wed May 3 06:25:49 2017 [INFO] (Auto-attach) Certificates updated. No warnings have been observed in the rhsmcertd.log, but still AVC denials are reported in the log ---- #ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME} ---- type=PROCTITLE msg=audit(05/03/2017 06:23:45.570:431) : proctitle=/usr/bin/python -Es /usr/libexec/rhsmcertd-worker type=SYSCALL msg=audit(05/03/2017 06:23:45.570:431) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x2a85740 a1=0x2a89e60 a2=0x7fff7ad1a738 a3=0x7fff7ad17ae0 items=0 ppid=10134 pid=10143 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) type=AVC msg=audit(05/03/2017 06:23:45.570:431) : avc: denied { execute } for pid=10143 comm=rhsmcertd-worke name=hostname dev="dm-0" ino=100767763 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file ---- type=PROCTITLE msg=audit(05/03/2017 06:23:45.657:432) : proctitle=/usr/bin/python -Es /usr/libexec/rhsmcertd-worker type=SYSCALL msg=audit(05/03/2017 06:23:45.657:432) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x2aa7930 a1=0x2a98800 a2=0x7fff7ad1a738 a3=0x7fff7ad17c50 items=0 ppid=10134 pid=10178 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null) type=AVC msg=audit(05/03/2017 06:23:45.657:432) : avc: denied { execute } for pid=10178 comm=rhsmcertd-worke name=hostname dev="dm-0" ino=100767763 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file ---- Discussed with Selinux qe (mmalik) ,he informed that with the latest selinux package from brew avc denials no longer appear. Updating selinux-policy #rpm -Uvh http://download.eng.bos.redhat.com/brewroot/packages/selinux-policy/3.13.1/147.el7/noarch/selinux-policy-3.13.1-147.el7.noarch.rpm http://download.eng.bos.redhat.com/brewroot/packages/selinux-policy/3.13.1/147.el7/noarch/selinux-policy-targeted-3.13.1-147.el7.noarch.rpm # rpm -qa selinux* selinux-policy-targeted-3.13.1-147.el7.noarch selinux-policy-3.13.1-147.el7.noarch AVC Denials no longer appear after rhsmcertd restart # systemctl restart rhsmcertd.service # tail -f /var/log/rhsm/rhsmcertd.log Wed May 3 06:53:29 2017 [INFO] Cert check interval: 3.0 minutes [180 seconds] Wed May 3 06:53:29 2017 [INFO] Waiting 2.0 minutes plus 220 splay seconds [340 seconds total] before performing first auto-attach. Wed May 3 06:53:29 2017 [INFO] Waiting 2.0 minutes plus 43 splay seconds [163 seconds total] before performing first cert check. Wed May 3 06:56:17 2017 [INFO] (Cert Check) Certificates updated. Wed May 3 06:58:49 2017 [INFO] rhsmcertd is shutting down... Wed May 3 06:58:49 2017 [INFO] Starting rhsmcertd... Wed May 3 06:58:49 2017 [INFO] Auto-attach interval: 4.0 minutes [240 seconds] Wed May 3 06:58:49 2017 [INFO] Cert check interval: 3.0 minutes [180 seconds] Wed May 3 06:58:49 2017 [INFO] Waiting 2.0 minutes plus 137 splay seconds [257 seconds total] before performing first auto-attach. Wed May 3 06:58:49 2017 [INFO] Waiting 2.0 minutes plus 92 splay seconds [212 seconds total] before performing first cert check. Wed May 3 07:02:26 2017 [INFO] (Cert Check) Certificates updated. Wed May 3 07:03:17 2017 [INFO] (Auto-attach) Certificates updated. [root@ibm-x3650m4-01-vm-10 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME} <no matches> following subscription was attached # subscription-manager list --consumed +-------------------------------------------+ Consumed Subscriptions +-------------------------------------------+ Subscription Name: Red Hat Enterprise Linux for Virtual Datacenters, Premium (DERIVED SKU) Provides: Oracle Java (for RHEL Server) Red Hat Enterprise Linux High Performance Networking (for RHEL Server) - Extended Update Support Red Hat Enterprise Linux Server - Extended Update Support Red Hat Enterprise Linux Atomic Host Red Hat Enterprise Linux Server Oracle Java (for RHEL Workstation) Red Hat EUCJP Support (for RHEL Server) - Extended Update Support Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support Oracle Java (for RHEL Server) - Extended Update Support Red Hat Software Collections (for RHEL Server) Red Hat Beta dotNET on RHEL (for RHEL Server) Red Hat Enterprise Linux High Availability (for RHEL Server) - Extended Update Support Red Hat Developer Toolset (for RHEL Server) Red Hat Enterprise Linux Atomic Host Beta Red Hat Enterprise Linux Scalable File System (for RHEL Server) - Extended Update Support Red Hat Enterprise Linux Load Balancer (for RHEL Server) - Extended Update Support Red Hat Software Collections Beta (for RHEL Server) Red Hat S-JIS Support (for RHEL Server) - Extended Update Support SKU: RH00049 Contract: 11273884 Account: 5764711 Serial: 2059875420132685304 Pool ID: 8a99f9815b20573c015b3de396ce1dab Provides Management: No Active: True Quantity Used: 1 Service Level: Premium Service Type: L1-L3 Status Details: Guest has not been reported on any host and is using a temporary unmapped guest subscription. Subscription Type: Standard (Temporary) Starts: 04/04/2017 Ends: 05/04/2017 Based on the above observations, marking the bug as Verified!! Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2083 |