Description of problem:
With the fix for Bug 1576423, subscription-manager now respects a proxy server running on a port other than 3128.
Version-Release number of selected component (if applicable):
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.9-1
subscription management rules: 5.26
subscription-manager: 1.21.7-1.el7
# rpm -qa selinux*
selinux-policy-3.13.1-219.el7.noarch
selinux-policy-targeted-3.13.1-219.el7.noarch
How reproducible:
Always
Steps to Reproduce:
1. Configure a proxy on the system. Note: configure the proxy on any port other than 3128.
In this test, the configuration below was used:
proxy_hostname = auto-services.usersys.redhat.com
proxy_password = redhat
proxy_port = 3127
proxy_user = redhat
2. Now register the system --> observed that the system is registered successfully.
3. Wait for rhsmcertd to run (make sure to set splay=0 and the certcheck interval to a shorter duration to reproduce the error quickly).
Actual results:
rhsmcertd failed to run
Expected results:
rhsmcertd should run successfully. Now that subscription-manager respects any proxy port with the implementation of the fix for bug 1576423, the fix for this bug should take that possibility into account, as the proxy port is configurable now.
Additional info:
rhsmcertd.log
============
Tue Aug 28 20:08:22 2018 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first auto-attach.
Tue Aug 28 20:08:22 2018 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first cert check.
Tue Aug 28 20:10:22 2018 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
Tue Aug 28 20:10:22 2018 [WARN] (Auto-attach) Update failed (255), retry will occur on next run.
rhsm.log
----------
error: [Errno 13] Permission denied
2018-08-28 20:10:22,922 [INFO] rhsmcertd-worker:4923:MainThread @rhsmcertd_worker.py:70 - X-Correlation-ID: 86ef4d014d604ae7aecf680d73cdf0c4
2018-08-28 20:10:22,925 [INFO] rhsmcertd-worker:4923:MainThread @connection.py:871 - Connection built: http_proxy=auto-services.usersys.redhat.com:3127 host=subscription.rhsm.stage.redhat.com port=443 handler=/subscription auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-08-28 20:10:22,927 [ERROR] rhsmcertd-worker:4923:MainThread @rhsmcertd_worker.py:148 - Error while updating certificates using daemon
2018-08-28 20:10:22,928 [ERROR] rhsmcertd-worker:4923:MainThread @rhsmcertd_worker.py:150 - [Errno 13] Permission denied
Traceback (most recent call last):
File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 139, in main
_main(options, log)
File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 80, in _main
cp.supports_resource(None) # pre-load supported resources; serves as a way of failing before locking the repos
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 897, in supports_resource
self._load_supported_resources()
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 884, in _load_supported_resources
resources_list = self.conn.request_get("/")
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 693, in request_get
return self._request("GET", method, headers=headers)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 719, in _request
info=info, headers=headers)
File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 557, in _request
conn.request(request_type, handler, body=body, headers=final_headers)
File "/usr/lib64/python2.7/httplib.py", line 1041, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 843, in send
self.connect()
File "/usr/lib64/python2.7/httplib.py", line 1251, in connect
HTTPConnection.connect(self)
File "/usr/lib64/python2.7/httplib.py", line 824, in connect
self.timeout, self.source_address)
File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
raise err
error: [Errno 13] Permission denied
ausearch -m AVC -m USER_AVC -m SELINUX_ERR
time->Tue Aug 28 20:10:22 2018
type=PROCTITLE msg=audit(1535467222.722:246): proctitle=2F7573722F62696E2F707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1535467222.722:246): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffe602c8c00 a2=10 a3=79 items=0 ppid=4821 pid=4918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1535467222.722:246): avc: denied { name_connect } for pid=4918 comm="rhsmcertd-worke" dest=3127 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Tue Aug 28 20:10:22 2018
type=PROCTITLE msg=audit(1535467222.926:247): proctitle=2F7573722F62696E2F707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572002D2D6175746F6865616C
type=SYSCALL msg=audit(1535467222.926:247): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffc304fdc0 a2=10 a3=79 items=0 ppid=4821 pid=4923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1535467222.926:247): avc: denied { name_connect } for pid=4923 comm="rhsmcertd-worke" dest=3127 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
Because you use a different port than the usual one, a local customization of the SELinux policy is needed. Please run the following command:
# semanage port -a -t squid_port_t -p tcp 3127
As a result, the rhsmcertd process will be able to connect to TCP port 3127.
If you want to remove this local customization, please run the following command:
# semanage port -d -t squid_port_t -p tcp 3127
Usually, the rhsmcertd process is able to connect to TCP port 3128 because:
# seinfo --protocol tcp --portcon=3128
portcon tcp 3128 system_u:object_r:squid_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
#
and
# sesearch -s rhsmcertd_t -t squid_port_t -c tcp_socket -p name_connect -A -C
Found 1 semantic av rules:
allow rhsmcertd_t squid_port_t : tcp_socket name_connect ;
#
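The check in the comment above can be made repeatable across hosts. The script below is an added example (not part of the bug report, subscription-manager or selinux-policy): it reads proxy_port from rhsm.conf text, resolves the SELinux port type of that port from seinfo portcon lines of the shape shown above (the narrowest matching portcon wins, which is why 3128 resolves to squid_port_t while 3127 falls into the unreserved_port_t range), and prints the semanage customization from the comment. It goes one step beyond the comment: a port that already has an explicit label of its own is "already defined" to semanage, so it needs -m (modify) rather than -a. The rhsm.conf fragment and the portcon lines are constructed inline so the dry run works offline; the 8080 http_cache_port_t line is an assumption added to exercise the -m case. Only the --live branch reads /etc/rhsm/rhsm.conf and calls seinfo on the real system.

```shell
#!/bin/sh
# Added example, not code from the bug report or from subscription-manager.
# Decide whether the rhsm proxy port carries a label that rhsmcertd_t may
# name_connect to, and print the semanage customization needed if not.

# Print the proxy_port value from rhsm.conf text on stdin (nothing if unset).
# The key is matched wherever it appears; sections are not tracked.
rhsm_proxy_port() {
  sed -n 's/^[[:space:]]*proxy_port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Resolve the SELinux port type for TCP port $1 from "seinfo ... --portcon"
# output on stdin. Each line looks like:
#   portcon tcp 3128 system_u:object_r:squid_port_t:s0
#   portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
# The narrowest range containing the port wins, so an exact entry beats the
# 1024-32767 unreserved_port_t range that also covers it. Prints nothing if
# no portcon line matches.
port_label() {
  awk -v port="$1" '
    $1 == "portcon" && $2 == "tcp" {
      n = split($3, r, "-"); lo = r[1] + 0; hi = (n == 2 ? r[2] + 0 : lo)
      if (port + 0 >= lo && port + 0 <= hi && (best == "" || hi - lo < bestw)) {
        best = $4; bestw = hi - lo
      }
    }
    END { if (best != "") { split(best, c, ":"); print c[3] } }'
}

# Print the semanage command that gives TCP port $1 (currently typed $2) the
# squid_port_t label that rhsmcertd_t is allowed to name_connect to; prints
# nothing when no change is needed. A port with an explicit label of its own
# is "already defined" to semanage, so it needs -m instead of -a.
semanage_fix() {
  port=$1; label=$2
  case "$label" in
    squid_port_t)         ;;   # allow rhsmcertd_t squid_port_t : tcp_socket name_connect
    ''|unreserved_port_t) echo "semanage port -a -t squid_port_t -p tcp $port" ;;
    *)                    echo "semanage port -m -t squid_port_t -p tcp $port" ;;
  esac
}

# Constructed sample data: the proxy settings from the bug report, the two
# portcon lines from the comment, plus one assumed explicitly labelled port.
SAMPLE_RHSM_CONF='[server]
proxy_hostname = auto-services.usersys.redhat.com
proxy_port = 3127
proxy_user = redhat'

SAMPLE_PORTCON='portcon tcp 3128 system_u:object_r:squid_port_t:s0
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0'

# Dry run over the sample by default; "--live" inspects the real system
# with the same seinfo invocation used in the comment above.
if [ "${1:-}" = "--live" ]; then
  port=$(rhsm_proxy_port < /etc/rhsm/rhsm.conf)
  label=$(seinfo --protocol tcp --portcon="$port" 2>/dev/null | port_label "$port")
  cmd=$(semanage_fix "$port" "$label")
  if [ -n "$cmd" ]; then echo "run as root: $cmd"; else echo "port $port is $label; no change needed"; fi
else
  port=$(printf '%s\n' "$SAMPLE_RHSM_CONF" | rhsm_proxy_port)
  label=$(printf '%s\n' "$SAMPLE_PORTCON" | port_label "$port")
  echo "proxy_port=$port label=${label:-none} fix: $(semanage_fix "$port" "$label")"
fi
```

Two caveats before applying the printed command. Relabelling a port changes what every domain on the host may do with it, not only rhsmcertd_t, and -m on an already-defined port such as 8080 takes that port away from the type its usual service expects; run sesearch -t <current_type> -c tcp_socket -p name_connect -A first to see which other domains depend on the current label. The customization is also local to the host, so it must be re-applied (or shipped as part of the provisioning) wherever the non-default proxy port is configured.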