Bug 1923985
Summary: | [RHEL-8] avc: denied { node_bind } for pid=50272 comm="rhsmcertd-worke" | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | zguo <zguo> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 8.4 | CC: | bnater, cchouhan, csnyder, ernunes, fadamo, hajek, hartsjc, jhnidek, jhsiao, jinwu, lvrabec, mcoufal, mmalik, myusuf, pbunyan, peter.vreman, plautrba, ralongi, redhat-bugzilla, rpm, shawnlunny, ssekidde, vchepkov, vkadlcik, yoyang, zfang, zpytela |
Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
Target Release: | 8.4 | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
An update in the subscription-manager package makes rhsmcertd-worker bind a TCP socket to a generic node (node_t, here the loopback address ::1), but the rhsmcertd_t domain lacks the node_bind permission in the SELinux policy.
Consequence:
rhsmcertd-worker cannot bind to a particular IP address; the bind() call fails with EACCES and an AVC denial is logged.
Fix:
A rule allowing rhsmcertd_t node_bind on node_t tcp_socket was added to the policy.
Result:
rhsmcertd-worker can bind to a particular IP address.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 14:58:20 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Comment 2
Zdenek Pytela
2021-02-04 20:40:55 UTC
*** Bug 1925472 has been marked as a duplicate of this bug. ***

*** Bug 1925702 has been marked as a duplicate of this bug. ***

*** Bug 1926742 has been marked as a duplicate of this bug. ***

All,

The Bugzilla is still in NEW state. Is this on the radar? Just checking so it does not sneak by :)

---------------------------
Issue is easily reproduced:
---------------------------
distro: RHEL-8.4.0-20210209.n.0 BaseOS aarch64
kernel: 4.18.0-283.el8
task: /kernel/filesystems/nfs/connectathon 3.0-94
selinux-policy: 3.14.3-62.el8.noarch
job: https://beaker.engineering.redhat.com/recipes/9544329#task121729187
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2021/02/50837/5083732/9544329/121729187/569082869/avc.log

Best,
pbunyan

This bz as well as its rhel 9 version bz#1923006 awaits information from subscription manager developers. Given the current state of RHEL 8.4, impact or justification would be helpful for possible inclusion decision.

Chris,

The node_bind SELinux permission is requested for rhsmcertd-worker in current RHEL 8 and 9, but it was not needed until recently. Did something change in this service which requires the permission?

With subscription-manager-1.27.18-1.el8_3 now GA via RHBA-2021:0566 ... this issue is impacting customers.

```
# rpm -qf /bin/rhsmcertd
subscription-manager-1.27.18-1.el8_3.x86_64

# ausearch --input-logs --message avc,user_avc,avc_path --success no --format text
At 05:19:22 02/17/2021 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6

# ausearch --input-logs --message avc,user_avc,avc_path --success no
----
time->Wed Feb 17 05:19:22 2021
type=PROCTITLE msg=audit(1613560762.896:7143): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1613560762.896:7143): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7fff2b035c50 a2=1c a3=31 items=0 ppid=1273 pid=42572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1613560762.896:7143): avc: denied { node_bind } for pid=42572 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
```

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/598

(In reply to Zdenek Pytela from comment #12)
> James,
>
> In the kbase, there are 2 different and likely independent issues described.
> The first one, for running kpatch, is in RHEL 8.3 since GA. The other, for
> binding to ::1, could be a result of some subscription manager update (not
> confirmed by maintainers yet).
>
> While workaround for the latter is correct, for the former one is not
> sufficient.

Other than formatting, all I did was add following today for the work-around...

```
# echo "(allow rhsmcertd_t node_t (tcp_socket (node_bind)))" >> rhsmcertd_execute_kpatch.cil
```

And they may be unrelated, but they were both noted in the original BZ 1895322 and both AVC for same rpm (even same binary) in RHEL 8.3

*** Bug 1930447 has been marked as a duplicate of this bug. ***

This AVC is related to IPv6 kernel module and it can happen on any machine where the IPv6 is disabled. Please see the discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1931450

Thanks for the information! I also found another similar bug https://bugzilla.redhat.com/show_bug.cgi?id=1926256
I'll follow this issue from those bugs and now cancel my needinfo flag.

*** Bug 1930920 has been marked as a duplicate of this bug. ***

> Zdenek Pytela 2021-02-18 08:10:29 UTC
> Status: POST → MODIFIED
>
> Ondrej Mosnacek 2021-02-18 10:31:36 UTC
> Keywords: AutoVerified
>
> errata-xmlrpc 2021-02-18 10:48:11 UTC
> Status: MODIFIED → ON_QA
>
> Milos Malik 2021-02-18 10:52:51 UTC
> Status: ON_QA → VERIFIED

Kindly, what is the actual state of this bug?

(In reply to yuk from comment #31)
> > Zdenek Pytela 2021-02-18 08:10:29 UTC
> > Status: POST → MODIFIED
> >
> > Ondrej Mosnacek 2021-02-18 10:31:36 UTC
> > Keywords: AutoVerified
> >
> > errata-xmlrpc 2021-02-18 10:48:11 UTC
> > Status: MODIFIED → ON_QA
> >
> > Milos Malik 2021-02-18 10:52:51 UTC
> > Status: ON_QA → VERIFIED
>
> Kindly, what is the actual state of this bug?

Bug is in VERIFIED state = This bug fix has successfully finished testing by the Assigned Quality Engineer. Fix should be present in next minor update (rhel-8.4).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

*** Bug 2015216 has been marked as a duplicate of this bug. ***
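The raw audit event quoted in the thread and the one-line CIL workaround are two ends of the same exercise: read the AVC record, confirm from the SYSCALL record what actually failed, and write the narrowest rule that would permit it. The script below is an added example, not code from this bug report, from selinux-policy or from subscription-manager. It groups the PROCTITLE, SYSCALL and AVC records of one event by their audit serial, decodes the hex-encoded proctitle into argv, maps exit=-13 to EACCES and syscall 49 on arch=c000003e to bind, and derives the same CIL allow rule the workaround appended to rhsmcertd_execute_kpatch.cil from scontext, tcontext, tclass and the denied permission. The sample input is the event quoted above, embedded inline as constructed test data; the function names and the small syscall table are the example's own.

```python
"""Derive a local CIL allow rule from the audit records of one SELinux denial.

Added example; not part of this bug report, selinux-policy or subscription-manager.
"""
import errno
import re
from collections import defaultdict

# Constructed sample: the audit event quoted in this bug, one record per line.
SAMPLE_AUDIT = """\
----
time->Wed Feb 17 05:19:22 2021
type=PROCTITLE msg=audit(1613560762.896:7143): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1613560762.896:7143): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7fff2b035c50 a2=1c a3=31 items=0 ppid=1273 pid=42572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1613560762.896:7143): avc: denied { node_bind } for pid=42572 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
"""

# Example-only table: arch=c000003e is x86_64, where syscall 49 is bind(2).
X86_64_SYSCALLS = {49: "bind"}

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None  # separators such as "----" and "time->..." carry no fields
    body = m.group("body")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    rec = {"type": m.group("type"), "serial": int(m.group("serial")), **fields}
    if rec["type"] == "AVC":
        perms = PERMS_RE.search(body)
        rec["perms"] = perms.group(1).split() if perms else []
        rec["denied"] = " denied " in body
    return rec


def decode_proctitle(hexstr):
    """proctitle= is the NUL-separated argv of the process, hex encoded."""
    return [a.decode("utf-8", "replace") for a in bytes.fromhex(hexstr).split(b"\0") if a]


def type_of(context):
    """user:role:type:level -> type, the part a CIL allow rule names."""
    return context.split(":")[2]


def avc_to_cil(avc):
    """The CIL rule that permits exactly the access this AVC record denied."""
    return "(allow %s %s (%s (%s)))" % (
        type_of(avc["scontext"]), type_of(avc["tcontext"]),
        avc["tclass"], " ".join(avc["perms"]))


def analyze(audit_text):
    """Group records by audit serial and summarise every enforced AVC denial."""
    events = defaultdict(dict)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    out = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        # permissive=1 events are audited but not blocked; they need no rule to work
        if not avc or not avc["denied"] or avc.get("permissive") != "0":
            continue
        sc = recs.get("SYSCALL", {})
        pt = recs.get("PROCTITLE", {})
        out.append({
            "serial": serial,
            "argv": decode_proctitle(pt["proctitle"]) if "proctitle" in pt else [],
            "syscall": X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"]) if "syscall" in sc else None,
            "errno": errno.errorcode.get(-int(sc["exit"])) if "exit" in sc else None,
            "saddr": avc.get("saddr"),
            "cil": avc_to_cil(avc),
        })
    return out


if __name__ == "__main__":
    for ev in analyze(SAMPLE_AUDIT):
        print(ev["serial"], ev["argv"], ev["syscall"], ev["errno"], "saddr=%s" % ev["saddr"])
        print("   ", ev["cil"])
```

Two caveats before loading the emitted rule with `semodule -i` as a local module: node_bind on node_t allows the domain to bind to any generic node address, not only ::1, so the rule is a workaround rather than the targeted fix that shipped in the errata; and, as the thread notes, the ::1 denial can also appear on hosts with IPv6 disabled, which is worth checking before concluding the policy is at fault.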