Bug 1930920
Summary: | /usr/libexec/rhsmcertd-worker (rhsmcertd_t) tries node_t:tcp_socket node_bind | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 8.3 | CC: | cchouhan, filbar, jhnidek, lvrabec, mmalik, nixuser, peter.vreman, plautrba, redakkan, robert.scheck, ssekidde |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | No Doc Update |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-03-11 16:14:27 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Robert Scheck
2021-02-19 19:18:49 UTC
Cross-filed case 02874310 at the Red Hat customer portal.

Meanwhile we're getting flooded by these messages from about every RHEL system after the latest updates, even though there was no hiccup regarding the network connectivity:

grep subscription-manager /var/log/*dnf*:

```
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: dnf-plugin-subscription-manager-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: subscription-manager-rhsm-certificates-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: python3-subscription-manager-rhsm-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: subscription-manager-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: subscription-manager-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64
```

/var/log/audit/audit.log:

```
type=AVC msg=audit(1613992383.227:110048): avc: denied { node_bind } for pid=790844 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
```

/var/log/rhsm/rhsmcertd.log:

```
Mon Feb 22 12:13:19 2021 [INFO] (Cert Check) Certificates updated.
```

/var/log/rhsm/rhsm.log:

```
2021-02-22 12:13:05,533 [INFO] rhsmcertd-worker:790844:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# [<removed>]
Expected (UEP) serial# [<removed>]
Added (new)
<NONE>
Deleted (rogue):
<NONE>
2021-02-22 12:13:10,725 [WARNING] rhsmcertd-worker:790844:MainThread @dmiinfo.py:130 - Error reading system DMI information: # SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.
NoneType: None
2021-02-22 12:13:10,924 [WARNING] rhsmcertd-worker:790844:MainThread @dmiinfo.py:130 - Error reading system DMI information: # SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.
NoneType: None
2021-02-22 12:13:12,471 [INFO] rhsmcertd-worker:790844:MainThread @factlib.py:100 - Facts have been updated.
```

Cross-filed case 02881290 at the Red Hat customer portal (other customer).

I can reproduce this issue on Fedora and RHEL8. When I build and use the rhsmcertd SELinux module from the master branch at https://github.com/fedora-selinux/selinux-policy using:

```
[root@localhost contrib]# make -f /usr/share/selinux/devel/Makefile rhsmcertd.pp
[root@localhost contrib]# semodule -i rhsmcertd.pp
libsemanage.semanage_direct_install_info: Overriding rhsmcertd module at lower priority 100 with module at priority 400.
[root@localhost contrib]# semodule -r rhsmcertd
libsemanage.semanage_direct_remove_key: rhsmcertd module at priority 100 is now active.
```

then the SELinux issue is fixed. Not sure what exactly fixed this issue (probably this rule: corenet_tcp_bind_generic_node(rhsmcertd_t) in the following PR: https://github.com/fedora-selinux/selinux-policy/pull/598). The master branch of selinux-policy cannot be applied to RHEL8. It will be necessary to backport this to RHEL8.

There is a workaround for RHEL8: create fix_rhsmcertd.te with the following content:

```
module foo 1.0;

require {
	type node_t;
	type rhsmcertd_t;
	class tcp_socket node_bind;
}

#============= rhsmcertd_t ==============
allow rhsmcertd_t node_t:tcp_socket node_bind;
```

```
[root@localhost]# make -f /usr/share/selinux/devel/Makefile fix_rhsmcertd.pp
[root@localhost]# semodule -i fix_rhsmcertd.pp
```

The permission has already been added to the policy and the fix should be a part of RHEL 8.4 GA.

*** This bug has been marked as a duplicate of bug 1923985 ***

*** Bug 1932158 has been marked as a duplicate of this bug. ***
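As an added example (not code from this report or from the selinux-policy project), the following Python parser reads an AVC denial of the form logged above, recognises the specific rhsmcertd node_bind denial so it can be triaged as a known policy gap rather than an intrusion, and renders the same minimal TE module as the workaround. The sample line is the denial quoted in the report; the module name and function names are this example's own.

```python
# Added example (not code from the bug report): parse an AVC denial as logged in
# /var/log/audit/audit.log and render the minimal TE module that would allow it.
import re
from dataclasses import dataclass

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The denial line quoted in the report, used here as constructed sample input.
SAMPLE = ('type=AVC msg=audit(1613992383.227:110048): avc: denied { node_bind } '
          'for pid=790844 comm="rhsmcertd-worke" saddr=::1 '
          'scontext=system_u:system_r:rhsmcertd_t:s0 '
          'tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0')

@dataclass
class AvcDenial:
    perms: tuple   # permissions listed inside { }
    stype: str     # source (subject) type, e.g. rhsmcertd_t
    ttype: str     # target (object) type, e.g. node_t
    tclass: str    # object class, e.g. tcp_socket
    enforced: bool # permissive=0: the access was actually blocked

def parse_avc(line: str):
    """Return an AvcDenial for an AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    try:  # a context is user:role:type:level, so the type is the third field
        return AvcDenial(perms=tuple(m.group("perms").split()),
                         stype=kv["scontext"].split(":")[2],
                         ttype=kv["tcontext"].split(":")[2],
                         tclass=kv["tclass"],
                         enforced=kv.get("permissive") == "0")
    except (KeyError, IndexError):
        return None  # malformed record: a context or class field is missing

def is_rhsmcertd_node_bind(d: AvcDenial) -> bool:
    """True for the specific denial this report is about, so it can be triaged as known."""
    return (d.stype == "rhsmcertd_t" and d.ttype == "node_t"
            and d.tclass == "tcp_socket" and d.perms == ("node_bind",))

def render_te(d: AvcDenial, module: str = "fix_rhsmcertd") -> str:
    """Emit the minimal policy module (audit2allow style) that allows the denial."""
    perms = " ".join(d.perms)
    return (f"module {module} 1.0;\n\nrequire {{\n\ttype {d.ttype};\n\ttype {d.stype};\n"
            f"\tclass {d.tclass} {perms};\n}}\n\nallow {d.stype} {d.ttype}:{d.tclass} {perms};\n")
```

Only denials that match the known rhsmcertd pattern should be turned into an allow rule this way; any other denial from a different source type deserves its own investigation before policy is widened.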