Bug 1930920

Summary: /usr/libexec/rhsmcertd-worker (rhsmcertd_t) tries node_t:tcp_socket node_bind
Product: Red Hat Enterprise Linux 8
Reporter: Robert Scheck <redhat-bugzilla>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 8.3
CC: cchouhan, filbar, jhnidek, lvrabec, mmalik, nixuser, peter.vreman, plautrba, redakkan, robert.scheck, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-11 16:14:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Robert Scheck 2021-02-19 19:18:49 UTC
Description of problem:
type=AVC msg=audit(1613749791.671:84): avc:  denied  { node_bind } for  pid=931 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1613749791.671:84): arch=x86_64 syscall=bind success=no exit=EACCES a0=4 a1=7ffd52ab7900 a2=1c a3=31 items=0 ppid=674 pid=931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
platform-python-3.6.8-31.el8.x86_64
subscription-manager-1.27.18-1.el8_3.x86_64
selinux-policy-targeted-3.14.3-54.el8_3.2.noarch

How reproducible:
Not sure, it just happened while no administrative tasks were performed. Likely caused by some Internet access interruption, but IMHO this still should not lead to such an SELinux denial message.

Actual results:
/usr/libexec/rhsmcertd-worker (rhsmcertd_t) tries node_t:tcp_socket node_bind

Expected results:
Allow or dontaudit, whatever is suitable. Or fix subscription-manager code.

Additional info:
/var/log/rhsm/rhsmcertd.log:
Fri Feb 19 16:49:52 2021 [WARN] (Cert Check) Update failed (255), retry will occur on next run.

/var/log/rhsm/rhsm.log:
2021-02-19 16:49:51,897 [ERROR] rhsmcertd-worker:931:MainThread @rhsmcertd_worker.py:226 - Error while updating certificates using daemon
2021-02-19 16:49:51,898 [ERROR] rhsmcertd-worker:931:MainThread @rhsmcertd_worker.py:228 - [Errno 101] Network is unreachable
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 217, in main
    _main(options, log)
  File "/usr/lib64/python3.6/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 151, in _main
    cp.supports_resource(None)  # pre-load supported resources; serves as a way of failing before locking the repos
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 975, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 952, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 882, in request_get
    return self._request("GET", method, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 908, in _request
    info=info, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 706, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python3.6/http/client.py", line 1254, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 974, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1414, in connect
    super().connect()
  File "/usr/lib64/python3.6/http/client.py", line 946, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
    raise err
  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
    sock.connect(sa)
OSError: [Errno 101] Network is unreachable

Comment 1 Robert Scheck 2021-02-19 19:23:02 UTC
Cross-filed case 02874310 at the Red Hat customer portal.

Comment 2 Robert Scheck 2021-02-22 12:15:51 UTC
Meanwhile we're getting flooded by these messages from about every RHEL system after the latest updates - even though there was no hiccup regarding the network connectivity:

grep subscription-manager /var/log/*dnf*:
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: dnf-plugin-subscription-manager-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: subscription-manager-rhsm-certificates-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: python3-subscription-manager-rhsm-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: subscription-manager-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: subscription-manager-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64

/var/log/audit/audit.log:
type=AVC msg=audit(1613992383.227:110048): avc:  denied  { node_bind } for  pid=790844 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0

/var/log/rhsm/rhsmcertd.log:
Mon Feb 22 12:13:19 2021 [INFO] (Cert Check) Certificates updated.

/var/log/rhsm/rhsm.log:
2021-02-22 12:13:05,533 [INFO] rhsmcertd-worker:790844:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# [<removed>]
Expected (UEP) serial# [<removed>]
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2021-02-22 12:13:10,725 [WARNING] rhsmcertd-worker:790844:MainThread @dmiinfo.py:130 - Error reading system DMI information: # SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.

NoneType: None
2021-02-22 12:13:10,924 [WARNING] rhsmcertd-worker:790844:MainThread @dmiinfo.py:130 - Error reading system DMI information: # SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.

NoneType: None
2021-02-22 12:13:12,471 [INFO] rhsmcertd-worker:790844:MainThread @factlib.py:100 - Facts have been updated.

Comment 3 Robert Scheck 2021-03-01 14:17:01 UTC
Cross-filed case 02881290 at the Red Hat customer portal (other customer).

Comment 5 Jiri Hnidek 2021-03-11 15:56:59 UTC
I can reproduce this issue on Fedora and RHEL8.

When I build and use the rhsmcertd SELinux module from the master branch at https://github.com/fedora-selinux/selinux-policy using:


[root@localhost contrib]# make -f /usr/share/selinux/devel/Makefile rhsmcertd.pp

[root@localhost contrib]# semodule -i rhsmcertd.pp 
libsemanage.semanage_direct_install_info: Overriding rhsmcertd module at lower priority 100 with module at priority 400.

[root@localhost contrib]# semodule -r rhsmcertd
libsemanage.semanage_direct_remove_key: rhsmcertd module at priority 100 is now active.


Then the SELinux issue is fixed. Not sure what exactly fixed this issue (probably this rule, corenet_tcp_bind_generic_node(rhsmcertd_t), in the following PR):

https://github.com/fedora-selinux/selinux-policy/pull/598


The master branch of selinux-policy cannot be applied to RHEL8. It will be necessary to backport this to RHEL8.


There is a workaround for RHEL8:


Create fix_rhsmcertd.te with the following content:

# Module name matches the .te/.pp file name, so semodule refers to it as
# fix_rhsmcertd (and "semodule -r fix_rhsmcertd" removes it again).
module fix_rhsmcertd 1.0;

require {
	type node_t;
	type rhsmcertd_t;
	class tcp_socket node_bind;
}

#============= rhsmcertd_t ==============

# Narrowest rule that resolves the AVC in the description: bind a TCP socket
# to a generic node (here the IPv6 loopback ::1), nothing more.
allow rhsmcertd_t node_t:tcp_socket node_bind;


[root@localhost]# make -f /usr/share/selinux/devel/Makefile fix_rhsmcertd.pp

[root@localhost]# semodule -i fix_rhsmcertd.pp
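
The following is an added example, not code from subscription-manager, selinux-policy or any commenter on this bug. It does by hand what `audit2allow -M` does: it parses the AVC records quoted in the description and in comment 2, aggregates them per (source type, target type, object class), and renders a .te module equivalent to the fix_rhsmcertd.te workaround above, with a `dontaudit` mode for the alternative the reporter mentions under "Expected results". The sample input is constructed: the two real AVC lines and the SYSCALL line from this bug, plus one made-up denial from a hypothetical `example_t` domain to show that the source-domain filter keeps unrelated denials out of the module. Function names (`parse_avc`, `collect_rules`, `build_module`) are the example's own.

```python
"""Generate a minimal local SELinux policy module from AVC denial records.

Added example for bug 1930920; not subscription-manager or selinux-policy code.
"""
import re
from collections import OrderedDict

# Constructed sample input (see lead-in): two real AVC records from this bug,
# the SYSCALL record that accompanies the first, and one made-up denial from
# a hypothetical example_t domain that must NOT end up in the rhsmcertd module.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1613749791.671:84): avc:  denied  { node_bind } for  pid=931 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1613749791.671:84): arch=x86_64 syscall=bind success=no exit=EACCES a0=4 a1=7ffd52ab7900 a2=1c a3=31 items=0 ppid=674 pid=931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1613992383.227:110048): avc:  denied  { node_bind } for  pid=790844 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1613992400.000:110049): avc:  denied  { name_bind } for  pid=4242 comm="example" src=9999 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# "type=AVC msg=audit(<secs>:<serial>): avc:  denied  { perm ... } for  k=v k=v ..."
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted (comm="...") or bare (saddr=::1)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            "serial": int(m.group("serial")),
            "result": m.group("result"),
            "perms": m.group("perms").split(),
            # contexts are user:role:type:level; only the type matters for TE rules
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
            "saddr": fields.get("saddr"),
            # permissive=1 means the kernel logged the denial but did not enforce it
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None


def collect_rules(lines, source_domain=None):
    """Aggregate denials into an ordered {(source, target, tclass): set(perms)}.

    Identical denials (the two rhsmcertd_t records above) collapse into one
    rule; with source_domain set, denials from other domains are dropped.
    """
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if source_domain is not None and rec["source"] != source_domain:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def build_module(rules, name, version="1.0", mode="allow"):
    """Render a .te module. mode is "allow" (fix) or "dontaudit" (silence only)."""
    if mode not in ("allow", "dontaudit"):
        raise ValueError("mode must be 'allow' or 'dontaudit', got %r" % mode)
    types = OrderedDict()    # every type referenced must be declared in require {}
    classes = OrderedDict()  # class -> union of permissions used on it
    for (src, tgt, cls), perms in rules.items():
        types.setdefault(src)
        types.setdefault(tgt)
        classes.setdefault(cls, set()).update(perms)
    out = ["module %s %s;" % (name, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in classes.items()]
    out += ["}", ""]
    for (src, tgt, cls), perms in rules.items():
        out.append("%s %s %s:%s { %s };" % (mode, src, tgt, cls, " ".join(sorted(perms))))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Only rhsmcertd_t denials: the example_t line is filtered out, and the two
    # node_bind records become a single allow rule, as in fix_rhsmcertd.te above.
    rhsm_rules = collect_rules(SAMPLE_AUDIT_LOG.splitlines(), source_domain="rhsmcertd_t")
    print(build_module(rhsm_rules, "fix_rhsmcertd"))
```

Redirect the output to fix_rhsmcertd.te, then build and install it exactly as in the two commands above (`make -f /usr/share/selinux/devel/Makefile fix_rhsmcertd.pp`, `semodule -i fix_rhsmcertd.pp`). To confirm the rule is in the loaded policy, `sesearch -A -s rhsmcertd_t -t node_t -c tcp_socket -p node_bind` (from setools-console) should list it. A `dontaudit` module only stops the audit record; the bind() still fails with EACCES, which the reporter's comment 2 logs show is not fatal to the certificate update. Once the selinux-policy build that carries the fix is installed (RHEL 8.4 GA per comment 6), remove the local module with `semodule -r fix_rhsmcertd` so the system does not keep a hand-written rule that the distribution policy now provides.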

Comment 6 Zdenek Pytela 2021-03-11 16:14:27 UTC
The permission has already been added to the policy and the fix should be a part of RHEL 8.4 GA.

*** This bug has been marked as a duplicate of bug 1923985 ***

Comment 7 Jiri Hnidek 2021-03-16 14:22:59 UTC
*** Bug 1932158 has been marked as a duplicate of this bug. ***