Bug 494909

Summary: Monitoring, scout config push never completes if SELinux is enforcing
Product: Red Hat Satellite 5 Reporter: wes hayutin <whayutin>
Component: MonitoringAssignee: Miroslav Suchý <msuchy>
Status: CLOSED CURRENTRELEASE QA Contact: wes hayutin <whayutin>
Severity: medium Docs Contact:
Priority: low    
Version: 530CC: bperkins, cperry, msuchy, mzazrivec
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://riverraid.rhndev.redhat.com/network/monitoring/scout/index.pxt
Whiteboard:
Fixed In Version: sat530 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-10 18:15:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 457079, 463877, 486216    
Attachments:
Description Flags
audit.log none

Description wes hayutin 2009-04-08 16:51:22 UTC
Description of problem:
Satellite-5.3.0-RHEL5-re20090403.2-i386-embedded-oracle.iso

Monitoring, scout config push never completes if SELinux is enforcing.
The *very* odd thing is that nothing is logged to the audit.log, so I guess it may *not* be a denial problem.  This is an odd bug and I am not quite sure what exactly is going on.


recreate:
Turn SELinux to permissive:

setup monitoring:
Server:
1. Login as Sat admin
2. Enable Monitoring,  under Admin -> Spacewalk/RHN Configuration, check Enable Monitoring, click Update
3. Enable Monitoring Scout, under Admin -> Spacewalk/RHN Configuration -> Monitoring, check Enable Monitoring Scout, click Update Config
4. Restart Spacewalk/RHN Satellite
5. Make sure /etc/init.d/Monitoring is started
6. From the server, su - nocpulse, scp the .ssh/nocpulse-identity.pub root@client:/tmp 
7. This same key can also be found at Monitoring -> Scout Config Push -> RHN Monitoring Satellite

Client:
5. Register a client, enable monitoring on the client
6. Alter system channel membership to include RHN Network Tools
7. Install rhnmd package on client and do service rhnmd start.
8. On the client, su - nocpulse, cat /tmp/nocpulse-identity.pub >> /opt/nocpulse/.ssh/authorized_keys
8.1 (SAT 5.3 CHANGE) On the client, su - nocpulse, cat /tmp/nocpulse-identity.pub >> /var/lib/nocpulse/.ssh/authorized_keys
9. restart the rhnmd, /etc/init.d/rhnmd restart 

10. Go into the webui and push the scout config.
should work successfully.

Now:
Turn SELinux back on to enforcing
11. push the scout config again.

Results:
The scout config push never completes
AND
Nothing is logged to audit.log
very odd...

Expected Results:
Either the scout config push works, OR we get a denial or message in audit.log

Comment 1 Miroslav Suchý 2009-04-10 08:33:45 UTC
Jan,
can you please investigate this issue? I know that some events are not logged to audit.log, can you elaborate it?

Comment 2 Jan Pazdziora 2009-04-10 08:54:19 UTC
If there is nothing in audit.log, it's unlikely to be SELinux related.

Comment 3 Jan Pazdziora 2009-04-10 08:57:12 UTC
I just tried Scout push with spacewalk-monitoring-selinux-0.6.2-1 which fixes a couple of true SELinux bugs, and the push proceeds just fine, adding new probe, and the probe then starts to show the current state.

Please advise if you want the bugzilla back for general investigation or monitoring oddity, or if I should just move it ON_QA.

Comment 4 Miroslav Suchý 2009-04-10 09:28:48 UTC
OK. Please can you tried it again with new ISO? 
Jan - you can move it on ON_QA once new ISO will rolled out.

Comment 5 Jan Pazdziora 2009-04-15 07:16:36 UTC
Moving ON_QA, with the latest ISO Satellite-5.3.0-RHEL?-re20090414.0.

Comment 6 wes hayutin 2009-04-15 19:56:18 UTC
NICE!!!!
monitoring is working..
verified :)

Comment 7 wes hayutin 2009-06-02 12:20:50 UTC
this is failing in 5/29 build..

Comment 8 wes hayutin 2009-06-02 12:22:19 UTC
Created attachment 346243 [details]
audit.log

Comment 10 Miroslav Suchý 2009-06-09 15:40:01 UTC
This should have been fixed by my commit 249f66e71268a8f05ee376c989a51d1cdc719bce in https://bugzilla.redhat.com/show_bug.cgi?id=498611#c4

Comment 11 Miroslav Suchý 2009-06-12 12:59:46 UTC
compose 20090612
moving ON_QA

Comment 12 wes hayutin 2009-06-15 20:20:48 UTC
verified 6/12.1 
 	1 - 1 of 1 (0 selected)    	   
	Config Status 	Scout Name 	Last Request 	Completed
	Ok 	RHN Satellite Monitoring Scout 	2009-06-15 04:14:19 PM EDT 	2009-06-15 04:15:18 PM EDT

Comment 13 Milan Zázrivec 2009-09-02 14:36:25 UTC
Verified in stage -> RELEASE_PENDING

Comment 14 Brandon Perkins 2009-09-10 18:15:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html