Bug 497887
Summary: | unable to register client via proxy | ||
---|---|---|---|
Product: | Red Hat Satellite Proxy 5 | Reporter: | wes hayutin <whayutin> |
Component: | Server | Assignee: | Tomas Lestach <tlestach> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Jan Pazdziora <jpazdziora> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 530 | CC: | bperkins, cperry, jpazdziora, psklenar |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | na | ||
Whiteboard: | |||
Fixed In Version: | sat530 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2009-10-28 19:29:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 456999, 457079 |
Description
wes hayutin
2009-04-27 18:03:18 UTC
looks like a selinux issue

    type=AVC msg=audit(1240839148.057:41): avc: denied { write } for pid=3348 comm="httpd" name="proxy-auth" dev=dm-0 ino=417963 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
    type=SYSCALL msg=audit(1240839148.057:41): arch=40000003 syscall=5 success=no exit=-13 a0=983ee58 a1=80c1 a2=1a4 a3=80c1 items=0 ppid=3331 pid=3348 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1240839148.067:42): avc: denied { read } for pid=3475 comm="sendmail" path="eventpoll:[19693]" dev=eventpollfs ino=19693 scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=file
    type=SYSCALL msg=audit(1240839148.067:42): arch=40000003 syscall=11 success=yes exit=0 a0=9767b90 a1=983ce70 a2=bfcd98ac a3=9718838 items=0 ppid=3348 pid=3475 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=51 sgid=51 fsgid=51 tty=(none) ses=2 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=root:system_r:system_mail_t:s0 key=(null)

on the client get..

    Error Message:
        RHN Proxy error (auth caching issue). Please contact your system administrator.
    Error Class Code: 1000
    Error Class Info: RHN Proxy error.
    Explanation:
        An error has occurred while processing your request. If this problem
        persists please enter a bug report at bugzilla.redhat.com.
        If you choose to submit the bug report, please be sure to include
        details of what you were trying to do when this error occurred and
        details on how to reproduce this problem.
    See /var/log/up2date for more information

*** Bug 498974 has been marked as a duplicate of this bug. ***

So if SELinux is not allowing proxy auth to write tokens to /var/cache/rhn/ sounds like update to SELinux policy is needed.

Going to Assign to Tomas for review.

Cliff

Tomáš agreed to work on this one, utilizing his backup hat.

The page https://fedorahosted.org/spacewalk/wiki/Features/SELinux will probably be rather helpful for him.

What I did was:

I synced redhat-rhn-proxy-5.3-server-i386-5 channel (from satellite.rhn.webqa.redhat.com) to my sat (Satellite-5.3.0-RHEL5-re20090520.0-i386).
I took a fresh client install, set selinux to enforcing, then registered to sat, and installed a proxy v5.3 over WEBUI.
I set another client to register to proxy and run

    # rhnreg_ks --user=<user> --password=<password> --force
    # echo $?
    0
    #

I see my client registered to the sat over proxy on WEBUI.

The selinux proxy-auth type looks also good:

    # ls -dZ /var/cache/rhn/proxy-auth/
    drwxr-x--- apache root system_u:object_r:spacewalk_proxy_cache_t /var/cache/rhn/proxy-auth/

Are you sure you have a correct proxy installation? Could you provide me with more precise reproducer?

And a file was successfully created in the proxy-auth directory:

    # ls -Z /var/cache/rhn/proxy-auth/
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t p1000010121

ya.. this bug is already a month old, and I think is fixed.. moving to on_qa to retest

With Proxy versions

    # rpm -qa | grep proxy
    rhn-proxy-branding-5.3.0.24-1.el5sat
    spacewalk-proxy-redirect-0.5.7-7.el5sat
    spacewalk-proxy-monitoring-0.4.4-3.el5sat
    spacewalk-proxy-installer-0.5.25-13.el5sat
    spacewalk-proxy-docs-0.4.1-2.el5sat
    spacewalk-proxy-common-0.5.7-7.el5sat
    spacewalk-proxy-package-manager-0.5.7-7.el5sat
    spacewalk-proxy-selinux-0.5.2-6.el5sat
    spacewalk-proxy-broker-0.5.7-7.el5sat
    spacewalk-proxy-management-0.5.7-7.el5sat

activation of client went without problems, the new system record appeared in Satellite's WebUI in the list of systems and also in Proxy's Systems Using Proxy tab.

The record(s) in proxy-auth were created OK:

    # ls -laZ /var/cache/rhn/proxy-auth/
    drwxr-x--- apache root system_u:object_r:spacewalk_proxy_cache_t .
    drwxr-x--- apache root system_u:object_r:var_t ..
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t 1000010020
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t p1000010000

Marking as VERIFIED.

tried: RHN-Proxy-5.3.0-RHEL5-re20090820.0-x86_64 connected to Satellite-5.3.0-RHEL5-re20090820.1

== rhn-proxy ==

    [root@xen70 ~]# getenforce
    Enforcing
    [root@xen70 ~]# rpm -qa | grep proxy
    spacewalk-proxy-monitoring-0.4.4-4.el5sat
    spacewalk-proxy-broker-0.5.7-10.el5sat
    spacewalk-proxy-management-0.5.7-10.el5sat
    rhn-proxy-branding-5.3.0.27-1.el5sat
    spacewalk-proxy-common-0.5.7-10.el5sat
    spacewalk-proxy-package-manager-0.5.7-10.el5sat
    spacewalk-proxy-redirect-0.5.7-10.el5sat
    spacewalk-proxy-docs-0.4.1-2.el5sat
    spacewalk-proxy-selinux-0.5.2-7.el5sat
    [root@xen70 ~]# ls -laZ /var/cache/rhn/proxy-auth/
    drwxr-x--- apache root system_u:object_r:spacewalk_proxy_cache_t .
    drwxr-x--- apache root system_u:object_r:var_t ..
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t 1000010269
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t 1000010424
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t 1000010444
    -rw-r--r-- apache apache root:object_r:spacewalk_proxy_cache_t p1000010404

== client ==

    [root@dhcp-lab-234 ~]# rhnreg_ks --username=**** --pass=**** --serverUrl=http://xen70.englab.brq.redhat.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --force --profilename=through-proxy-2
    [root@dhcp-lab-234 ~] rhn_register # :works
    # I could download many packages from satellite's channel
    # and system records were placed properly.

moved to release_pending

Closing bug. 530 is GA and we somehow missed this one to close.
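
The triage done by hand in this thread, as an added example that is not part of the original bug report or of Satellite/Spacewalk code: it parses the two AVC records quoted above and compares the denied object's SELinux type with the label seen on the verified proxy-auth directory. The function names (`parse_avc`, `ls_z_type`, `mislabeled`) are hypothetical, and the `ls -Z` parsing assumes the RHEL 5 column layout shown in the report.

```python
import re

# Sample input copied from this report: the two AVC records (SYSCALL records
# omitted) and the `ls -dZ` line from the verified proxy install.
AUDIT_LOG = (
    'type=AVC msg=audit(1240839148.057:41): avc: denied { write } for pid=3348 '
    'comm="httpd" name="proxy-auth" dev=dm-0 ino=417963 '
    'scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1240839148.067:42): avc: denied { read } for pid=3475 '
    'comm="sendmail" path="eventpoll:[19693]" dev=eventpollfs ino=19693 '
    'scontext=root:system_r:system_mail_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=file\n'
)
LS_DZ = "drwxr-x--- apache root system_u:object_r:spacewalk_proxy_cache_t /var/cache/rhn/proxy-auth/"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avc(log):
    """Return one dict per AVC denial: permissions, process, object and both types."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        denials.append({
            "perms": m.group("perms").split(),
            "comm": kv.get("comm"),
            "object": kv.get("name") or kv.get("path"),
            "source_type": selinux_type(kv["scontext"]),
            "target_type": selinux_type(kv["tcontext"]),
            "tclass": kv.get("tclass"),
        })
    return denials

def ls_z_type(ls_line):
    """Extract the SELinux type from one `ls -Z` line (mode, user, group, context, name)."""
    return selinux_type(ls_line.split()[3])

def mislabeled(denial, expected_type):
    """True when the denied object carried a type other than the expected one."""
    return denial["target_type"] != expected_type

if __name__ == "__main__":
    for d in parse_avc(AUDIT_LOG):
        print(d, "mislabeled:", mislabeled(d, ls_z_type(LS_DZ)))
```

For the first record this reports `httpd_t` denied `write` on a `dir` typed `var_t`, while the verified install shows the same directory typed `spacewalk_proxy_cache_t`.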