Bug 498930

Summary: SELinux, monitoring Network Services, RPC probe selinux error
Product: Red Hat Satellite 5
Component: Server
Version: 530
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Reporter: wes hayutin <whayutin>
Assignee: Jan Pazdziora <jpazdziora>
QA Contact: wes hayutin <whayutin>
CC: bbuckingham, bperkins, cperry, mzazrivec
Hardware: All
OS: Linux
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 18:49:35 UTC
Bug Blocks: 457079, 463877

Description wes hayutin 2009-05-04 14:14:06 UTC
Description of problem:

4/24.1 build rhel 5

getting selinux errors while running network services rpc probe

type=AVC msg=audit(1241445896.523:13465): avc:  denied  { execute } for  pid=31382 comm="sh" name="rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { execute_no_trans } for  pid=31382 comm="sh" path="/usr/sbin/rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { read } for  pid=31382 comm="sh" path="/usr/sbin/rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1241445896.523:13465): arch=40000003 syscall=11 success=yes exit=0 a0=829af70 a1=829ad90 a2=829b028 a3=0 items=0 ppid=31377 pid=31382 auid=0 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=797 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)


recreate:
1. setup monitoring and probes
2. create network services probe, using nfs
3. setup client w/ nfs
4. push scout config..
5. get selinux errors

Comment 1 wes hayutin 2009-05-04 14:17:53 UTC
causes
Network Services: RPC Service   	 Unable to establish rpc connection to service nfs on host 10.10.76.146

Comment 2 Jan Pazdziora 2009-05-25 14:10:00 UTC
There are two more AVC denials here:

type=AVC msg=audit(1241440704.859:750): avc:  denied  { name_bind } for  pid=5700 comm="rpcinfo" src=788 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1241440704.859:750): avc:  denied  { node_bind } for  pid=5700 comm="rpcinfo" src=788 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket

Comment 3 Jan Pazdziora 2009-05-26 08:13:23 UTC
Fix in Spacewalk repo master 785e6f144521a893a756f11b95282577763ba227 and cf44bdce656294f4181424b6843366258eda428a.

Comment 4 wes hayutin 2009-06-04 13:30:10 UTC
verified
-bash-3.2$ rhn-runprobe --probe 173
2009-06-04 09:29:36 	Items changed or removed:
2009-06-04 09:29:36 		latency '0.266723' is OK
2009-06-04 09:29:36 		Unable to establish rpc connection to service nfs on host 10.10.77.159     '' is CRITICAL
2009-06-04 09:29:36 	Would notify because:
2009-06-04 09:29:36 		Unable to establish rpc connection to service nfs on host 10.10.77.159     '' is OK
2009-06-04 09:29:36 	NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-04 09:29:36 
============================================================
OK: RPC service nfs: Latency 0.267 sec
============================================================

Comment 5 Milan Zázrivec 2009-09-02 12:56:27 UTC
Verified in stage -> RELEASE_PENDING

Comment 6 Brandon Perkins 2009-09-10 18:49:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html