Bug 498974
| Summary: | SELinux errors, prevent clients from registering to a sat proxy | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | wes hayutin <whayutin> | ||||||||
| Component: | Server | Assignee: | Jan Pazdziora <jpazdziora> | ||||||||
| Status: | CLOSED DUPLICATE | QA Contact: | wes hayutin <whayutin> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | 530 | CC: | bperkins | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| URL: | na | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2009-05-05 14:01:18 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 457079 | ||||||||||
| Attachments: |
|
||||||||||
these selinux errors cause a failure in client registration.. [root@dhcp77-132 rhn]# rhnreg_ks --username=admin --pass=dog8code --serverUrl=http://dhcp77-103.rhndev.redhat.com/XMLRPC --force --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT An error has occurred: Error Message: RHN Proxy error (auth caching issue). Please contact your system administrator. Error Class Code: 1000 Error Class Info: RHN Proxy error. Explanation: An error has occurred while processing your request. If this problem persists please enter a bug report at bugzilla.redhat.com. If you choose to submit the bug report, please be sure to include details of what you were trying to do when this error occurred and details on how to reproduce this problem. turn selinux to permissive on the server... [root@dhcp77-132 rhn]# rhnreg_ks --username=admin --pass=dog8code --serverUrl=http://dhcp77-103.rhndev.redhat.com/XMLRPC --force --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT [root@dhcp77-132 rhn]# and registration works Created attachment 342330 [details]
traceback txt
The SELinux output shows that the type (tcontext) of /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so is lib_t, not textrel_shlib_t as it should be. Since the file is owned by oracle-instantclient-basic-10.2.0-36.el5sat.i386.rpm and oracle-instantclient-basic is Required by oracle-instantclient-selinux, I wonder how the file ended up mis-labeled. Can you confirm that the package version is oracle-instantclient-selinux-10.2-8.el5sat.noarch.rpm? Is there anything suspicious in rhn-installation.log? What does restorecon -nvv /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so report? [root@grandprix audit]# rpm -q oracle-instantclient-selinux oracle-instantclient-selinux-10.2-8.el5sat [root@grandprix audit]# [root@grandprix audit]# restorecon -nvv /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so restorecon -nvv [root@grandprix audit]# restorecon -nvv /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so returned no output. Created attachment 342455 [details]
installation-log
So I also assume that # ls -lZ /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so shows textrel_shlib_t, not lib_t, right? As the installation log shows that the type was set to textrel_shlib_t. Are you sure that you see the execmod on /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so errors shows in the initial attachment for the RHN Proxy activation and client registration? Because they are reported by scheduleEvents and kernel.pl, which is monitoring ... And besides, they suggest that the type of that libnnz10.so file is lib_t, which does not seem to be the case here. Aren't the AVC denials some older stuff? [root@grandprix audit]# ls -lZ /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /usr/lib/oracle/10.2.0.4/client/lib/libnnz10.so [root@grandprix audit]# In this case, the AVC denials from attachment 342328 [details] are not related to the activation / registration issues you see. My closest guess would be that this is duplicate of bug 497887. *** This bug has been marked as a duplicate of bug 497887 *** |
Created attachment 342328 [details] txt selinux errors Description of problem: sat 4/24.1 build rhel 5, proxy 5.3 webui installer , rhel 5 client proxy recreate 1. register rhel 5 client 2. install w/ webui proxy 5.3 3. tail the audit.log during the install notice everything is working, w/ success messages right when the install finishes.. you get the following selinux errors..