Bug 500330
Summary: | node_bind denials for comm={Monitoring, upload_results} tcontext=lo_node_t tclass=udp_socket | | |
---|---|---|---|
Product: | Red Hat Satellite 5 | Reporter: | Milan Zázrivec <mzazrivec> |
Component: | Server | Assignee: | Jan Pazdziora <jpazdziora> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | wes hayutin <whayutin> |
Severity: | medium | Docs Contact: | |
Priority: | low | | |
Version: | 530 | CC: | bbuckingham, cperry |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | sat530 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-09-10 18:49:41 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 457079, 463877 | | |
Description
Milan Zázrivec
2009-05-12 10:04:23 UTC
Command

```
# runcon -t spacewalk_monitoring_t -- perl -MDBI -e 'DBI->connect("dbi:Oracle:rhnsat", "rhnsat", "rhnsat", { RaiseError => 1 });'
```

generates the AVC on s390x while it does not on i386. The syscall is

```
bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
```

I'm trying to figure out what's different on s390x vs. i386.

The problem stems from the fact that on s390x, the tcontext is lo_node_t:

```
type=AVC msg=audit(1243501001.030:2467): avc: denied { node_bind } for pid=3344 comm="test-bind-0" saddr=127.0.0.1 scontext=root:system_r:test_bind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
```

while on i386 it's node_t:

```
type=AVC msg=audit(1243497648.065:717): avc: denied { node_bind } for pid=25329 comm="test-bind-0" saddr=127.0.0.1 scontext=root:system_r:test_bind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
```

corenet_udp_bind_all_nodes(spacewalk_monitoring_t) was added in cf44bdce656294f4181424b6843366258eda428a for bug 498930, so that addresses that

```
type=AVC msg=audit(1242054323.116:367): avc: denied { node_bind } for pid=27887 comm="Monitoring" saddr=127.0.0.1 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
```

denial.

The httpd_sys_script_t denial was fixed in commit c8588264c801e5cddaa288e8ef17ae839ff32e7e.

```
[root@grandprix audit]# cat audit.log | grep httpd_sys
[root@grandprix audit]# cat audit.log | grep test-bind-0
[root@grandprix audit]# cat audit.log | grep upload_results
[root@grandprix audit]# cat audit.log | grep Monitoring
[root@grandprix audit]#
```

verified

Verified in stage -> RELEASE_PENDING

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
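The comparison and the grep verification in this report can be done in one pass over audit.log. The following is an added example, not code from the bug report or from Satellite: it parses the three AVC records quoted above (copied from the report) and groups node_bind denials by source domain so that a domain denied on both lo_node_t and node_t stands out. The function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC records copied from this bug report (s390x, i386, and the Monitoring denial).
SAMPLE_LOG = """\
type=AVC msg=audit(1243501001.030:2467): avc: denied { node_bind } for pid=3344 comm="test-bind-0" saddr=127.0.0.1 scontext=root:system_r:test_bind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
type=AVC msg=audit(1243497648.065:717): avc: denied { node_bind } for pid=25329 comm="test-bind-0" saddr=127.0.0.1 scontext=root:system_r:test_bind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket
type=AVC msg=audit(1242054323.116:367): avc: denied { node_bind } for pid=27887 comm="Monitoring" saddr=127.0.0.1 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # user:role:type:level[:categories] -> the type is always the third field,
    # even when an MLS range such as s0-s0:c0.c1023 adds extra colons.
    return context.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
    }

def node_bind_summary(log_text):
    """Map (source type, tclass) -> set of node types on which node_bind was denied."""
    summary = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        if "node_bind" in rec["perms"]:
            summary[(rec["source"], rec["tclass"])].add(rec["target"])
    return dict(summary)

def remaining_denials(log_text, comms):
    """Denials still logged for the given command names (the grep check above)."""
    return [r for r in filter(None, map(parse_avc, log_text.splitlines()))
            if r["comm"] in comms]

if __name__ == "__main__":
    for (source, tclass), targets in node_bind_summary(SAMPLE_LOG).items():
        print(source, tclass, sorted(targets))
```

An empty list from `remaining_denials` for the command names in the bug summary corresponds to the empty grep output used for verification.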