Bug 500330

Summary: node_bind denials for comm={Monitoring, upload_results} tcontext=lo_node_t tclass=udp_socket
Product: Red Hat Satellite 5
Component: Server
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: 530
Hardware: All
OS: Linux
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 18:49:41 UTC
Reporter: Milan Zázrivec <mzazrivec>
Assignee: Jan Pazdziora <jpazdziora>
QA Contact: wes hayutin <whayutin>
CC: bbuckingham, cperry
Bug Blocks: 457079, 463877

Description Milan Zázrivec 2009-05-12 10:04:23 UTC
Description of problem:
Satellite-5.3.0-RHEL5-re20090507.1 installation on s390x / RHEL-5, monitoring &
monitoring scout enabled, selinux enabled:

# grep 'denied.*node_bind' audit.log 
type=AVC msg=audit(1242054323.116:367): avc:  denied  { node_bind }
for  pid=27887 comm="Monitoring" saddr=127.0.0.1
scontext=root:system_r:spacewalk_monitoring_t:s0
tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
type=AVC msg=audit(1242117348.626:800): avc:  denied  { node_bind }
for  pid=1540 comm="upload_results." saddr=127.0.0.1
scontext=root:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket

Version-Release number of selected component (if applicable):
oracle-nofcontext-selinux-0.1-23.8.1.el5sat
spacewalk-monitoring-selinux-0.5.7-2.el5sat

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0 on RHEL-5, selinux enabled.
2. Activate monitoring + monitoring scout
3. Watch /var/log/audit/audit.log
  
Actual results:
SELinux denials

Expected results:
No denials.

Additional info:
N/A

Comment 1 Jan Pazdziora 2009-05-27 14:57:15 UTC
Command

# runcon -t spacewalk_monitoring_t -- perl -MDBI -e 'DBI->connect("dbi:Oracle:rhnsat", "rhnsat", "rhnsat", { RaiseError => 1 });'

generates the AVC on s390x while it does not on i386. The syscall is

bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.1")}, 16) = 0

I'm trying to figure out what's different on s390x vs. i386.

Comment 2 Jan Pazdziora 2009-05-28 09:04:30 UTC
The problem stems from the fact that on s390x, the tcontext is lo_node_t:

type=AVC msg=audit(1243501001.030:2467): avc:  denied  { node_bind } for  pid=3344 comm="test-bind-0" saddr=127.0.0.1
scontext=root:system_r:test_bind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket

while on i386 it's node_t:

type=AVC msg=audit(1243497648.065:717): avc:  denied  { node_bind } for  pid=25329 comm="test-bind-0" saddr=127.0.0.1 scontext=root:system_r:test_bind_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket

Comment 3 Jan Pazdziora 2009-05-28 09:43:54 UTC
corenet_udp_bind_all_nodes(spacewalk_monitoring_t) was added in cf44bdce656294f4181424b6843366258eda428a for bug 498930, so that addresses that

type=AVC msg=audit(1242054323.116:367): avc:  denied  { node_bind }
for  pid=27887 comm="Monitoring" saddr=127.0.0.1
scontext=root:system_r:spacewalk_monitoring_t:s0
tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket

denial.
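The two comments above turn on one detail: the same `bind()` to 127.0.0.1 is checked against `lo_node_t` on s390x but against `node_t` on i386, and the fix that was committed (`corenet_udp_bind_all_nodes`) covers both node types at once. The following script is an added example, not part of this bug report or of the Spacewalk SELinux packages: it re-joins the wrapped AVC records quoted in the description, pulls out the source type, target type, object class and permission, and for each `node_bind` denial names the reference-policy interface that grants `node_bind` on every node type. Assumptions: the `type=SYSCALL` line in the sample is constructed to show that non-AVC records are skipped; `corenet_tcp_bind_all_nodes` is assumed as the TCP counterpart of the UDP interface the bug names.

```python
"""Parse SELinux AVC node_bind denials and map them to a policy interface.

Added example for bug 500330; not code from the bug report or from Spacewalk.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the two AVC records quoted in the bug description,
# wrapped across lines as they appear in the report, plus one constructed
# SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242054323.116:367): avc:  denied  { node_bind }
for  pid=27887 comm="Monitoring" saddr=127.0.0.1
scontext=root:system_r:spacewalk_monitoring_t:s0
tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
type=AVC msg=audit(1242117348.626:800): avc:  denied  { node_bind }
for  pid=1540 comm="upload_results." saddr=127.0.0.1
scontext=root:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:lo_node_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1242117348.626:800): success=yes exit=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Reference-policy interfaces that allow node_bind on the node_type
# attribute, which both node_t and lo_node_t carry. The UDP one is the
# interface the bug says was added for spacewalk_monitoring_t; the TCP
# one is assumed as its counterpart.
NODE_BIND_INTERFACES = {
    "udp_socket": "corenet_udp_bind_all_nodes",
    "tcp_socket": "corenet_tcp_bind_all_nodes",
}


def split_records(text: str) -> List[str]:
    """Re-join audit lines that were wrapped: a record starts at 'type='."""
    records: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(text: str) -> List[Dict[str, object]]:
    """Return one dict per AVC denial with the key=value fields plus the
    permission list and the bare source/target types."""
    denials: List[Dict[str, object]] = []
    for rec in split_records(text):
        if not rec.startswith("type=AVC"):
            continue
        perms = PERMS_RE.search(rec)
        if perms is None:
            continue  # granted or malformed record, not a denial
        fields: Dict[str, object] = {
            k: v.strip('"') for k, v in KV_RE.findall(rec)
        }
        fields["msg"] = str(fields["msg"]).rstrip(":")
        fields["perms"] = perms.group(1).split()
        # user:role:type[:range] -> the type is always the third field
        fields["stype"] = str(fields["scontext"]).split(":")[2]
        fields["ttype"] = str(fields["tcontext"]).split(":")[2]
        denials.append(fields)
    return denials


def suggest_policy(denials: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """For every node_bind denial on a socket class we know, return
    (source type, target node type, interface call) so the same rule
    covers node_t and lo_node_t regardless of architecture."""
    out: List[Tuple[str, str, str]] = []
    for d in denials:
        if "node_bind" not in d["perms"]:
            continue
        iface = NODE_BIND_INTERFACES.get(str(d["tclass"]))
        if iface is None:
            continue
        out.append((str(d["stype"]), str(d["ttype"]), f"{iface}({d['stype']})"))
    return out


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d['comm']}: {d['stype']} -> {d['ttype']} "
              f"{d['tclass']} {{ {' '.join(d['perms'])} }}")
    for stype, ttype, call in suggest_policy(found):
        print(f"{stype} (denied on {ttype}): {call}")
```

Run against a real `/var/log/audit/audit.log` by reading the file into `parse_avc`; the interface suggestion is the starting point for a policy module, and the verification in the later comments (grepping the log for the affected `comm` values after the fix) is the check that the rule actually took effect.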

Comment 4 Jan Pazdziora 2009-05-28 09:51:38 UTC
The httpd_sys_script_t denial was fixed in commit c8588264c801e5cddaa288e8ef17ae839ff32e7e.

Comment 5 wes hayutin 2009-06-04 13:36:47 UTC
[root@grandprix audit]# cat audit.log | grep httpd_sys
[root@grandprix audit]# cat audit.log | grep test-bind-0
[root@grandprix audit]# cat audit.log | grep upload_results
[root@grandprix audit]# cat audit.log | grep Monitoring
[root@grandprix audit]# 

verified

Comment 6 Milan Zázrivec 2009-09-02 12:52:36 UTC
Verified in stage -> RELEASE_PENDING

Comment 7 Brandon Perkins 2009-09-10 18:49:41 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html