Bug 516073

Summary: avc: denied { setpgid } for comm="gogo.pl"
Product: Red Hat Satellite 5 Reporter: Milan Zázrivec <mzazrivec>
Component: ServerAssignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED CURRENTRELEASE QA Contact: wes hayutin <whayutin>
Severity: medium Docs Contact:
Priority: low    
Version: 530CC: cperry, tlestach, whayutin
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sat530 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-10 19:12:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 457079    

Description Milan Zázrivec 2009-08-06 15:45:53 UTC 
Description of problem:
* Satellite 5.3.0 installation on RHEL-5 with selinux enabled
* activated monitoring + monitoring scout

Following selinux denial is found in audit.log:
type=AVC msg=audit(1249571377.161:25): avc:  denied  { setpgid }
for  pid=2197 comm="gogo.pl"
scontext=system_u:system_r:spacewalk_monitoring_t:s0
tcontext=system_u:system_r:spacewalk_monitoring_t:s0 tclass=process

Version-Release number of selected component (if applicable):
spacewalk-monitoring-selinux-0.5.7-9.el5sat
ProgAGoGo-1.11.5-2.el5sat

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.3.0 on rhel5 with selinux enabled
2. Enable monitoring & monitoring scout
3. Watch /var/log/audit/audit.log
  
Actual results:
See denial message above.

Expected results:
No denials.

Additional info:
bug #513368
spacewalk.git master, commit 172090659d5a0b6cba91299617794e369672ace4
Comment 1 Jan Pazdziora (Red Hat) 2009-08-10 07:27:52 UTC 
Actually, the problem is not present in 5.2.0, it was introduced by me with the 17209... commit. Putting to triage for 5.3.0, it should be easy to add that one allow and have spacewalk-monitoring-selinux package respinned.
Comment 2 Clifford Perry 2009-08-10 14:35:45 UTC 
Approved for 530.
Comment 3 Jan Pazdziora (Red Hat) 2009-08-10 15:07:44 UTC 
Fixed in Spacewalk repo, master 08972b855f53289a9ff28541bf72948145b0242b, VADER 36a6b27d2071c0ab1bb87ecd0b00c00e130841b6.
Comment 4 wes hayutin 2009-08-17 15:46:28 UTC 
not sure why this was transferred to me
Comment 5 Brandon Perkins 2009-08-17 19:39:16 UTC 
(In reply to comment #4)
> not sure why this was transferred to me  

Because its an SELinux issue, which you were the primary QA contact for, and that you have zero ON_QA bugs right now and we need to get all ON_QA bugs verified or failed today.  Is there something specific about the bug that makes it more suited to another engineer?
Comment 7 wes hayutin 2009-08-18 16:38:05 UTC 
installed satellite 530 build 8/17 on rhel 5.4 w/ selinux enforcing
install - no denials
enable monitoring -restart - no denials

I got to this anyway :P

verified
Comment 8 Tomas Lestach 2009-08-25 15:12:26 UTC 
Enabling monitoring & monitoring scout on stage sat 5.3.0 with selinux set to permissive.

No avc denials in /var/log/audit/audit.log.

Stage validated -> RELEASE_PENDING
Comment 9 Brandon Perkins 2009-09-10 19:12:51 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html