Bug 567879

Summary: rhnmd on client do not start because SELinux AVC denial
Product: Red Hat Satellite 5 Reporter: Jan Hutař <jhutar>
Component: OtherAssignee: Milan Zázrivec <mzazrivec>
Status: CLOSED DUPLICATE QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 540CC: cperry, jpazdziora, steven.ellis
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-04 13:45:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 462714    

Description Jan Hutař 2010-02-24 08:02:08 UTC 
Description of problem:
When I try to start rhnmd on updated F12 with SELinux in enforcing mode, it fails because some AVCs.


Version-Release number of selected component (if applicable):
rhnmd-5.3.5-1.fc12.noarch
selinux-policy-3.6.32-89.fc12.noarch
selinux-policy-targeted-3.6.32-89.fc12.noarch


How reproducible:
always


Steps to Reproduce:
1. ensure you are in enforcing with `getenforce`
2. ensure /var/lib/nocpulse/.ssh/* have right context with
   `restorecon -vR /var/lib/nocpulse/.ssh/`
3. # service rhnmd start


Actual results:
# service rhnmd start
Starting rhnmd:Could not load host key: /var/lib/nocpulse/.ssh/nocpulse-identity
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
                                                           [FAILED]


Expected results:
# service rhnmd start
Starting rhnmd:                                            [  OK  ]


Additional info:
type=USER_START msg=audit(1266998428.734:345): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=CRED_ACQ msg=audit(1266998428.734:346): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=AVC msg=audit(1266998428.780:347): avc:  denied  { read } for  pid=6520 comm="rhnmd" name="nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1266998428.780:347): avc:  denied  { open } for  pid=6520 comm="rhnmd" name="nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1266998428.780:347): arch=c000003e syscall=2 success=yes exit=128 a0=7fe8adb86cb0 a1=0 a2=0 a3=8 items=0 ppid=6496 pid=6520 auid=500 uid=488 gid=472 euid=488 suid=488 fsuid=488 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1266998428.780:348): avc:  denied  { getattr } for  pid=6520 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1266998428.780:348): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fffe237a410 a2=7fffe237a410 a3=7fffe237a1a0 items=0 ppid=6496 pid=6520 auid=500 uid=488 gid=472 euid=488 suid=488 fsuid=488 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CRED_DISP msg=audit(1266998428.782:349): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=USER_END msg=audit(1266998428.782:350): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=USER_ACCT msg=audit(1266998461.331:351): user pid=6558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1266998461.338:352): user pid=6558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1266998461.338:353): login pid=6558 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=37
type=USER_START msg=audit(1266998461.351:354): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1266998461.490:355): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1266998461.491:356): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Comment 1 Jan Hutař 2010-02-24 08:14:08 UTC 
Sorry, it was SW09, not 08.
Comment 2 Jan Hutař 2010-02-24 08:14:24 UTC 
*** Bug 567880 has been marked as a duplicate of this bug. ***
Comment 5 Steven Ellis 2011-02-15 00:45:54 UTC 
I can confirm I have the same problem with a RHEL 6 host with SELinux set to enforcing.

To reproduce the problem

restorecon -vR /var/lib/nocpulse/.ssh/
service rhnmd restart
Stopping rhnmd:                                            [  OK  ]
Starting rhnmd:Could not load host key: /var/lib/nocpulse/.ssh/nocpulse-identity



Entries from /var/log/audit/audit.log

type=USER_START msg=audit(1297730287.001:4371): user pid=26683 uid=0 auid=0 ses=678 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1297730287.001:4372): user pid=26683 uid=0 auid=0 ses=678 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/1 res=success'
type=AVC msg=audit(1297730287.035:4373): avc:  denied  { read } for  pid=26685 comm="rhnmd" name="nocpulse-identity" dev=dm-0 ino=13272 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1297730287.035:4373): arch=c000003e syscall=2 success=no exit=-13 a0=7f8d02e27820 a1=0 a2=0 a3=8 items=0 ppid=26684 pid=26685 auid=0 uid=497 gid=497 euid=497 suid=497 fsuid=497 egid=497 sgid=497 fsgid=497 tty=(none) ses=678 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CRED_DISP msg=audit(1297730287.039:4374): user pid=26683 uid=0 auid=0 ses=678 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/1 res=success'
type=USER_END msg=audit(1297730287.040:4375): user pid=26683 uid=0 auid=0 ses=678 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/1 res=success'
Comment 6 Steven Ellis 2011-02-15 00:53:15 UTC 
Also reference https://bugzilla.redhat.com/show_bug.cgi?id=594647 for a similar issue.


I needed to manually change the SELinux labels

chcon -R -t  sshd_key_t /var/lib/nocpulse/.ssh/nocpulse-identity
chcon -R -t  sshd_key_t /var/lib/nocpulse/.ssh/authorized_keys 
ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse system_u:object_r:sshd_key_t:s0  authorized_keys
-rw-------. nocpulse nocpulse unconfined_u:object_r:sshd_key_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub

Now I can start rhnmd without error
Comment 7 Steven Ellis 2011-02-15 01:09:33 UTC 
This appears to have resolved issues with rhnmd as my Satellite sever is now able to run valid monitoring checks against my RHEL6 host.
Comment 9 Jan Pazdziora (Red Hat) 2013-01-04 13:43:02 UTC 
With latest rhnmd-5.3.10-2.el6sat.noarch and rhnmd-5.3.10-2.el5sat.noarch from RHN Tools, the issue is not present as we've rebased to latest code.
Comment 11 Jan Pazdziora (Red Hat) 2013-01-04 13:45:30 UTC 
Hmm, dupe of bug 852386 would be the best course of action since there rhnmd-5.3.10-2 was used to verify things are sane.

*** This bug has been marked as a duplicate of bug 852386 ***