Bug 567880
| Summary: | rhnmd on client do not start because SELinux AVC denial | ||
|---|---|---|---|
| Product: | [Community] Spacewalk | Reporter: | Jan Hutař <jhutar> |
| Component: | Clients | Assignee: | Milan Zázrivec <mzazrivec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 0.8 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-02-24 08:14:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 582354 | ||
*** This bug has been marked as a duplicate of bug 567879 *** |
Description of problem: When I try to start rhnmd on updated F12 with SELinux in enforcing mode, it fails because some AVCs. Version-Release number of selected component (if applicable): rhnmd-5.3.5-1.fc12.noarch selinux-policy-3.6.32-89.fc12.noarch selinux-policy-targeted-3.6.32-89.fc12.noarch How reproducible: always Steps to Reproduce: 1. ensure you are in enforcing with `getenforce` 2. ensure /var/lib/nocpulse/.ssh/* have right context with `restorecon -vR /var/lib/nocpulse/.ssh/` 3. # service rhnmd start Actual results: # service rhnmd start Starting rhnmd:Could not load host key: /var/lib/nocpulse/.ssh/nocpulse-identity Disabling protocol version 2. Could not load host key sshd: no hostkeys available -- exiting. [FAILED] Expected results: # service rhnmd start Starting rhnmd: [ OK ] Additional info: type=USER_START msg=audit(1266998428.734:345): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success' type=CRED_ACQ msg=audit(1266998428.734:346): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success' type=AVC msg=audit(1266998428.780:347): avc: denied { read } for pid=6520 comm="rhnmd" name="nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=AVC msg=audit(1266998428.780:347): avc: denied { open } for pid=6520 comm="rhnmd" name="nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1266998428.780:347): arch=c000003e syscall=2 success=yes exit=128 a0=7fe8adb86cb0 a1=0 a2=0 a3=8 items=0 ppid=6496 pid=6520 auid=500 uid=488 gid=472 euid=488 suid=488 fsuid=488 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1266998428.780:348): avc: denied { getattr } for pid=6520 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file type=SYSCALL msg=audit(1266998428.780:348): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fffe237a410 a2=7fffe237a410 a3=7fffe237a1a0 items=0 ppid=6496 pid=6520 auid=500 uid=488 gid=472 euid=488 suid=488 fsuid=488 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null) type=CRED_DISP msg=audit(1266998428.782:349): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success' type=USER_END msg=audit(1266998428.782:350): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success' type=USER_ACCT msg=audit(1266998461.331:351): user pid=6558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_ACQ msg=audit(1266998461.338:352): user pid=6558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=LOGIN msg=audit(1266998461.338:353): login pid=6558 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=37 type=USER_START msg=audit(1266998461.351:354): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=CRED_DISP msg=audit(1266998461.490:355): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' type=USER_END msg=audit(1266998461.491:356): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'