Bug 588923
| Summary: | SELinux is preventing execute_command (spacewalk_monitoring_t) "getattr" to /usr/sbin/sendmail.sendmail (sendmail_exec_t) |
|---|---|
| Product: | [Community] Spacewalk |
| Component: | Server |
| Version: | 1.4 |
| Hardware: | All |
| OS: | Linux |
| Status: | CLOSED CURRENTRELEASE |
| Severity: | medium |
| Priority: | low |
| Reporter: | Sandro Mathys <sandro> |
| Assignee: | Jan Pazdziora <jpazdziora> |
| QA Contact: | Red Hat Satellite QA List <satqe-list> |
| CC: | fybanez, jpazdziora, mmello, msuchy, mzazrivec |
| Fixed In Version: | spacewalk-monitoring-selinux-1.6.2-1 |
| Doc Type: | Bug Fix |
| Last Closed: | 2011-12-22 16:48:34 UTC |
| Bug Depends On: | 677680 |
| Bug Blocks: | 631875, 723481 |

Description
Sandro Mathys
2010-05-04 20:11:03 UTC
Reassigning to our selinux guru.

I'd need to know what exactly you / the Spacewalk server has been doing when you got this AVC denial. Please, always use the general bugzilla template, ideally with steps to reproduce. We need to investigate why the monitoring system thought that it would be a good idea to run /usr/sbin/sendmail.sendmail in the first place, and for that we need the full reports.

I didn't add more because that's all I had investigated so far - basically I missed to mention that we have lots of those messages and not only one single occurrence. Here comes the template.

Description of problem:
Having a closer look upon it now I see that this seems to occur every 5 minutes. Since that Spacewalk only has 4 systems subscribed to and only one is being monitored I can see that the only probe that is configured has an interval of 5 minutes. So I guess that with every check it wants to send a mail. For the past days rhnmd has not been running (because of another selinux problem which I'm going to report) on the target system and I thought that might be the reason. But I started rhnmd again in the meantime and there's still selinux reports.

Version-Release number of selected component (if applicable):
spacewalk-monitoring-1.0.1-1.el5
spacewalk-monitoring-selinux-1.0.1-1.el5

How reproducible:
Unknown, only have one spacewalk instance at hand but it still occurs there.

Steps to Reproduce:
1. create a monitoring probe
2. push scout config

Actual results:
- SELinux is preventing execute_command (spacewalk_monitoring_t) "getattr" to /usr/sbin/sendmail.sendmail (sendmail_exec_t).
- probe works, system is healthy

Expected results:
- no SELinux denial
- probe works

Additional info:
I really don't know why monitoring is trying to send an email at all or where to. There's at least no notification methods defined (and therefore none specified in the monitoring probe).

(In reply to comment #3)
> Steps to Reproduce:
> 1. create a monitoring probe

What probe is that, exactly?

Created attachment 411546
Screenshot of monitoring probe

See the new attachment above for the probe with all the details. As you can see I changed the interval to 1 minute but the denial still only occurs every 5 minutes. Also, since I started rhnmd on the client/target system a bit over one hour ago there's lots of additional SELinux messages. I'll attach messages and audit.log next so you can be sure I don't miss to mention anything of importance.

Created attachment 411549
Spacewalk syslog

Created attachment 411550
Spacewalk audit.log

Oh, I forgot to mention that at May 5 12:2* I did a rhn-satellite restart, that's why there's some JVM messages in there. The restart was necessary as I changed the SSL certificates of httpd and jabberd (after they have been signed).

*** Bug 636356 has been marked as a duplicate of this bug. ***

Mass-moving to space13.

The fix for this already fixed in same patch for https://bugzilla.redhat.com/show_bug.cgi?id=677680

See https://bugzilla.redhat.com/show_bug.cgi?id=677680

Cheers,
Marcelo Moreira de Mello

Moving to space16.

(In reply to comment #12)
> The fix for this already fixed in same patch for
> https://bugzilla.redhat.com/show_bug.cgi?id=677680
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=677680
>
> Cheers,
> Marcelo Moreira de Mello

Nack that patch.

Fixed in Spacewalk master, afd9db44bbae4e9abda70a4ec1fecea7c0dab69b. Tagged as spacewalk-monitoring-selinux-1.6.2-1.

Spacewalk 1.6 has been released.
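
Added example, not part of the original bug thread or of Spacewalk: a small audit.log triage script that groups AVC denials by source type, permission and target and reports the median interval between repeats, which is one way to confirm the five-minute recurrence described in this report and match it against a scheduler. The sample records are constructed (timestamps, pid, dev, ino and the `example_t` record are made up), and the function names are this example's own.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample in audit.log format. Timestamps, pid, dev and ino are made
# up, and the example_t record is hypothetical; the other types, comm and path
# are the ones named in this report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1273060800.101:501): avc:  denied  { getattr } for  pid=4101 comm="execute_command" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=98765 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1273060800.101:501): arch=c000003e syscall=4 success=no exit=-13 comm="execute_command"
type=AVC msg=audit(1273060950.000:502): avc:  denied  { read } for  pid=4102 comm="example" name="placeholder.conf" dev=dm-0 ino=11111 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file
type=AVC msg=audit(1273061100.204:503): avc:  denied  { getattr } for  pid=4150 comm="execute_command" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=98765 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1273061400.150:504): avc:  denied  { getattr } for  pid=4199 comm="execute_command" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=98765 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1273061700.188:505): avc:  denied  { getattr } for  pid=4240 comm="execute_command" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=98765 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m['fields'])}
    return {
        'time': float(m['ts']),
        'perms': tuple(m['perms'].split()),
        'target': kv.get('path') or kv.get('name'),
        # SELinux contexts are user:role:type:level; keep only the type
        'stype': kv.get('scontext', ':::').split(':')[2],
        'ttype': kv.get('tcontext', ':::').split(':')[2],
    }

def recurrence(log_text):
    """Return {(stype, perms, ttype, target): (count, median gap in s or None)}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if rec := parse_avc(line):
            times[rec['stype'], rec['perms'], rec['ttype'], rec['target']].append(rec['time'])
    out = {}
    for key, ts in times.items():
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        out[key] = (len(ts), median(gaps) if gaps else None)
    return out

if __name__ == '__main__':
    for key, (n, gap) in recurrence(SAMPLE_AUDIT_LOG).items():
        print(key, n, gap)
```

A median gap near 300 seconds for one (source type, permission, target) group, independent of the probe's own interval, points at a fixed-period job in the confined domain rather than at the probe itself.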