Bug 594647
| Summary: | rhnmd with major SELinux problems on Fedora 13 | ||
|---|---|---|---|
| Product: | [Community] Spacewalk | Reporter: | Sandro Mathys <sandro> |
| Component: | Clients | Assignee: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 1.1 | CC: | mzazrivec, slukasik |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rhnmd-5.3.10-1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-22 16:50:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 723481 | ||
Just confirming that I can still reproduce this with F13 and 1.1-client tools

Mass-moving to space13.

We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Aligning under space16.

Bug 677680 also reports that

type=AVC msg=audit(1302409997.445:52858): avc: denied { name_bind } for pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

is observed.

*** Bug 677680 has been marked as a duplicate of this bug. ***

On Fedora 15, I did see
type=AVC msg=audit(1317995087.159:95): avc: denied { read } for pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317995087.159:95): avc: denied { open } for pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317995087.161:96): avc: denied { getattr } for pid=1194 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
upon startup, and then
type=AVC msg=audit(1317998553.493:141): avc: denied { read } for pid=1505 comm="rhnmd" name="authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.493:141): avc: denied { open } for pid=1505 comm="rhnmd" name="authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.495:142): avc: denied { getattr } for pid=1505 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
when the scout connected.
I did address it on my box with
/usr/sbin/semanage fcontext -a -t sshd_key_t '/var/lib/nocpulse/\.ssh/nocpulse-identity'
/usr/sbin/semanage fcontext -a -t ssh_home_t '/var/lib/nocpulse/\.ssh/authorized_keys'
restorecon -rvv /var/lib/nocpulse
I wonder if this is what we want to do in (say) %post script of the rhnmd package? I did not see the name_bind AVC denial noted in bug 677680.
(In reply to comment #8)
> I did address it on my box with
>
> /usr/sbin/semanage fcontext -a -t sshd_key_t '/var/lib/nocpulse/\.ssh/nocpulse-identity'
> /usr/sbin/semanage fcontext -a -t ssh_home_t '/var/lib/nocpulse/\.ssh/authorized_keys'
> restorecon -rvv /var/lib/nocpulse

Added to rhnmd.spec in Spacewalk master, fe016b4fb21fbabe80b49a608201f632d7f24515.

Spacewalk 1.6 has been released.
Description of problem:
If SELinux is enforced, rhnmd will start but not function. If SELinux is in permissive mode rhnmd works just fine. I'll deliver all extracts I find useful below. If you need full log files I can attach them later.

/var/log/audit/audit.log:
type=AVC msg=audit(1274431807.396:22019): avc: denied { open } for pid=2000 comm="rhnmd" name="nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.396:22020): avc: denied { getattr } for pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.500:22022): avc: denied { getattr } for pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-0 ino=6815832 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

/var/log/messages:
May 21 10:54:11 (none) setroubleshoot: SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/nocpulse-identity. For complete SELinux messages. run sealert -l d283fe86-2b8a-4a41-a587-1bdc7cde2304
May 21 11:00:19 (none) setroubleshoot: SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 267ce29a-1825-46c7-822f-bc210b3ffdfe

Version-Release number of selected component (if applicable):
openssh-server-5.4p1-1.fc13
selinux-policy-3.7.19-15.fc13
rhnmd-5.3.6-1.fc12 (from F12 1.0-client, i.e. not nightly)

How reproducible:
Always

Steps to Reproduce:
1. Install F13 with F12 1.0-client tools
2. Setup rhnmd
3. Start rhnmd

Actual results:
rhnmd is started but useless without host keys and authorized_keys

Expected results:
rhnmd is started and accessible by MonitoringScout

Additional info:
sealert -l d283fe86-2b8a-4a41-a587-1bdc7cde2304:
SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/nocpulse-identity.
Source Context    unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context    system_u:object_r:var_lib_t:s0
Target Objects    /var/lib/nocpulse/.ssh/nocpulse-identity [ file ]
Source            rhnmd
Source Path       /usr/sbin/sshd
---
sealert -l 267ce29a-1825-46c7-822f-bc210b3ffdfe:
SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/authorized_keys.
Source Context    unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context    unconfined_u:object_r:var_lib_t:s0
Target Objects    /var/lib/nocpulse/.ssh/authorized_keys [ file ]
Source            rhnmd
Source Path       /usr/sbin/sshd
---
# ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub
# restorecon /var/lib/nocpulse/.ssh/*
# ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub
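The denials quoted in this report and the relabeling from comment 8 follow one pattern: rhnmd runs /usr/sbin/sshd (the sealert output shows Source Path /usr/sbin/sshd), so the process is sshd_t, and the files under /var/lib/nocpulse/.ssh are still labeled var_lib_t because that directory is not a home directory the policy knows about. The following Python script is an added example, not part of this bug report or of the rhnmd package: it parses AVC lines in the format shown above, groups the denials by source type, target type, object class and object, and for the file denials this bug fixes prints the semanage fcontext commands from comment 8. The sample lines are constructed from the ones quoted in this bug, and the WANTED_LABEL mapping (sshd_key_t for the identity key, ssh_home_t for authorized_keys) is taken from the fix here as an assumption, not derived from the policy.

```python
import os
import re
from collections import defaultdict

# Constructed sample input: AVC records in the shape quoted in this bug (not from a live host).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1274431807.396:22019): avc: denied { open } for pid=2000 comm="rhnmd" name="nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.396:22020): avc: denied { getattr } for pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.500:22022): avc: denied { getattr } for pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-0 ino=6815832 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1302409997.445:52858): avc: denied { name_bind } for pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels the fix in this bug assigns under /var/lib/nocpulse/.ssh (assumed from comment 8).
WANTED_LABEL = {'nocpulse-identity': 'sshd_key_t', 'authorized_keys': 'ssh_home_t'}


def selinux_type(context):
    """Return the type of a user:role:type[:range] context; policy rules key on the type."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if 'scontext' not in rec or 'tcontext' not in rec or 'tclass' not in rec:
        return None
    rec['perms'] = m.group('perms').split()
    rec['stype'] = selinux_type(rec['scontext'])
    rec['ttype'] = selinux_type(rec['tcontext'])
    # Name the object: basename of path if present, else the name field, else the port.
    if 'path' in rec:
        rec['object'] = os.path.basename(rec['path'])
    elif 'name' in rec:
        rec['object'] = rec['name']
    elif 'src' in rec:
        rec['object'] = 'port ' + rec['src']
    else:
        rec['object'] = '?'
    return rec


def summarize(audit_text):
    """Group denials by (source type, target type, class, object), unioning permissions."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'], rec['object'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def suggest_fixes(summary):
    """Emit the relabeling commands from comment 8 for sshd_t denials on var_lib_t files."""
    cmds = []
    for (stype, ttype, tclass, obj), _perms in summary.items():
        if stype == 'sshd_t' and ttype == 'var_lib_t' and tclass == 'file' and obj in WANTED_LABEL:
            cmds.append("semanage fcontext -a -t %s '/var/lib/nocpulse/\\.ssh/%s'"
                        % (WANTED_LABEL[obj], obj))
    if cmds:
        cmds.append('restorecon -rvv /var/lib/nocpulse')
    return cmds


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT)
    for (stype, ttype, tclass, obj), perms in summary.items():
        print('%s -> %s %s %s: denied %s' % (stype, ttype, tclass, obj, ' '.join(perms)))
    for cmd in suggest_fixes(summary):
        print(cmd)
```

The name_bind denial on TCP port 4545 from bug 677680 shows up in the summary as sshd_t against port_t on a tcp_socket, but gets no suggested command: that is a port label, not a file label, and this bug does not settle how it should be handled.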