Bug 677680

Summary:

SELinux denies rhnmd to bind to port 4545

Product:

[Community] Spacewalk

Reporter:

Sandro Mathys <sandro>

Component:

Clients

Assignee:

Jan Pazdziora (Red Hat) <jpazdziora>

Status:

CLOSED DUPLICATE

QA Contact:

Red Hat Satellite QA List <satqe-list>

Severity:

medium

Docs Contact:

Priority:

medium

Version:

1.4

CC:

jpazdziora, mmello

Target Milestone:

---

Target Release:

---

Hardware:

All

OS:

All

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2011-08-19 10:20:00 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

Bug Blocks:

588923, 723481

Attachments:

Description	Flags
0001-rhbz-677680-fix-SELinux-denies-RHNMD-binds-port-4545.patch	none

Description Sandro Mathys 2011-02-15 15:07:39 UTC

Description of problem:
type=AVC msg=audit(1297781940.124:73164): avc:  denied  { name_bind } for  pid=24556 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket



Version-Release number of selected component (if applicable):
rhnmd-5.3.7-1.fc13.noarch (from F14 client repo)



Actual results:
$(service rhnmd start) reports OK but rhnmd is not actually running. $(service rhnmd stop) will report FAILED.



Expected results:
rhnmd up and running

Comment 1 Sandro Mathys 2011-02-15 15:27:10 UTC

My fault, I mixed up versions - this was never tested in post-1.3 :)

Comment 2 Marcelo Moreira de Mello 2011-03-23 07:09:38 UTC

Hello, 

Working on this.. 

Kind Regards, 
Marcelo Moreira de Mello

Comment 3 Marcelo Moreira de Mello 2011-04-10 04:34:34 UTC

Hello, 

Issue reproduced in Spacewalk 1.4 nightly build. 

type=AVC msg=audit(1302409997.445:52858): avc:  denied  { name_bind } for  pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1302409997.445:52858): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7f8735e36760 a2=10 a3=7fff4d9bc8f8 items=0 ppid=1 pid=14302 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=(none) ses=4 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)


Working on this. 

Cheers, 
Marcelo Moreira de Mello

Comment 4 Marcelo Moreira de Mello 2011-04-10 05:10:48 UTC

When starting the monitoring scout service, gogo.pl script also are blocked by SELinux. 

type=AVC msg=audit(1302412097.191:55060): avc:  denied  { getattr } for  pid=9321 comm="gogo.pl" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1302412097.191:55060): arch=c000003e syscall=4 success=no exit=-13 a0=1932020 a1=16cf138 a2=16cf138 a3=0 items=0 ppid=9320 pid=9321 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="gogo.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1302412097.228:55061): avc:  denied  { getattr } for  pid=9319 comm="dequeue" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1302412097.228:55061): arch=c000003e syscall=4 success=no exit=-13 a0=1782ae0 a1=15c1138 a2=15c1138 a3=0 items=0 ppid=9318 pid=9319 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=pts1 ses=3 comm="dequeue" exe="/usr/bin/perl" subj=unconfined_u:system_r:spacewalk_monitoring_t:s0 key=(null)

Comment 5 Marcelo Moreira de Mello 2011-04-10 05:12:35 UTC

 kernel.pl is also denied by SELinux

type=AVC msg=audit(1302412321.541:55277): avc:  denied  { getattr } for  pid=10593 comm="kernel.pl" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1302412321.541:55277): arch=c000003e syscall=4 success=no exit=-13 a0=10ed620 a1=f6f138 a2=f6f138 a3=0 items=0 ppid=10591 pid=10593 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=pts1 ses=3 comm="kernel.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spacewalk_monitoring_t:s0 key=(null)

Comment 6 Marcelo Moreira de Mello 2011-04-10 05:34:57 UTC

Created attachment 491033 [details]
0001-rhbz-677680-fix-SELinux-denies-RHNMD-binds-port-4545.patch

Hello, 

This patch fix the SELinux denies for RHNMD daemon when binding 4545 tcp port. 

Patch already sent to spacewalk-devel mailing list for approval. 

Cheers, 
Marcelo Moreira de Mello

Comment 7 Jan Pazdziora (Red Hat) 2011-07-21 14:50:40 UTC

Moving to space16.

Comment 9 Jan Pazdziora (Red Hat) 2011-08-19 10:20:00 UTC

There are more problems to rhnmd with SELinux, we consolidate them in bug 594647.

The monitoring sendmail_exec_t (server-side) issue was addressed in bug 588923.

*** This bug has been marked as a duplicate of bug 594647 ***