Bug 735014

Summary: tog-pegasus is not stopped successfully, port 5989: Address already in use
Product: Red Hat Enterprise Linux 6 Reporter: Petr Sklenar <psklenar>
Component: tog-pegasusAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED DUPLICATE QA Contact: qe-baseos-daemons
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.2CC: azelinka, jscotka, mgrepl, ovasik
Target Milestone: rcKeywords: Regression, SELinux
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-09-21 12:38:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Sklenar 2011-09-01 07:42:00 UTC 
Description of problem:
tog-pegasus is not stopped successfully, port 5989 is occupied by cimserver

Version-Release number of selected component (if applicable):
tog-pegasus-2.11.0-2.el6.i686 from rhel62 errata

How reproducible:
deterministic

Steps to Reproduce:
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
# /etc/init.d/tog-pegasus start
Starting up CIM server: [  OK  ]
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
[FAILED]
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
[FAILED]
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
# netstat -putna | grep 5989
tcp        0      0 :::5989                     :::*                        LISTEN      12304/cimservermain 


  
Actual results:
socket on port 5989: Address already in use (error code 98).

Expected results:
port is release

Additional info:
old behavior:
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus start
tog-pegasus start: /usr/sbin/cimserver is already running
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus start
Starting up CIM server: [  OK  ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# rpm -q tog-pegasus
tog-pegasus-2.9.1-5.el6.i686
Comment 6 Vitezslav Crhonek 2011-09-05 11:01:29 UTC 
[root@kvm-guest-06 ~]# service tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
[FAILED]
[root@kvm-guest-06 ~]# netstat -putna | grep 5989
tcp        0      0 :::5989                     :::*                        LISTEN      2566/cimservermain  
[root@kvm-guest-06 ~]# ps aux | grep cimservermain
cimsrvr   2566  0.0  0.8 391848  8732 ?        Sl   06:27   0:00 cimservermain --executor-socket 3
root      2694  0.0  0.0 103228   852 pts/0    S+   06:34   0:00 grep cimservermain
[root@kvm-guest-06 ~]# kill 2566
[root@kvm-guest-06 ~]# service tog-pegasus start
Starting up CIM server: [  OK  ]

It's because of Privilege Separation feature. There are now two tog-pegasus processes - cimserver (killed in init script) and cimservermain, which should be killed by cimserver, but it's not, SELinux prevents it:

type=AVC msg=audit(1315218438.116:78130): avc:  denied  { kill } for  pid=2565 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
type=SYSCALL msg=audit(1315218438.116:78130): arch=c000003e syscall=62 success=no exit=-1 a0=a06 a1=f a2=7fff9b15915f a3=0 items=0 ppid=1 pid=2565 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cimserver" exe="/usr/sbin/cimserver" subj=unconfined_u:system_r:pegasus_t:s0 key=(null)

The issue is also described in [1]. We have Privilege Separation enabled for the first time in RHEL.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=472609
Comment 8 Miroslav Grepl 2011-09-21 10:31:30 UTC 
If the part of this issue was SELinux then it was fixed in the latest policy

# sesearch -A -s pegasus_t -t pegasus_t -c capability -p kill
Found 1 semantic av rules:
   allow pegasus_t pegasus_t : capability { chown dac_override kill setgid setuid net_bind_service ipc_lock sys_nice audit_write } ;
Comment 9 Petr Sklenar 2011-09-21 12:37:00 UTC 
tog-pegasus-2.11.0-2.el6.x86_64

OLD, selinux policy 
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
Shutting down CIM server: type=AVC msg=audit(1316608183.191:112611): avc:  denied  { kill } for  pid=6346 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
[  OK  ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
type=AVC msg=audit(1316608186.806:112612): avc:  denied  { kill } for  pid=6520 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
[FAILED]

NEW, selinux-policy-3.7.19-112.el6.noarch:
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus start
Starting up CIM server: [  OK  ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus restart
[  OK  ] down CIM server: [  OK  ]
Starting up CIM server: [  OK  ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
[root@sun-v40z-01 ~]# netstat -putna | grep 5989
[root@sun-v40z-01 ~]#
Comment 10 Petr Sklenar 2011-09-21 12:38:46 UTC 

*** This bug has been marked as a duplicate of bug 723977 ***