| Summary: | SELinux denials encountered during bind/unbind | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | John Sefler <jsefler> |
| Component: | subscription-manager | Assignee: | William Poteat <wpoteat> |
| Status: | CLOSED WORKSFORME | QA Contact: | Entitlement Bugs <entitlement-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 5.8 | CC: | bkearney |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-01-03 21:20:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 715031 | ||
Have not been able to reproduce on other installs. Rebuilding the offending vm to snapshot2 now and will retest. I should also have reported: rpm -V selinux-policy dbus dbus-python The offending install of "Red Hat Enterprise Linux Server release 5.8 Beta (Tikanga)" has been rebuilt with RHEL-5.8-Server-Snapshot-2.0 and the latest subscription-manager/python-rhsm packages have been installed... [root@jsefler-onprem-5server ~]# rpm -q subscription-manager subscription-manager-0.98.10-1.git.0.5d83904.el5 [root@jsefler-onprem-5server ~]# rpm -q python-rhsm python-rhsm-0.98.9-1.git.0.81c61d5.el5 [root@jsefler-onprem-5server ~]# rpm -V selinux-policy dbus dbus-python [root@jsefler-onprem-5server ~]# [root@jsefler-onprem-5server ~]# subscription-manager register --username testuser1 --password password --org admin The system has been registered with id: aff4def4-1a4a-4c15-98e5-337173fc652b [root@jsefler-onprem-5server ~]# subscription-manager list --avail | grep -A1 management-100 ProductId: management-100 PoolId: 8a90f85734a546830134a5475a6601ac -- ProductId: management-100 PoolId: 8a90f85734a546830134a5475a9f01b4 [root@jsefler-onprem-5server ~]# echo "" > /var/log/audit/audit.log [root@jsefler-onprem-5server ~]# subscription-manager subscribe --pool 8a90f85734a546830134a5475a6601ac Successfully consumed a subscription from the pool with id 8a90f85734a546830134a5475a6601ac [root@jsefler-onprem-5server ~]# grep denied /var/log/audit/audit.log [root@jsefler-onprem-5server ~]# subscription-manager unsubscribe --all [root@jsefler-onprem-5server ~]# grep denied /var/log/audit/audit.log [root@jsefler-onprem-5server ~]# As demonstrated above, I am no longer getting the SELinux denials... I do not know what caused the original denials and because the offending machine has been rebuilt, we cannot investigate any further. If our automated runs catch this error again, then we'll re-open the bug. Moving to CLOSED WORKSFORME |
Description of problem: This was newly caught by automated tests and must have been introduced by a commit between: Tues Dec 20 8:00pm - Wed Dec 21 8:00pm Version-Release number of selected component (if applicable): [root@jsefler-onprem-5server ~]# rpm -q subscription-manager subscription-manager-0.98.9-1.git.5.4b51014.el5 [root@jsefler-onprem-5server ~]# rpm -q python-rhsm python-rhsm-0.98.8-1.git.1.d1e5cd9.el5 How reproducible: Steps to Reproduce: [root@jsefler-onprem-5server ~]# subscription-manager register --username testuser1 --password password --org admin The system has been registered with id: 98d30add-53a4-4b5b-a4c6-293873f070ae [root@jsefler-onprem-5server ~]# subscription-manager list --avail | grep -A1 management-100 ProductId: management-100 PoolId: 8a90f85734634d770134634eb02a01ac -- ProductId: management-100 PoolId: 8a90f85734634d770134634eb0ee01b4 [root@jsefler-onprem-5server ~]# echo "" > /var/log/audit/audit.log [root@jsefler-onprem-5server ~]# subscription-manager subscribe --pool 8a90f85734634d770134634eb02a01ac Successfully consumed a subscription from the pool with id 8a90f85734634d770134634eb02a01ac [root@jsefler-onprem-5server ~]# grep denied /var/log/audit/audit.log type=USER_AVC msg=audit(1324574836.481:211429): user pid=2171 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=com.redhat.SubscriptionManager spid=14465 tpid=18560 scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' type=USER_AVC msg=audit(1324574836.809:211430): user pid=2171 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=14465 tpid=18562 scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' BANG! ^^^ THOSE DENIALS ARE NEW NOW LET's TRY UNSUBSCRIBE... [root@jsefler-onprem-5server ~]# echo "" > /var/log/audit/audit.log [root@jsefler-onprem-5server ~]# subscription-manager unsubscribe --all [root@jsefler-onprem-5server ~]# grep denied /var/log/audit/audit.log type=USER_AVC msg=audit(1324575063.752:211443): user pid=2171 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=com.redhat.SubscriptionManager spid=14465 tpid=18635 scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' type=USER_AVC msg=audit(1324575064.033:211444): user pid=2171 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=14465 tpid=18637 scontext=root:system_r:firstboot_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)' BANG! ^^^ looks like the same denials during unbind