Description of problem:
When a consumer has been deleted at the server, the next run of rhsmcertd should create a backup of the consumer cert in directory /etc/pki/consumer.old, but this appears to be blocked by [Errno 13] Permission denied on rhel7.
Version-Release number of selected component (if applicable):
[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.8.31-1
subscription-manager: 1.10.5-1.git.14.2e4687f.el7
python-rhsm: 1.10.5-1.git.2.16e72c2.el7
[root@jsefler-7 ~]# rpm -qa | grep selinux
libselinux-python-2.1.13-21.el7.x86_64
libselinux-utils-2.1.13-21.el7.x86_64
libselinux-2.1.13-21.el7.x86_64
selinux-policy-3.12.1-95.el7.noarch
selinux-policy-targeted-3.12.1-95.el7.noarch
How reproducible:
Steps to Reproduce:
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password:
Organization: admin
The system has been registered with ID: d615d82b-fed4-4764-8369-64c6a7bee2cd
[root@jsefler-7 ~]# curl --stderr /dev/null -k -u testuser1:password --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/d615d82b-fed4-4764-8369-64c6a7bee2cd
[root@jsefler-7 ~]# subscription-manager identity
Unit d615d82b-fed4-4764-8369-64c6a7bee2cd has been deleted
NOW restart rhsmcertd and tail /var/log/rhsm/rhsmcertd.log /var/log/audit/audit.log /var/log/rhsm/rhsm.log as shown below in Additional info.
[root@jsefler-7 ~]# systemctl restart rhsmcertd.service
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1306 Nov 4 10:51 cert.pem
-rw-r-----. 1 root root 1679 Nov 4 10:51 key.pem
[root@jsefler-7 ~]# ls -l /etc/pki/consumer.old
ls: cannot access /etc/pki/consumer.old: No such file or directory
[root@jsefler-7 ~]#
Actual results:
above
Expected results:
The /etc/pki/consumer directory should have been backed up to /etc/pki/consumer.old
Additional info:
[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsmcertd.log
Mon Nov 4 10:57:26 2013 [INFO] rhsmcertd is shutting down...
Mon Nov 4 10:57:26 2013 [INFO] Starting rhsmcertd...
Mon Nov 4 10:57:26 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Mon Nov 4 10:57:26 2013 [INFO] Cert check interval: 240.0 minute(s) [14400 second(s)]
Mon Nov 4 10:57:26 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Mon Nov 4 10:59:27 2013 [WARN] (Auto-attach) Update failed (255), retry will occur on next run.
Mon Nov 4 10:59:28 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1383580767.463:37844): avc: denied { write } for pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1383580768.184:37845): avc: denied { write } for pid=14741 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-04 10:59:28,183 [CRITICAL] rhsmcertd-worker @rhsmcertd-worker:61 - This consumer's profile has been deleted from the server. Its local certificates will now be archived
2013-11-04 10:59:28,187 [ERROR] rhsmcertd-worker @rhsmcertd-worker:88 - Error while updating certificates using daemon
2013-11-04 10:59:28,188 [ERROR] rhsmcertd-worker @rhsmcertd-worker:90 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/libexec/rhsmcertd-worker", line 79, in <module>
    main(options, log)
  File "/usr/libexec/rhsmcertd-worker", line 62, in main
    managerlib.clean_all_data()
  File "/usr/share/rhsm/subscription_manager/managerlib.py", line 862, in clean_all_data
    os.rename(consumer_dir, consumer_dir_backup)
OSError: [Errno 13] Permission denied