Description of problem:
When a consumer has been deleted at the server, the next run of the rhsmcertd should create a backup of the consumer cert in directory /etc/pki/consumer.old but this appears to be blocked by [Errno 13] Permission denied on rhel7.

Version-Release number of selected component (if applicable):
[root@jsefler-7 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 0.8.31-1
subscription-manager: 1.10.5-1.git.14.2e4687f.el7
python-rhsm: 1.10.5-1.git.2.16e72c2.el7
[root@jsefler-7 ~]# rpm -qa | grep selinux
libselinux-python-2.1.13-21.el7.x86_64
libselinux-utils-2.1.13-21.el7.x86_64
libselinux-2.1.13-21.el7.x86_64
selinux-policy-3.12.1-95.el7.noarch
selinux-policy-targeted-3.12.1-95.el7.noarch

How reproducible:

Steps to Reproduce:
[root@jsefler-7 ~]# subscription-manager register --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin
Username: testuser1
Password:
Organization: admin
The system has been registered with ID: d615d82b-fed4-4764-8369-64c6a7bee2cd
[root@jsefler-7 ~]# curl --stderr /dev/null -k -u testuser1:password --request DELETE https://jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin/consumers/d615d82b-fed4-4764-8369-64c6a7bee2cd
[root@jsefler-7 ~]# subscription-manager identity
Unit d615d82b-fed4-4764-8369-64c6a7bee2cd has been deleted

NOW restart rhsmcertd and tail /var/log/rhsm/rhsmcertd.log /var/log/audit/audit.log /var/log/rhsm/rhsm.log as shown below in Additional info.

[root@jsefler-7 ~]# systemctl restart rhsmcertd.service
[root@jsefler-7 ~]#
[root@jsefler-7 ~]# ls -l /etc/pki/consumer/
total 8
-rw-r-----. 1 root root 1306 Nov 4 10:51 cert.pem
-rw-r-----. 1 root root 1679 Nov 4 10:51 key.pem
[root@jsefler-7 ~]# ls -l /etc/pki/consumer.old
ls: cannot access /etc/pki/consumer.old: No such file or directory
[root@jsefler-7 ~]#

Actual results:
above

Expected results:
The /etc/pki/consumer directory should have been backed up to /etc/pki/consumer.old

Additional info:
[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsmcertd.log
Mon Nov 4 10:57:26 2013 [INFO] rhsmcertd is shutting down...
Mon Nov 4 10:57:26 2013 [INFO] Starting rhsmcertd...
Mon Nov 4 10:57:26 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Mon Nov 4 10:57:26 2013 [INFO] Cert check interval: 240.0 minute(s) [14400 second(s)]
Mon Nov 4 10:57:26 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Mon Nov 4 10:59:27 2013 [WARN] (Auto-attach) Update failed (255), retry will occur on next run.
Mon Nov 4 10:59:28 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.

[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1383580767.463:37844): avc: denied { write } for pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1383580768.184:37845): avc: denied { write } for pid=14741 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir

[root@jsefler-7 ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-04 10:59:28,183 [CRITICAL] rhsmcertd-worker @rhsmcertd-worker:61 - This consumer's profile has been deleted from the server. Its local certificates will now be archived
2013-11-04 10:59:28,187 [ERROR] rhsmcertd-worker @rhsmcertd-worker:88 - Error while updating certificates using daemon
2013-11-04 10:59:28,188 [ERROR] rhsmcertd-worker @rhsmcertd-worker:90 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/libexec/rhsmcertd-worker", line 79, in <module>
    main(options, log)
  File "/usr/libexec/rhsmcertd-worker", line 62, in main
    managerlib.clean_all_data()
  File "/usr/share/rhsm/subscription_manager/managerlib.py", line 862, in clean_all_data
    os.rename(consumer_dir, consumer_dir_backup)
OSError: [Errno 13] Permission denied
[root@jsefler-7 ~]# ausearch -m avc -c rhsmcertd-worke
time->Mon Nov 4 10:59:27 2013
type=SYSCALL msg=audit(1383580767.463:37844): arch=c000003e syscall=82 success=no exit=-13 a0=1b4e830 a1=1b4f2b0 a2=32a31bbf88 a3=0 items=0 ppid=14711 pid=14738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1383580767.463:37844): avc: denied { write } for pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
----
time->Mon Nov 4 10:59:28 2013
type=SYSCALL msg=audit(1383580768.184:37845): arch=c000003e syscall=82 success=no exit=-13 a0=27588b0 a1=2759330 a2=32a31bbf88 a3=0 items=0 ppid=14711 pid=14741 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1383580768.184:37845): avc: denied { write } for pid=14741 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
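
Added example, not part of the original report or of subscription-manager's code: a Python sketch that pairs SYSCALL and AVC records by audit event serial, which ties the os.rename() failure in the traceback to the SELinux denial (syscall 82 on x86_64 is rename, exit -13 is EACCES). The sample input is one event copied from the ausearch output above; the syscall and errno tables are assumptions that cover only this case.

```python
import re

# One audit event (two records) copied from the ausearch output in the report.
SAMPLE = '''type=SYSCALL msg=audit(1383580767.463:37844): arch=c000003e syscall=82 success=no exit=-13 a0=1b4e830 a1=1b4f2b0 a2=32a31bbf88 a3=0 items=0 ppid=14711 pid=14738 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1383580767.463:37844): avc: denied { write } for pid=14738 comm="rhsmcertd-worke" name="pki" dev="dm-1" ino=16818316 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: minimal lookup tables, x86_64 only (arch=c000003e).
X86_64_SYSCALLS = {82: "rename"}
ERRNO = {13: "EACCES"}

def fields(body):
    """Parse key=value pairs from a record body, unquoting quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def summarize_denials(text):
    """Group records by event serial; emit one summary per AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            events.setdefault(int(serial), {}).setdefault(rtype, []).append(body)
    out = []
    for serial, recs in sorted(events.items()):
        sc = fields(recs["SYSCALL"][0]) if "SYSCALL" in recs else {}
        nr, rc = sc.get("syscall"), int(sc.get("exit", 0))
        for body in recs.get("AVC", []):
            avc, perms = fields(body), PERMS.search(body)
            out.append({
                "serial": serial, "comm": avc.get("comm"), "name": avc.get("name"),
                "syscall": X86_64_SYSCALLS.get(int(nr), nr) if nr else None,
                "errno": ERRNO.get(-rc, str(rc)) if rc < 0 else None,
                "perms": perms.group(1).split() if perms else [],
                "source_type": setype(avc.get("scontext", "")),
                "target_type": setype(avc.get("tcontext", "")),
                "tclass": avc.get("tclass"),
            })
    return out

if __name__ == "__main__":
    for denial in summarize_denials(SAMPLE):
        print(denial)
```
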
*** This bug has been marked as a duplicate of bug 822402 ***