Bug 1030560 - rhsmcertd fails to update when rhsm.consumerCertDir configuration is changed
Summary: rhsmcertd fails to update when rhsm.consumerCertDir configuration is changed
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: candlepin-bugs
QA Contact: John Sefler
URL:
Whiteboard:
Depends On:
Blocks: rhsm-rhel70
Reported: 2013-11-14 17:03 UTC by John Sefler
Modified: 2014-01-31 11:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-31 11:22:31 UTC
Target Upstream Version:
Embargoed:



Description John Sefler 2013-11-14 17:03:57 UTC
Description of problem:
rhsmcertd fails to update on its scheduled rhsmcertd.certCheckInterval when rhsm.consumerCertDir configuration is changed.  I suspected an selinux policy is blocking this, but I do not see any denials in /var/log/audit/auto.log

Version-Release number of selected component (if applicable):
[root@jsefler-7server ~]# rpm -q subscription-manager python-rhsm selinux-policy
subscription-manager-1.10.6-1.git.36.3351fd6.el7.x86_64
python-rhsm-1.10.6-1.git.3.49e9f2d.el7.x86_64
selinux-policy-3.12.1-99.el7.noarch


How reproducible:


Steps to Reproduce:
First, I'll demonstrate this working and then demonstrate the failure...

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/etc/pki/consumer --rhsmcertd.certcheckinterval=1 
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: eeb66b27-b810-4f3e-ac54-257df3377182 
[root@jsefler-7server ~]# systemctl restart  rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:50:06 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:50:06 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:50:06 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:51:07 2013 [INFO] (Cert Check) Certificates updated.
^C
[root@jsefler-7server ~]# 

NOTICE "(Cert Check) Certificates updated." INDICATING A SUCCESS.
Now let's test with a non-default consumerCertDir set to the /tmp directory

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/tmp/consumer --rhsmcertd.certcheckinterval=1
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: 0e4f7e08-2b1e-4fa2-a87a-7da5f83d5fb8 
[root@jsefler-7server ~]# systemctl restart  rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:55:19 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:55:19 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:55:19 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:56:19 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
^C
[root@jsefler-7server ~]# 

BANG! "(Cert Check) Update failed (255), retry will occur on next run."
I expected that to succeed with "(Cert Check) Certificates updated."

[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-14 11:56:19,685 [ERROR] rhsmcertd-worker @rhsmcertd-worker:43 - Either the consumer is not registered or the certificates are corrupted. Certificate update using daemon failed.



Additional info:
[root@jsefler-7server ~]# grep -i denied /var/log/audit/audit.log
[root@jsefler-7server ~]# 
I see no denials ^

Comment 2 Carter Kozak 2014-01-22 15:44:56 UTC
Could you retest with selinux disabled?

Comment 3 John Sefler 2014-01-29 20:29:27 UTC
Testing with...
[root@jsefler-7 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.10.11-1.el7.x86_64
selinux-policy-3.12.1-121.el7.noarch

[root@jsefler-7 ~]# setenforce 1
[root@jsefler-7 ~]# getenforce 
Enforcing

When Enforcing selinux, rhsmcertd fails as demonstrated in comment 0

[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1391027244.605:118819): avc:  denied  { open } for  pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

[root@jsefler-7 ~]# setenforce 0
[root@jsefler-7 ~]# getenforce 
Permissive

When turning off selinux, rhsmcertd succeeds with a non-default rhsm.consumercertdir=/tmp/consumer

Comment 4 John Sefler 2014-01-29 20:36:28 UTC
I don't know enough about configuring an selinux policy to allow subscription-manager's rhsm.conf to be configured with non-default values and still enforce selinux.  This was not a problem on rhel5 and rhel6.

Maybe mgrepl has a suggestion on rhel7.

Or maybe this is exactly what we expect of selinux and rhel5 and rhel6 were too permissive.

NEEDINFO

Comment 5 Adrian Likins 2014-01-30 20:00:42 UTC
I'd lean towards this being "working as designed". 

The in-between step would be to point consumerCertDir to another directory with the same selinux labeling and check whether that works. (Say, moving it from /etc/pki/consumer to /etc/pki/consumer2 should preserve the labels.)

Comment 6 John Sefler 2014-01-30 21:17:45 UTC
Configuring /etc/pki/consumer2 works fine; this is not blocked by selinux on rhel70.

I'd also lean toward this being "working as designed".

Closing as NOTABUG is acceptable with me.

Comment 7 Miroslav Grepl 2014-01-31 11:22:31 UTC
Yes, it is OK that SELinux complains about that. We don't want to allow reading of random user temp content.
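An added example, not from the bug report or from subscription-manager: a small POSIX sh helper that decodes an AVC line like the one in comment 3 (source domain, target type, path) and applies the conclusion of comments 5 through 7: a consumerCertDir under /tmp should be moved, any other location should be given the same labels as /etc/pki/consumer. The `semanage fcontext -a -e` / `restorecon -Rv` command forms and the sample lines are the editor's assumptions.

```shell
#!/bin/sh
# Added example (not part of the bug report): triage an rhsmcertd AVC denial.
# Pure POSIX sh so the parsing runs anywhere; only the printed commands need a RHEL host.

# Constructed sample, in the shape of the audit line quoted in comment 3.
SAMPLE='type=AVC msg=audit(1391027244.605:118819): avc:  denied  { open } for  pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# avc_field LINE KEY -> value of " KEY=..." in LINE with quotes stripped; empty if absent
avc_field() {
    case $1 in *" $2="*) ;; *) return 0 ;; esac
    v=${1##*" $2="}          # drop everything up to and including " KEY="
    v=${v%% *}               # keep up to the next blank
    v=${v#\"}; v=${v%\"}     # strip surrounding quotes, if any
    printf '%s\n' "$v"
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_verdict LINE -> one line of advice for a denial whose source domain is rhsmcertd_t
avc_verdict() {
    line=$1
    case $line in *"avc:"*"denied"*) ;; *) echo "not an AVC denial"; return 0 ;; esac
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    path=$(avc_field "$line" path)
    dir=${path%/*}           # the configured consumerCertDir is the parent of key.pem/cert.pem
    [ "$stype" = rhsmcertd_t ] || { echo "not rhsmcertd: $stype"; return 0; }
    case $ttype in
    user_tmp_t|tmp_t)
        # Comment 7: the daemon must not read user temp content, so do not relabel /tmp;
        # keep the certificates somewhere persistent (comment 6 used /etc/pki/consumer2).
        echo "consumerCertDir=$dir is $ttype; move it out of /tmp"
        ;;
    *)
        # Any other directory: give it the labels of the default location through an
        # fcontext equivalence rule, then apply them (assumed command forms).
        echo "semanage fcontext -a -e /etc/pki/consumer $dir && restorecon -Rv $dir"
        ;;
    esac
}
```

On a live host, feed it the denial lines: `grep denied /var/log/audit/audit.log | while read -r l; do avc_verdict "$l"; done`.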