Bug 1030560 - rhsmcertd fails to update when rhsm.consumerCertDir configuration is changed
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: subscription-manager
Version: 7.0
Target Milestone: rc
Assigned To: candlepin-bugs
QA Contact: John Sefler
Keywords: Regression
Blocks: rhsm-rhel70
Reported: 2013-11-14 12:03 EST by John Sefler
Modified: 2014-01-31 06:22 EST

Doc Type: Bug Fix
Last Closed: 2014-01-31 06:22:31 EST
Type: Bug
Description John Sefler 2013-11-14 12:03:57 EST
Description of problem:
rhsmcertd fails to update on its scheduled rhsmcertd.certCheckInterval when rhsm.consumerCertDir configuration is changed.  I suspected an selinux policy is blocking this, but I do not see any denials in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
[root@jsefler-7server ~]# rpm -q subscription-manager python-rhsm selinux-policy
subscription-manager-1.10.6-1.git.36.3351fd6.el7.x86_64
python-rhsm-1.10.6-1.git.3.49e9f2d.el7.x86_64
selinux-policy-3.12.1-99.el7.noarch


How reproducible:


Steps to Reproduce:
First, I'll demonstrate this working and then demonstrate the failure...

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/etc/pki/consumer --rhsmcertd.certcheckinterval=1 
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: eeb66b27-b810-4f3e-ac54-257df3377182 
[root@jsefler-7server ~]# systemctl restart  rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:50:06 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:50:06 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:50:06 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:51:07 2013 [INFO] (Cert Check) Certificates updated.
^C
[root@jsefler-7server ~]# 

NOTICE "(Cert Check) Certificates updated." INDICATING A SUCCESS.
Now let's test with a non-default consumerCertDir set to the /tmp directory

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/tmp/consumer --rhsmcertd.certcheckinterval=1
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: 0e4f7e08-2b1e-4fa2-a87a-7da5f83d5fb8 
[root@jsefler-7server ~]# systemctl restart  rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:55:19 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:55:19 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:55:19 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:56:19 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
^C
[root@jsefler-7server ~]# 

BANG! "(Cert Check) Update failed (255), retry will occur on next run."
I expected that to succeed with "(Cert Check) Certificates updated."

[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-14 11:56:19,685 [ERROR] rhsmcertd-worker @rhsmcertd-worker:43 - Either the consumer is not registered or the certificates are corrupted. Certificate update using daemon failed.

Additional info:
[root@jsefler-7server ~]# grep -i denied /var/log/audit/audit.log
[root@jsefler-7server ~]# 
I see no denials ^
Comment 2 Carter Kozak 2014-01-22 10:44:56 EST
Could you retest with selinux disabled?
Comment 3 John Sefler 2014-01-29 15:29:27 EST
Testing with...
[root@jsefler-7 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.10.11-1.el7.x86_64
selinux-policy-3.12.1-121.el7.noarch

[root@jsefler-7 ~]# setenforce 1
[root@jsefler-7 ~]# getenforce 
Enforcing

When Enforcing selinux, rhsmcertd fails as demonstrated in comment 0

[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1391027244.605:118819): avc:  denied  { open } for  pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

[root@jsefler-7 ~]# setenforce 0
[root@jsefler-7 ~]# getenforce 
Permissive

When turning off selinux, rhsmcertd succeeds with a non-default rhsm.consumercertdir=/tmp/consumer
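The AVC record in this comment is the evidence that settles the question: the worker runs in the rhsmcertd_t domain, and a key file created under /tmp carries the user_tmp_t label, which that domain is not allowed to open. The following is an added example, not part of the bug report or of subscription-manager: it parses audit.log AVC records and flags denials where the daemon domain reached a file outside an expected set of labels. The second denial line and the expected-label set {"cert_t"} are constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed audit.log excerpt: the AVC denial quoted in comment 3, a second
# (invented) denial for the cert file, and a SYSCALL record the parser must skip.
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1391027244.605:118819): avc:  denied  { open } for  pid=20875 '
    'comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file\n'
    'type=AVC msg=audit(1391027244.605:118820): avc:  denied  { read } for  pid=20875 '
    'comm="rhsmcertd-worke" path="/tmp/consumer/cert.pem" dev="dm-1" ino=9126243 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1391027244.605:118819): arch=c000003e syscall=2 success=no exit=-13\n'
)

# An AVC record is: header, the denied permissions in braces, then key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be double-quoted


def parse_avc(line: str) -> Optional[Dict[str, str]]:
    """Parse one audit record into a dict; None for anything that is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = " ".join(sorted(m.group("perms").split()))
    # A context is user:role:type:level; allow rules key on the type field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def find_mislabeled_access(log_text: str, domain: str, expected_types: Set[str]) -> List[Dict[str, str]]:
    """Denials where `domain` touched a file whose label is not one it is meant to read."""
    recs = (parse_avc(ln) for ln in log_text.splitlines())
    return [r for r in recs if r and r["source_type"] == domain and r["target_type"] not in expected_types]


def summarize_denials(log_text: str) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denials by (source type, target type, class) and union the denied permissions."""
    summary: Dict[Tuple[str, str, str], Set[str]] = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            summary.setdefault(key, set()).update(rec["perms"].split())
    return summary
```

A summary entry of ("rhsmcertd_t", "user_tmp_t", "file") with permissions {open, read} is exactly the pattern that points at the directory choice, rather than the daemon, as the thing to change.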
Comment 4 John Sefler 2014-01-29 15:36:28 EST
I don't know enough about configuring an selinux policy to allow subscription-manager's rhsm.conf to be configured with non-default values and still enforce selinux.  This was not a problem on rhel5 and rhel6.

Maybe mgrepl@redhat.com has a suggestion on rhel7.

Or maybe this is exactly what we expect of selinux and rhel5 and rhel6 were too permissive.

NEEDINFO
Comment 5 Adrian Likins 2014-01-30 15:00:42 EST
I'd lean towards this being "working as designed". 

The in-between step would be to point consumerCertDir to another directory with the same selinux labeling and check if that works. (Say, moving it from /etc/pki/consumer to /etc/pki/consumer2 should preserve the labels.)
Comment 6 John Sefler 2014-01-30 16:17:45 EST
Configuring /etc/pki/consumer2 works fine; this is not blocked by selinux on rhel70.

I'd also lean toward this being "working as designed".

Closing as NOTABUG is acceptable with me.
Comment 7 Miroslav Grepl 2014-01-31 06:22:31 EST
Yes, it is OK that SELinux complains about that. We don't want to allow reading random user temp content.
