Description of problem:
rhsmcertd fails to update on its scheduled rhsmcertd.certCheckInterval when rhsm.consumerCertDir configuration is changed. I suspected an selinux policy is blocking this, but I do not see any denials in /var/log/audit/audit.log

Version-Release number of selected component (if applicable):
[root@jsefler-7server ~]# rpm -q subscription-manager python-rhsm selinux-policy
subscription-manager-1.10.6-1.git.36.3351fd6.el7.x86_64
python-rhsm-1.10.6-1.git.3.49e9f2d.el7.x86_64
selinux-policy-3.12.1-99.el7.noarch

How reproducible:

Steps to Reproduce:
First, I'll demonstrate this working and then demonstrate the failure...

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/etc/pki/consumer --rhsmcertd.certcheckinterval=1
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: eeb66b27-b810-4f3e-ac54-257df3377182
[root@jsefler-7server ~]# systemctl restart rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:50:06 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:50:06 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:50:06 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:50:06 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:51:07 2013 [INFO] (Cert Check) Certificates updated.
^C
[root@jsefler-7server ~]#

NOTICE "(Cert Check) Certificates updated." INDICATING A SUCCESS.
Now let's test with a non-default consumerCertDir set to the /tmp directory

[root@jsefler-7server ~]# subscription-manager clean
All local data removed
[root@jsefler-7server ~]# subscription-manager config --rhsm.consumercertdir=/tmp/consumer --rhsmcertd.certcheckinterval=1
[root@jsefler-7server ~]# subscription-manager register --username=testuser1 --password=password --org=admin --serverurl=jsefler-f14-candlepin.usersys.redhat.com:8443/candlepin --insecure
The system has been registered with ID: 0e4f7e08-2b1e-4fa2-a87a-7da5f83d5fb8
[root@jsefler-7server ~]# systemctl restart rhsmcertd.service
[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsmcertd.log
Thu Nov 14 11:55:19 2013 [INFO] rhsmcertd is shutting down...
Thu Nov 14 11:55:19 2013 [INFO] Starting rhsmcertd...
Thu Nov 14 11:55:19 2013 [INFO] Auto-attach interval: 1440.0 minute(s) [86400 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Cert check interval: 1.0 minute(s) [60 second(s)]
Thu Nov 14 11:55:19 2013 [INFO] Waiting 120 second(s) [2.0 minute(s)] before running updates.
Thu Nov 14 11:56:19 2013 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
^C
[root@jsefler-7server ~]#

BANG! "(Cert Check) Update failed (255), retry will occur on next run."
I expected that to succeed with "(Cert Check) Certificates updated."

[root@jsefler-7server ~]# tail -f /var/log/rhsm/rhsm.log
2013-11-14 11:56:19,685 [ERROR] rhsmcertd-worker @rhsmcertd-worker:43 - Either the consumer is not registered or the certificates are corrupted. Certificate update using daemon failed.

Additional info:
[root@jsefler-7server ~]# grep -i denied /var/log/audit/audit.log
[root@jsefler-7server ~]#

I see no denials
Could you retest with selinux disabled?
Testing with...

[root@jsefler-7 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.10.11-1.el7.x86_64
selinux-policy-3.12.1-121.el7.noarch

[root@jsefler-7 ~]# setenforce 1
[root@jsefler-7 ~]# getenforce
Enforcing

When Enforcing selinux, rhsmcertd fails as demonstrated in comment 0

[root@jsefler-7 ~]# tail -f /var/log/audit/audit.log | grep denied
type=AVC msg=audit(1391027244.605:118819): avc: denied { open } for pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

[root@jsefler-7 ~]# setenforce 0
[root@jsefler-7 ~]# getenforce
Permissive

When turning off selinux, rhsmcertd succeeds with a non-default rhsm.consumercertdir=/tmp/consumer
I don't know enough about configuring an selinux policy to allow subscription-manager's rhsm.conf to be configured with non-default values and still enforce selinux. This was not a problem on rhel5 and rhel6. Maybe mgrepl has a suggestion on rhel7. Or maybe this is exactly what we expect of selinux and rhel5 and rhel6 were too permissive. NEEDINFO
I'd lean towards this being "working as designed". The in-between step would be to point consumerCertDir to another directory with the same selinux labeling and check if that works. (Say, moving it from /etc/pki/consumer to /etc/pki/consumer2 should preserve the labels.)
Configuring /etc/pki/consumer2 works fine; this is not blocked by selinux on rhel70. I'd also lean toward this being "working as designed". Closing as NOTABUG is acceptable with me.
Yes, this is OK that SELinux complains about that. We don't want to allow it to read random user temp content.
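The triage that comments 5 and 7 walk through by hand, as an added example that is not part of this bug report or of subscription-manager: read consumerCertDir from an rhsm.conf-style file, split an AVC denial into its fields, and reduce contexts to their SELinux type so a configured directory can be compared with the default one. The config file and the AVC line are constructed from the values in the thread; the /etc/pki/consumer comparison is described in a comment because the verifier has no SELinux host.

```shell
#!/bin/sh
# Added example (not from the bug report or subscription-manager): pull the
# consumerCertDir out of an rhsm.conf-style file, break an AVC denial like the one
# in comment 5 into its fields, and reduce SELinux contexts to their type so the
# configured directory can be compared with the default one, as comment 7 suggests.

# Print one key's value from an AVC audit line ($1 = line, $2 = key), quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the type component (user:role:TYPE:level) of an SELinux context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read key from [section] of an ini-style file ($1 file, $2 section, $3 key), case-insensitive
# like "subscription-manager config --section.key".
conf_value() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ ("^[[:space:]]*\\[" tolower(sec) "\\]")); next }
        insec && tolower($0) ~ ("^[[:space:]]*" tolower(key) "[[:space:]]*=") {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); print v; exit
        }' "$1"
}

# One-line triage of a denial: "<source type> denied <perm> on <path> (<target type>)".
triage_avc() {
    perm=$(printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^} ]*\).*/\1/p')
    printf '%s denied %s on %s (%s)\n' \
        "$(selinux_type "$(avc_field "$1" scontext)")" "$perm" \
        "$(avc_field "$1" path)" "$(selinux_type "$(avc_field "$1" tcontext)")"
}

# Constructed sample config (the /tmp setting from comment 0) and the AVC line from comment 5.
CONF="${TMPDIR:-/tmp}/rhsm-example-$$.conf"
printf '[rhsm]\nconsumerCertDir = /tmp/consumer\n' > "$CONF"
AVC='type=AVC msg=audit(1391027244.605:118819): avc: denied { open } for pid=20875 comm="rhsmcertd-worke" path="/tmp/consumer/key.pem" dev="dm-1" ino=9126242 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

certdir=$(conf_value "$CONF" rhsm consumerCertDir)
triage_avc "$AVC"
# On a real host the two contexts would come from "ls -dZ $certdir" and
# "ls -dZ /etc/pki/consumer"; here the denied target context stands in for the first.
if [ "$(selinux_type "$(avc_field "$AVC" tcontext)")" = user_tmp_t ]; then
    echo "$certdir is labelled user_tmp_t; a directory under /etc/pki keeps the default label"
fi
rm -f "$CONF"
```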