1207167 – sync from sat6 server to capsule doesn't work and can see qpidd related avc denials on capsule

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1207167 - sync from sat6 server to capsule doesn't work and can see qpidd related avc denials on capsule

Summary: sync from sat6 server to capsule doesn't work and can see qpidd related avc d...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Foreman Proxy
Sub Component:
Version:	6.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	Unspecified
Assignee:	Katello Bug Bin
QA Contact:	Sachin Ghai
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-03-30 11:26 UTC by Sachin Ghai
Modified:	2019-04-01 20:26 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-12 14:01:40 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Sachin Ghai 2015-03-30 11:26:10 UTC

Description of problem:
I configured a external capsule with sat6 and was trying sync. But looks like sync doesn't work. Also I'm getting following errors on capsule under /var/log/messages:

--

Mar 30 16:41:18 dhcp207-72 goferd: [ERROR][worker-0] gofer.messaging.adapter.proton.connection:106 - connect: proton+amqps://dhcp201-113.englab.pnq.redhat.com:5647, failed: Connection amqps://dhcp201-113.englab.pnq.redhat.com:5647 disconnected
Mar 30 16:41:18 dhcp207-72 goferd: [INFO][worker-0] gofer.messaging.adapter.proton.connection:108 - retry in 106 seconds
--

avc: denied messages under audit.log  -- This is from capsule node
===================================


type=AVC msg=audit(1427704851.539:2975): avc:  denied  { read } for pid=9191 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=2885391 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1427704852.146:2978): avc:  denied  { read } for pid=9206 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=2885391 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1427704852.367:2981): avc:  denied  { read } for pid=9228 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=2885391 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1427707809.443:3174): avc:  denied  { read } for pid=13745 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=2885391 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1427707809.650:3177): avc:  denied  { read } for pid=13767 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=2885391 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file

Version-Release number of selected component (if applicable):
sat6.1 beta snap8

on capsule following qpid related packages are installed.

[root@dhcpxxx yum.repos.d]# rpm -qa | grep qpid
qpid-qmf-0.30-5.el6.x86_64
libqpid-dispatch-0.4-2.20150223.el6.x86_64
dhcp207-72.lab.eng.pnq.redhat.com-qpid-router-client-1.0-1.noarch
python-qpid-0.30-6.el6.noarch
qpid-proton-c-0.9-1.20150223.el6.x86_64
qpid-cpp-server-0.30-7.proton.0.9.el6.x86_64
python-gofer-qpid-2.6.1-1.el6_6sat.noarch
python-qpid-proton-0.9-1.20150223.el6.x86_64
qpid-dispatch-router-0.4-2.20150223.el6.x86_64
dhcp207-72.lab.eng.pnq.redhat.com-qpid-router-server-1.0-1.noarch
dhcp207-72.lab.eng.pnq.redhat.com-qpid-broker-1.0-1.noarch
qpid-cpp-client-0.30-7.proton.0.9.el6.x86_64
qpid-tools-0.30-4.el6.noarch
dhcp207-72.lab.eng.pnq.redhat.com-qpid-client-cert-1.0-1.noarch
python-qpid-qmf-0.30-5.el6.x86_64
qpid-cpp-server-linearstore-0.30-7.proton.0.9.el6.x86_64


How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:
qpidd related avc denials on external capsule. sync from sat6 server to capsule doesn't work

Expected results:
no avc denials and sync should work.

Additional info:

Comment 3 Og Maciel 2015-03-30 13:19:26 UTC

I have a RHEL 6.6 capsule configured with Puppet, Puppet CA, Discovery and Pulp features and talking to a RHEL 7.1 Satellite system and, though I see the denied selinux messages, I had no issues synchronizing or serving content off the capsule:

# grep denied -ni /var/log/audit/audit.log
7456:type=AVC msg=audit(1427399809.888:7444): avc:  denied  { read } for  pid=16083 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=3147870 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
7460:type=AVC msg=audit(1427399810.604:7447): avc:  denied  { read } for  pid=16096 comm="restorecon" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=3147870 scontext=unconfined_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file
7464:type=AVC msg=audit(1427399810.773:7450): avc:  denied  { read } for  pid=16118 comm="qpidd" path="/etc/rc.d/init.d/qpidd" dev=dm-0 ino=3147870 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=system_u:object_r:qpidd_initrc_exec_t:s0 tclass=file

Comment 4 Sachin Ghai 2015-03-31 07:59:49 UTC

On Satellite server, I was getting following errors in /var/log/messages:

]# tail -f /var/log/messages
Mar 31 11:44:24 dhcp201-113 qdrouterd: Tue Mar 31 11:44:24 2015 SERVER (error) SSL credentials failed on connection from ::90c2:9b3c:be7f:0%677555712:51759 to 0.0.0.0:5646
Mar 31 11:44:26 dhcp201-113 qdrouterd: Tue Mar 31 11:44:26 2015 SERVER (error) SSL credentials failed on connection from ::90f2:1b3e:be7f:0%677555712:42594 to 0.0.0.0:5647
Mar 31 11:44:29 dhcp201-113 qdrouterd: Tue Mar 31 11:44:29 2015 SERVER (error) SSL credentials failed on connection from ::90f2:1b3e:be7f:0%677555712:51761 to 0.0.0.0:5646
Mar 31 11:44:34 dhcp201-113 qdrouterd: Tue Mar 31 11:44:34 2015 SERVER (error) SSL credentials failed on connection from ::9002:9c3e:be7f:0%677555712:51762 to 0.0.0.0:5646
Mar 31 11:44:39 dhcp201-113 qdrouterd: Tue Mar 31 11:44:39 2015 SERVER (error) SSL credentials failed on connection from ::90f2:1b3e:be7f:0%677555712:51763 to 0.0.0.0:5646


I just restarted the  qdrouterd (Qpid Dispatch router) on sat6 server and sync started again..

Comment 5 Corey Welton 2015-03-31 13:28:28 UTC

I think the above is three different issues.

* selinux issues possibly one bug
* SSL/qrouterd a different bz
* gofer.messaging.adapter.proton.connection a third (reported at https://bugzilla.redhat.com/show_bug.cgi?id=1205893)

I should note that for last of these, restarting qpidd on sat/cap and possibly goferd on capsule did not resolve anything...

Comment 6 Mike McCune 2015-04-06 19:26:01 UTC

Can we re-test this with SNAP10/RC4 to see if we are still getting similar errors and narrow this bug down to a more specific case?

Spoke to Og on IRC, he gave me a +1

Comment 7 Sachin Ghai 2015-04-07 13:24:13 UTC

Ok, Moving this to verified as capsule sync is working fine for me with snap9 rc4(Satellite-6.1.0-RHEL-6-20150406.0). 

However I'm still getting avc denials related to qpid (as in comment 4) on rhel6 capsule. I'll file another bz for avc denials issue.

Comment 8 Sachin Ghai 2015-04-07 13:38:29 UTC

Filed bz: https://bugzilla.redhat.com/show_bug.cgi?id=1209495 ( for avc denials)

Comment 9 Bryan Kearney 2015-08-11 13:27:24 UTC

This bug is slated to be released with Satellite 6.1.

Comment 10 Bryan Kearney 2015-08-12 14:01:40 UTC

This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Note You need to log in before you can comment on or make changes to this bug.