Bug 1329475 - Selinux denials while starting rhsmcertd service
Summary: Selinux denials while starting rhsmcertd service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
medium
high
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Stefan Kremen
URL:
Whiteboard:
Depends On:
Blocks: 1331457
Reported: 2016-04-22 03:21 UTC by Shwetha Kallesh
Modified: 2016-11-04 02:26 UTC

Fixed In Version: selinux-policy-3.13.1-89.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1331457 (view as bug list)
Environment:
Last Closed: 2016-11-04 02:26:58 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2283 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2016-11-03 13:36:25 UTC

Description Shwetha Kallesh 2016-04-22 03:21:29 UTC
Description of problem:
SELinux denials are observed while starting the rhsmcertd service, hence certs are not automatically updated.

Version-Release number of selected component (if applicable):
[root@dhcp35-180 ~]# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-60.el7_2.3.noarch
selinux-policy-targeted-3.13.1-60.el7_2.3.noarch

[root@dhcp35-180 ~]# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.0.10-1
subscription management rules: 5.20
subscription-manager: 1.15.9-15.el7
python-rhsm: 1.15.4-5.el7
[root@dhcp35-180 ~]# 



How reproducible:


Steps to Reproduce:
[root@dhcp35-180 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@dhcp35-180 ~]# setenforce 1
[root@dhcp35-180 ~]# restorecon -Rv /etc /run /var
 
restorecon reset /etc/grub.d/00_tuned context system_u:object_r:usr_t:s0->system_u:object_r:etc_t:s0
restorecon reset /run/user/1000/keyring context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:gkeyringd_tmp_t:s0
restorecon reset /run/user/1000/keyring/ssh context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:gkeyringd_tmp_t:s0
restorecon reset /run/user/1000/keyring/pkcs11 context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:gkeyringd_tmp_t:s0
restorecon reset /run/user/1000/keyring/gpg context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:gkeyringd_tmp_t:s0
restorecon reset /run/user/1000/keyring/control context unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:gkeyringd_tmp_t:s0
restorecon:  Warning no default label for /run/lvmetad.pid
restorecon:  Warning no default label for /run/lock/subsys
restorecon:  Warning no default label for /run/lock/subsys/rhnsd
restorecon:  Warning no default label for /run/lock/subsys/network
restorecon:  Warning no default label for /run/initramfs
restorecon:  Warning no default label for /run/initramfs/rwtab
restorecon:  Warning no default label for /run/initramfs/state
restorecon:  Warning no default label for /run/initramfs/state/var
restorecon:  Warning no default label for /run/initramfs/state/var/lib
restorecon:  Warning no default label for /run/initramfs/state/var/lib/dhclient
restorecon:  Warning no default label for /run/initramfs/state/etc
restorecon:  Warning no default label for /run/initramfs/state/etc/sysconfig
restorecon:  Warning no default label for /run/initramfs/state/etc/sysconfig/network-scripts
restorecon:  Warning no default label for /run/initramfs/.need_shutdown
restorecon:  Warning no default label for /run/initramfs/log
restorecon reset /var/log/Xorg.9.log.old context system_u:object_r:var_log_t:s0->system_u:object_r:xserver_log_t:s0
restorecon reset /var/log/Xorg.9.log context system_u:object_r:var_log_t:s0->system_u:object_r:xserver_log_t:s0
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-rtkit-daemon.service-QMfsH6
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-rtkit-daemon.service-QMfsH6/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-spice-vdagentd.service-pw4hGA
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-spice-vdagentd.service-pw4hGA/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-cups.service-UJJq5H
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-cups.service-UJJq5H/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-colord.service-CdxxzH
restorecon:  Warning no default label for /var/tmp/systemd-private-dd81f27b3c1c4d7ba3e31f118a0fc920-colord.service-CdxxzH/tmp
[root@dhcp35-180 ~]#
[root@dhcp35-180 ~]# START_DATE_TIME=`date "+%m/%d/%Y %T"`
 
[root@dhcp35-180 ~]# service rhsmcertd restart
Redirecting to /bin/systemctl restart  rhsmcertd.service
[root@dhcp35-180 ~]# sleep 120
 
[root@dhcp35-180 ~]# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
----
type=SYSCALL msg=audit(04/21/2016 19:12:42.277:742) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7fff8c911470 a2=0x10 a3=0x79 items=0 ppid=7715 pid=7753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/21/2016 19:12:42.277:742) : avc:  denied  { name_connect } for  pid=7753 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(04/21/2016 19:12:42.286:743) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7fff8c911230 a2=0x10 a3=0x79 items=0 ppid=7715 pid=7753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/21/2016 19:12:42.286:743) : avc:  denied  { name_connect } for  pid=7753 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(04/21/2016 19:12:42.539:744) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffd2ef92590 a2=0x10 a3=0x79 items=0 ppid=7715 pid=7756 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/21/2016 19:12:42.539:744) : avc:  denied  { name_connect } for  pid=7756 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(04/21/2016 19:12:42.543:745) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffd2ef924f0 a2=0x10 a3=0x79 items=0 ppid=7715 pid=7756 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/21/2016 19:12:42.543:745) : avc:  denied  { name_connect } for  pid=7756 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
----
type=SYSCALL msg=audit(04/21/2016 19:12:42.553:746) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffd2ef91d90 a2=0x10 a3=0x79 items=0 ppid=7715 pid=7756 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsmcertd-worke exe=/usr/bin/python2.7 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(04/21/2016 19:12:42.553:746) : avc:  denied  { name_connect } for  pid=7756 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
[root@dhcp35-180 ~]#

[root@dhcp35-180 ~]# ps -efZ | grep unconfined_service_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16672 16563  0 08:47 pts/0 00:00:00 grep --color=auto unconfined_service_t

[root@dhcp35-180 ~]# ps -efZ | grep rhsmd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16644 16563  0 08:45 pts/0 00:00:00 grep --color=auto rhsmd


Actual results:


Expected results:


Additional info:

[root@dhcp35-180 ~]# tail -f /var/log/rhsm/rhsm.log
2016-04-21 19:12:44,213 [DEBUG] rhsmcertd-worker:7756 @hwprobe.py:776 - virt-what stdout: kvm
 
2016-04-21 19:12:44,213 [DEBUG] rhsmcertd-worker:7756 @hwprobe.py:777 - virt-what stderr:
2016-04-21 19:12:44,219 [INFO] rhsmcertd-worker:7756 @hwprobe.py:854 - collected virt facts: virt.is_guest=True, virt.host_type=kvm, virt.uuid=e30c6f0f-5e35-4513-99c8-03260090e0f1
2016-04-21 19:12:44,219 [DEBUG] rhsmcertd-worker:7756 @factlib.py:105 - Facts have not changed, skipping upload.
2016-04-21 19:12:44,220 [DEBUG] rhsmcertd-worker:7756 @base_action_client.py:85 - running lib: <subscription_manager.packageprofilelib.PackageProfileActionInvoker object at 0x18d85d0>
2016-04-21 19:12:44,220 [INFO] rhsmcertd-worker:7756 @cache.py:382 - Server does not support packages, skipping profile upload.
2016-04-21 19:12:44,220 [DEBUG] rhsmcertd-worker:7756 @base_action_client.py:85 - running lib: <subscription_manager.installedproductslib.InstalledProductsActionInvoker object at 0x18d8f10>
2016-04-21 19:12:44,220 [DEBUG] rhsmcertd-worker:7756 @cache.py:138 - Checking current system info against cache: /var/lib/rhsm/cache/installed_products.json
2016-04-21 19:12:44,221 [DEBUG] rhsmcertd-worker:7756 @cache.py:155 - No changes.
2016-04-21 19:17:01,684 [DEBUG] rhsmcertd-worker:7887 @base_action_client.py:85 - running lib: <subscription_manager.installedproductslib.InstalledProductsActionInvoker object at 0x2505590>
2016-04-21 19:17:01,685 [INFO] rhsmcertd-worker:7887 @connection.py:778 - Connection built: http_proxy=auto-services.usersys.redhat.com:3129 host=10.70.35.236 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ verify=False
2016-04-21 19:17:01,686 [DEBUG] rhsmcertd-worker:7887 @identity.py:131 - Loading consumer info from identity certificates.
2016-04-21 19:17:01,686 [DEBUG] rhsmcertd-worker:7887 @cache.py:138 - Checking current system info against cache: /var/lib/rhsm/cache/installed_products.json
2016-04-21 19:17:01,687 [DEBUG] rhsmcertd-worker:7887 @cache.py:155 - No changes.
2016-04-21 19:17:01,687 [DEBUG] rhsmcertd-worker:7887 @base_action_client.py:85 - running lib: <subscription_manager.healinglib.HealingActionInvoker object at 0x2505dd0>
2016-04-21 19:17:01,687 [DEBUG] rhsmcertd-worker:7887 @plugins.py:569 - loaded plugin modules: []
2016-04-21 19:17:01,687 [DEBUG] rhsmcertd-worker:7887 @plugins.py:570 - loaded plugins: {}
2016-04-21 19:17:01,688 [DEBUG] rhsmcertd-worker:7887 @connection.py:475 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-ca.pem
2016-04-21 19:17:01,688 [DEBUG] rhsmcertd-worker:7887 @connection.py:508 - Using proxy: auto-services.usersys.redhat.com:3129
2016-04-21 19:17:01,689 [DEBUG] rhsmcertd-worker:7887 @connection.py:523 - Making request: GET https://10.70.35.236:8443/candlepin/consumers/8a41c9da-4c79-436b-96a4-d5e1ae884eb9
2016-04-21 19:17:02,060 [WARNING] rhsmcertd-worker:7887 @base_action_client.py:72 - Exception caught while running <subscription_manager.healinglib.HealingActionInvoker object at 0x2505dd0> update
2016-04-21 19:17:02,060 [ERROR] rhsmcertd-worker:7887 @base_action_client.py:73 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/base_action_client.py", line 63, in _run_update
    update_report = lib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 31, in update
    self.report = self.locker.run(self._do_update)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 17, in run
    return action()
  File "/usr/share/rhsm/subscription_manager/healinglib.py", line 41, in _do_update
    return action.perform()
  File "/usr/share/rhsm/subscription_manager/healinglib.py", line 75, in perform
    consumer = self.uep.getConsumer(uuid)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1001, in getConsumer
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 644, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 537, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 979, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 241, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 195, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 778, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 13] Permission denied
2016-04-21 19:17:02,062 [DEBUG] rhsmcertd-worker:7887 @base_action_client.py:85 - running lib: <subscription_manager.entcertlib.EntCertActionInvoker object at 0x24c63d0>
2016-04-21 19:17:02,062 [DEBUG] rhsmcertd-worker:7887 @connection.py:475 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-ca.pem
2016-04-21 19:17:02,063 [DEBUG] rhsmcertd-worker:7887 @connection.py:508 - Using proxy: auto-services.usersys.redhat.com:3129
2016-04-21 19:17:02,063 [DEBUG] rhsmcertd-worker:7887 @connection.py:523 - Making request: GET https://10.70.35.236:8443/candlepin/consumers/8a41c9da-4c79-436b-96a4-d5e1ae884eb9/certificates/serials
2016-04-21 19:17:02,067 [ERROR] rhsmcertd-worker:7887 @entcertlib.py:121 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 119, in perform
    expected = self._get_expected_serials()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 254, in _get_expected_serials
    exp = self.get_certificate_serials_list()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 234, in get_certificate_serials_list
    reply = self.uep.getCertificateSerials(identity.uuid)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1097, in getCertificateSerials
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 644, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 537, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 979, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 241, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 195, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 778, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 13] Permission denied
2016-04-21 19:17:02,067 [ERROR] rhsmcertd-worker:7887 @entcertlib.py:122 - Cannot modify subscriptions while disconnected
2016-04-21 19:17:02,068 [WARNING] rhsmcertd-worker:7887 @base_action_client.py:72 - Exception caught while running <subscription_manager.entcertlib.EntCertActionInvoker object at 0x24c63d0> update
2016-04-21 19:17:02,068 [ERROR] rhsmcertd-worker:7887 @base_action_client.py:73 -
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/base_action_client.py", line 63, in _run_update
    update_report = lib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 31, in update
    self.report = self.locker.run(self._do_update)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 17, in run
    return action()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 43, in _do_update
    return action.perform()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 123, in perform
    raise Disconnected()
Disconnected
2016-04-21 19:17:02,315 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.entcertlib.EntCertActionInvoker object at 0x10c43d0>
2016-04-21 19:17:02,315 [INFO] rhsmcertd-worker:7890 @connection.py:778 - Connection built: http_proxy=auto-services.usersys.redhat.com:3129 host=10.70.35.236 port=8443 handler=/candlepin auth=identity_cert ca_dir=/etc/rhsm/ca/ verify=False
2016-04-21 19:17:02,315 [DEBUG] rhsmcertd-worker:7890 @identity.py:131 - Loading consumer info from identity certificates.
2016-04-21 19:17:02,316 [DEBUG] rhsmcertd-worker:7890 @connection.py:475 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-ca.pem
2016-04-21 19:17:02,317 [DEBUG] rhsmcertd-worker:7890 @connection.py:508 - Using proxy: auto-services.usersys.redhat.com:3129
2016-04-21 19:17:02,317 [DEBUG] rhsmcertd-worker:7890 @connection.py:523 - Making request: GET https://10.70.35.236:8443/candlepin/consumers/8a41c9da-4c79-436b-96a4-d5e1ae884eb9/certificates/serials
2016-04-21 19:17:02,320 [ERROR] rhsmcertd-worker:7890 @entcertlib.py:121 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 119, in perform
    expected = self._get_expected_serials()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 254, in _get_expected_serials
    exp = self.get_certificate_serials_list()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 234, in get_certificate_serials_list
    reply = self.uep.getCertificateSerials(identity.uuid)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1097, in getCertificateSerials
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 644, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 537, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 979, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 241, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 195, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 778, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 13] Permission denied
2016-04-21 19:17:02,321 [ERROR] rhsmcertd-worker:7890 @entcertlib.py:122 - Cannot modify subscriptions while disconnected
2016-04-21 19:17:02,322 [WARNING] rhsmcertd-worker:7890 @base_action_client.py:72 - Exception caught while running <subscription_manager.entcertlib.EntCertActionInvoker object at 0x10c43d0> update
2016-04-21 19:17:02,322 [ERROR] rhsmcertd-worker:7890 @base_action_client.py:73 -
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/base_action_client.py", line 63, in _run_update
    update_report = lib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 31, in update
    self.report = self.locker.run(self._do_update)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 17, in run
    return action()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 43, in _do_update
    return action.perform()
  File "/usr/share/rhsm/subscription_manager/entcertlib.py", line 123, in perform
    raise Disconnected()
Disconnected
2016-04-21 19:17:02,322 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.identitycertlib.IdentityCertActionInvoker object at 0x1105fd0>
2016-04-21 19:17:02,323 [DEBUG] rhsmcertd-worker:7890 @connection.py:475 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-ca.pem
2016-04-21 19:17:02,323 [DEBUG] rhsmcertd-worker:7890 @connection.py:508 - Using proxy: auto-services.usersys.redhat.com:3129
2016-04-21 19:17:02,323 [DEBUG] rhsmcertd-worker:7890 @connection.py:523 - Making request: GET https://10.70.35.236:8443/candlepin/consumers/8a41c9da-4c79-436b-96a4-d5e1ae884eb9
2016-04-21 19:17:02,326 [WARNING] rhsmcertd-worker:7890 @base_action_client.py:72 - Exception caught while running <subscription_manager.identitycertlib.IdentityCertActionInvoker object at 0x1105fd0> update
2016-04-21 19:17:02,326 [ERROR] rhsmcertd-worker:7890 @base_action_client.py:73 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/base_action_client.py", line 63, in _run_update
    update_report = lib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 31, in update
    self.report = self.locker.run(self._do_update)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 17, in run
    return action()
  File "/usr/share/rhsm/subscription_manager/identitycertlib.py", line 35, in _do_update
    return action.perform()
  File "/usr/share/rhsm/subscription_manager/identitycertlib.py", line 61, in perform
    return self._update_cert(identity)
  File "/usr/share/rhsm/subscription_manager/identitycertlib.py", line 71, in _update_cert
    consumer = self._get_consumer(identity)
  File "/usr/share/rhsm/subscription_manager/identitycertlib.py", line 89, in _get_consumer
    consumer = self.uep.getConsumer(identity.uuid)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 1001, in getConsumer
    return self.conn.request_get(method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 644, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 537, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 979, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 241, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 195, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 778, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 13] Permission denied
2016-04-21 19:17:02,327 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.content_action_client.ContentActionClient object at 0x1105590>
2016-04-21 19:17:02,327 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.repolib.RepoActionInvoker object at 0x110f190>
2016-04-21 19:17:02,329 [DEBUG] rhsmcertd-worker:7890 @connection.py:475 - Loaded CA certificates from /etc/rhsm/ca/: redhat-uep.pem, candlepin-ca.pem
2016-04-21 19:17:02,329 [DEBUG] rhsmcertd-worker:7890 @connection.py:508 - Using proxy: auto-services.usersys.redhat.com:3129
2016-04-21 19:17:02,329 [DEBUG] rhsmcertd-worker:7890 @connection.py:523 - Making request: GET https://10.70.35.236:8443/candlepin/
2016-04-21 19:17:02,332 [WARNING] rhsmcertd-worker:7890 @base_action_client.py:72 - Exception caught while running <subscription_manager.repolib.RepoActionInvoker object at 0x110f190> update
2016-04-21 19:17:02,332 [ERROR] rhsmcertd-worker:7890 @base_action_client.py:73 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/base_action_client.py", line 63, in _run_update
    update_report = lib.update()
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 31, in update
    self.report = self.locker.run(self._do_update)
  File "/usr/share/rhsm/subscription_manager/certlib.py", line 17, in run
    return action()
  File "/usr/share/rhsm/subscription_manager/repolib.py", line 73, in _do_update
    action = RepoUpdateActionCommand(cache_only=self.cache_only)
  File "/usr/share/rhsm/subscription_manager/repolib.py", line 216, in __init__
    self.override_supported = bool(self.identity.is_valid() and self.uep and self.uep.supports_resource('content_overrides'))
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 804, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 791, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 644, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 537, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 979, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1013, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 241, in endheaders
    httpslib.HTTPSConnection.endheaders(self)
  File "/usr/lib64/python2.7/httplib.py", line 975, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 835, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 797, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 195, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 778, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 13] Permission denied
2016-04-21 19:17:02,333 [DEBUG] rhsmcertd-worker:7890 @plugins.py:569 - loaded plugin modules: []
2016-04-21 19:17:02,333 [DEBUG] rhsmcertd-worker:7890 @plugins.py:570 - loaded plugins: {}
2016-04-21 19:17:02,333 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.factlib.FactsActionInvoker object at 0x1105cd0>
2016-04-21 19:17:02,368 [DEBUG] rhsmcertd-worker:7890 @hwprobe.py:554 - cpu info: {'cpu.cpu(s)': 1, 'cpu.core(s)_per_socket': 1, 'cpu.thread(s)_per_core': 1, 'cpu.topology_source': 'kernel /sys cpu sibling lists', 'cpu.cpu_socket(s)': 1}
2016-04-21 19:17:02,426 [DEBUG] rhsmcertd-worker:7890 @hwprobe.py:772 - Running 'virt-what'
2016-04-21 19:17:02,642 [DEBUG] rhsmcertd-worker:7890 @hwprobe.py:776 - virt-what stdout: kvm
 
2016-04-21 19:17:02,642 [DEBUG] rhsmcertd-worker:7890 @hwprobe.py:777 - virt-what stderr:
2016-04-21 19:17:02,648 [INFO] rhsmcertd-worker:7890 @hwprobe.py:854 - collected virt facts: virt.is_guest=True, virt.host_type=kvm, virt.uuid=e30c6f0f-5e35-4513-99c8-03260090e0f1
2016-04-21 19:17:02,648 [DEBUG] rhsmcertd-worker:7890 @factlib.py:105 - Facts have not changed, skipping upload.
2016-04-21 19:17:02,648 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.packageprofilelib.PackageProfileActionInvoker object at 0x11055d0>
2016-04-21 19:17:02,649 [INFO] rhsmcertd-worker:7890 @cache.py:382 - Server does not support packages, skipping profile upload.
2016-04-21 19:17:02,649 [DEBUG] rhsmcertd-worker:7890 @base_action_client.py:85 - running lib: <subscription_manager.installedproductslib.InstalledProductsActionInvoker object at 0x1105f10>
2016-04-21 19:17:02,649 [DEBUG] rhsmcertd-worker:7890 @cache.py:138 - Checking current system info against cache: /var/lib/rhsm/cache/installed_products.json
2016-04-21 19:17:02,650 [DEBUG] rhsmcertd-worker:7890 @cache.py:155 - No changes.
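
A triage sketch for the two logs quoted in the description above, added here as an example and not part of the original report: it groups the AVC denials by source type, target type, class, permission and destination port, then checks each port against the proxy and server ports that rhsm.log records. The function names are this example's own; the sample lines are copied from the report.

```python
import re
from collections import Counter

# Sample input copied from the ausearch and rhsm.log output quoted in the report.
AUDIT_SAMPLE = """\
----
type=AVC msg=audit(04/21/2016 19:12:42.277:742) : avc:  denied  { name_connect } for  pid=7753 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
----
type=AVC msg=audit(04/21/2016 19:12:42.539:744) : avc:  denied  { name_connect } for  pid=7756 comm=rhsmcertd-worke dest=3129 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:netport_port_t:s0 tclass=tcp_socket
"""

RHSM_SAMPLE = """\
2016-04-21 19:17:01,688 [DEBUG] rhsmcertd-worker:7887 @connection.py:508 - Using proxy: auto-services.usersys.redhat.com:3129
2016-04-21 19:17:01,689 [DEBUG] rhsmcertd-worker:7887 @connection.py:523 - Making request: GET https://10.70.35.236:8443/candlepin/consumers/8a41c9da-4c79-436b-96a4-d5e1ae884eb9
"""

# "avc:  denied  { perm ... } for  key=value key=value ..." as printed by ausearch -i
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
PROXY_RE = re.compile(r"Using proxy: \S+:(\d+)")
REQUEST_RE = re.compile(r"Making request: \w+ https?://[^/\s:]+:(\d+)")


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_denials(audit_text):
    """Yield one record per denied permission found in AVC lines."""
    denials = []
    for line in audit_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # separators, SYSCALL records and other types are skipped
        fields = dict(FIELD_RE.findall(match.group("fields")))
        for perm in match.group("perms").split():
            denials.append({
                "source": selinux_type(fields.get("scontext", "")),
                "target": selinux_type(fields.get("tcontext", "")),
                "tclass": fields.get("tclass", ""),
                "perm": perm,
                "dest": int(fields["dest"]) if "dest" in fields else None,
                "comm": fields.get("comm", ""),
            })
    return denials


def triage(audit_text, rhsm_text):
    """Group denials and say which configured endpoint each port belongs to."""
    proxy_ports = {int(p) for p in PROXY_RE.findall(rhsm_text)}
    server_ports = {int(p) for p in REQUEST_RE.findall(rhsm_text)}
    counts = Counter(
        (d["source"], d["target"], d["tclass"], d["perm"], d["dest"])
        for d in parse_denials(audit_text)
    )
    findings = []
    for (source, target, tclass, perm, dest), count in counts.most_common():
        if dest in proxy_ports:
            role = "proxy"
        elif dest in server_ports:
            role = "server"
        else:
            role = "unmatched"
        findings.append({
            "source": source, "target": target, "tclass": tclass,
            "perm": perm, "dest": dest, "count": count, "role": role,
        })
    return findings


if __name__ == "__main__":
    for f in triage(AUDIT_SAMPLE, RHSM_SAMPLE):
        print("{count}x {source} -> {target}:{tclass} {{ {perm} }} "
              "dest={dest} ({role} port)".format(**f))
```

On the report's data every denial lands on the proxy port rather than the Candlepin port, which matches the `[Errno 13] Permission denied` raised from `socket.create_connection` in the tracebacks.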

Comment 8 Shwetha Kallesh 2016-07-18 12:46:58 UTC
No denials are found when the rhsmcertd service is started, and the daemon successfully updates the certificates with the following selinux-policy version:

-bash-4.2# rpm -qa | grep selinux-policy
selinux-policy-3.13.1-89.el7.noarch
selinux-policy-targeted-3.13.1-89.el7.noarch


-bash-4.2# subscription-manager remove --all
1 subscription removed at the server.
1 local certificate has been deleted.
-bash-4.2# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
-bash-4.2# setenforce 1
-bash-4.2# restorecon -Rv /etc /run /var
restorecon:  Warning no default label for /run/lvmetad.pid
restorecon:  Warning no default label for /run/lock/subsys
restorecon:  Warning no default label for /run/lock/subsys/rhnsd
restorecon:  Warning no default label for /run/lock/subsys/network
restorecon:  Warning no default label for /run/initramfs
restorecon:  Warning no default label for /run/initramfs/rwtab
restorecon:  Warning no default label for /run/initramfs/state
restorecon:  Warning no default label for /run/initramfs/state/var
restorecon:  Warning no default label for /run/initramfs/state/var/lib
restorecon:  Warning no default label for /run/initramfs/state/var/lib/dhclient
restorecon:  Warning no default label for /run/initramfs/state/etc
restorecon:  Warning no default label for /run/initramfs/state/etc/sysconfig
restorecon:  Warning no default label for /run/initramfs/state/etc/sysconfig/network-scripts
restorecon:  Warning no default label for /run/initramfs/.need_shutdown
restorecon:  Warning no default label for /run/initramfs/log
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-rtkit-daemon.service-PXkT60
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-rtkit-daemon.service-PXkT60/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-cups.service-C0tryI
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-cups.service-C0tryI/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-colord.service-uiheKg
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-colord.service-uiheKg/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-systemd-machined.service-dqjlXJ
restorecon:  Warning no default label for /var/tmp/systemd-private-d20cd7139e8f4b26abd415b824b62c33-systemd-machined.service-dqjlXJ/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-rtkit-daemon.service-Md2Xgx
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-rtkit-daemon.service-Md2Xgx/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-cups.service-mhjPR7
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-cups.service-mhjPR7/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-colord.service-htSI21
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-colord.service-htSI21/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-systemd-machined.service-IMFPiT
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-systemd-machined.service-IMFPiT/tmp
restorecon:  Warning no default label for /var/tmp/yum-root-FUiPei
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-ntpd.service-9o8VLV
restorecon:  Warning no default label for /var/tmp/systemd-private-6873bc2571b74af3a971fc271c7813e7-ntpd.service-9o8VLV/tmp
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160711184513.tar.xz
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160711184513.tar.xz.md5
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-rtkit-daemon.service-KXIiOS
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-rtkit-daemon.service-KXIiOS/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-cups.service-12VTQ9
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-cups.service-12VTQ9/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-colord.service-d3GPkL
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-colord.service-d3GPkL/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-systemd-machined.service-VfOqOE
restorecon:  Warning no default label for /var/tmp/systemd-private-7acff4ee59f3464db67fd544c366f043-systemd-machined.service-VfOqOE/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-rtkit-daemon.service-DEkGLH
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-rtkit-daemon.service-DEkGLH/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-cups.service-W3fuSR
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-cups.service-W3fuSR/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-colord.service-57RpKf
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-colord.service-57RpKf/tmp
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-systemd-machined.service-3FaDFg
restorecon:  Warning no default label for /var/tmp/systemd-private-9dfe68a112934821b9ecfb41c27d2d0d-systemd-machined.service-3FaDFg/tmp
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160621193926.tar.xz
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160621193926.tar.xz.md5
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160622160626.tar.xz
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160622160626.tar.xz.md5
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160701194524.tar.xz
restorecon:  Warning no default label for /var/tmp/sosreport-shwetha-workstation.usersys.redhat.com-20160701194524.tar.xz.md5
-bash-4.2# START_DATE_TIME=`date "+%m/%d/%Y %T"`
-bash-4.2# service rhsmcertd restart
Redirecting to /bin/systemctl restart  rhsmcertd.service
-bash-4.2# sleep 120
-bash-4.2# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts ${START_DATE_TIME}
<no matches>
-bash-4.2# 
-bash-4.2# subscription-manager list --consumed
+-------------------------------------------+
   Consumed Subscriptions
+-------------------------------------------+
Subscription Name:   Red Hat Enterprise Linux OpenStack Platform, Standard (2-sockets)
Provides:            Oracle Java (for RHEL Server)
                     Red Hat Ceph Storage Calamari
                     Red Hat Enterprise Linux Server
                     Red Hat OpenStack Beta
                     Red Hat Enterprise MRG Messaging
                     dotNET on RHEL Beta (for RHEL Server)
                     Red Hat Software Collections (for RHEL Server)
                     Red Hat Beta
                     Red Hat Ceph Storage MON
                     dotNET on RHEL (for RHEL Server)
                     Red Hat Software Collections Beta (for RHEL Server)
                     Red Hat OpenStack
                     Red Hat Enterprise Linux Load Balancer (for RHEL Server)
                     Red Hat Ceph Storage
                     Red Hat CloudForms
                     Red Hat Enterprise Linux High Availability (for RHEL Server)
SKU:                 MCT2887
Contract:            
Account:             
Serial:              1429024697739920556
Pool ID:             8a99f98a55f48bdc0155fd5be4242613
Provides Management: No
Active:              True
Quantity Used:       1
Service Level:       Standard
Service Type:        L1-L3
Status Details:      Subscription is current
Subscription Type:   Stackable
Starts:              07/17/2016
Ends:                07/17/2017
System Type:         Physical
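
Added example, not part of the original comment or of Red Hat's tooling: the check in comment 8 passes when ausearch returns nothing, and when it does return records a filter like this one groups the denials for one source domain by target type, class and permission. The domain name rhsmcertd_t, the function names and the sample audit records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration: triage `ausearch -i` output for one SELinux source domain.
# Typical use after the restart-and-wait steps in the comment above:
#   ausearch -m AVC -m USER_AVC -m SELINUX_ERR -i -ts $START_DATE_TIME \
#       | summarize_denials rhsmcertd_t

# Print "<count> <target type> <class> <permissions>" for each distinct denial
# whose scontext type equals $1. Audit text is read from stdin.
summarize_denials() {
    awk -v dom="$1" '
    /type=(AVC|USER_AVC)/ && / denied / {
        perms = ""; s = ""; t = ""; c = ""
        o = index($0, "{"); e = index($0, "}")
        if (o && e > o) perms = substr($0, o + 2, e - o - 3)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        if (s == dom) seen[t " " c " " perms]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Exit 0 only when stdin holds no denial for domain $1, which is the pass
# condition the comment shows as "<no matches>".
no_denials() {
    [ -z "$(summarize_denials "$1")" ]
}

# Constructed sample records (not taken from this bug report).
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(01/01/2020 10:00:01.100:501) : avc:  denied  { read } for  pid=4242 comm=rhsmcertd-worke name=example.conf dev="dm-0" ino=1001 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
type=SYSCALL msg=audit(01/01/2020 10:00:01.100:501) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) comm=rhsmcertd-worke
type=AVC msg=audit(01/01/2020 10:00:02.200:502) : avc:  denied  { read } for  pid=4243 comm=rhsmcertd-worke name=example.conf dev="dm-0" ino=1001 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
type=AVC msg=audit(01/01/2020 10:00:03.300:503) : avc:  denied  { search } for  pid=4243 comm=rhsmcertd-worke name=example dev="dm-0" ino=1002 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:example_var_t:s0 tclass=dir
type=AVC msg=audit(01/01/2020 10:00:04.400:504) : avc:  denied  { write } for  pid=5000 comm=example name=example.conf dev="dm-0" ino=1001 scontext=system_u:system_r:example_other_t:s0 tcontext=system_u:object_r:example_conf_t:s0 tclass=file
EOF
}

# Demonstration on the constructed records.
sample_audit | summarize_denials rhsmcertd_t
```

In the usage line, START_DATE_TIME is left unquoted on purpose: ausearch -ts takes the date and the time as two separate arguments.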

Comment 11 errata-xmlrpc 2016-11-04 02:26:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

