1623376 – selinux denials for rhsmcertd process when the system is configured with a proxy port (other than default 3128)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1623376 - selinux denials for rhsmcertd process when the system is configured with a proxy port (other than default 3128)

Summary: selinux denials for rhsmcertd process when the system is configured with a pr...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-08-29 08:43 UTC by Rehana
Modified:	2018-09-05 09:13 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-09-05 09:13:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1576423	0	unspecified	CLOSED	proxy_port from rhsm.conf not used	2021-02-22 00:41:40 UTC

Internal Links: 1576423

Description Rehana 2018-08-29 08:43:51 UTC

Description of problem:
With the fix for the Bug 1576423, subscription manager now respects the proxy server running on port other than 3128

Version-Release number of selected component (if applicable):
# subscription-manager version
server type: Red Hat Subscription Management
subscription management server: 2.3.9-1
subscription management rules: 5.26
subscription-manager: 1.21.7-1.el7

# rpm -qa selinux*
selinux-policy-3.13.1-219.el7.noarch
selinux-policy-targeted-3.13.1-219.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1.Configure proxy on the system ,Note : Configure proxy port on any port other than 3128.
In this test , below is the configurataion used
  proxy_hostname = auto-services.usersys.redhat.com
   proxy_password = redhat
   proxy_port = 3127
   proxy_user = redhat

2.Now register the system --> Observed that system is registered successfully
3.Wait for rhsmcertd to run ( make sure to set splay=0 and certcheck interval to a shorter duration to reproduce the error quickly) 

Actual results:
rhsmcertd failed to run 

Expected results:
rhsmcertd Should run successfully, and now that subscription manager respects any proxy port with the implementaion of  bug 1576423 the fix for this  bug  should be considering the possibility of that ,as the proxy port is configurable now.


Additional info:

rhsmcertd.log 
============

Tue Aug 28 20:08:22 2018 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first auto-attach.
Tue Aug 28 20:08:22 2018 [INFO] Waiting 2.0 minutes plus 0 splay seconds [120 seconds total] before performing first cert check.
Tue Aug 28 20:10:22 2018 [WARN] (Cert Check) Update failed (255), retry will occur on next run.
Tue Aug 28 20:10:22 2018 [WARN] (Auto-attach) Update failed (255), retry will occur on next run.


rhsm.log
----------

error: [Errno 13] Permission denied
2018-08-28 20:10:22,922 [INFO] rhsmcertd-worker:4923:MainThread @rhsmcertd_worker.py:70 - X-Correlation-ID: 86ef4d014d604ae7aecf680d73cdf0c4
2018-08-28 20:10:22,925 [INFO] rhsmcertd-worker:4923:MainThread @connection.py:871 - Connection built: http_proxy=auto-services.usersys.redhat.com:3127 host=subscription.rhsm.stage.redhat.com port=443 handler=/subscription auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2018-08-28 20:10:22,927 [ERROR] rhsmcertd-worker:4923:MainThread @rhsmcertd_worker.py:148 - Error while updating certificates using daemon
2018-08-28 20:10:22,928 [ERROR] rhsmcertd-worker:4923:MainThread @rhsmcertd_worker.py:150 - [Errno 13] Permission denied
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 139, in main
    _main(options, log)
  File "/usr/lib64/python2.7/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 80, in _main
    cp.supports_resource(None)  # pre-load supported resources; serves as a way of failing before locking the repos
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 897, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 884, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 693, in request_get
    return self._request("GET", method, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 719, in _request
    info=info, headers=headers)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 557, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1251, in connect
    HTTPConnection.connect(self)
  File "/usr/lib64/python2.7/httplib.py", line 824, in connect
    self.timeout, self.source_address)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
error: [Errno 13] Permission denied

ausearch -m AVC -m USER_AVC -m SELINUX_ERR


time->Tue Aug 28 20:10:22 2018
type=PROCTITLE msg=audit(1535467222.722:246): proctitle=2F7573722F62696E2F707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572
type=SYSCALL msg=audit(1535467222.722:246): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7ffe602c8c00 a2=10 a3=79 items=0 ppid=4821 pid=4918 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1535467222.722:246): avc:  denied  { name_connect } for  pid=4918 comm="rhsmcertd-worke" dest=3127 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Tue Aug 28 20:10:22 2018
type=PROCTITLE msg=audit(1535467222.926:247): proctitle=2F7573722F62696E2F707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572002D2D6175746F6865616C
type=SYSCALL msg=audit(1535467222.926:247): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=7fffc304fdc0 a2=10 a3=79 items=0 ppid=4821 pid=4923 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/bin/python2.7" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1535467222.926:247): avc:  denied  { name_connect } for  pid=4923 comm="rhsmcertd-worke" dest=3127 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Comment 3 Milos Malik 2018-09-04 14:04:54 UTC

Because you use a different port than the usual one, a local customization of SELinux policy is needed: Please run following command:

# semanage port -a -t squid_port_t -p tcp 3127

As a result, rhsmcertd process will be able to connect to TCP port 3217.

If you want to remove this local customization, please run following command:

# semanage port -d -t squid_port_t -p tcp 3127

Usually, rhsmcert process is able to connect to TCP port 3128 because:

# seinfo --protocol tcp --portcon=3128
	portcon tcp 3128 system_u:object_r:squid_port_t:s0
	portcon tcp 1024-32767 system_u:object_r:unreserved_port_t:s0
#

and

# sesearch -s rhsmcertd_t -t squid_port_t -c tcp_socket -p name_connect -A -C
Found 1 semantic av rules:
   allow rhsmcertd_t squid_port_t : tcp_socket name_connect ; 
#

Note You need to log in before you can comment on or make changes to this bug.