Bug 1923985 - [RHEL-8] avc: denied { node_bind } for pid=50272 comm="rhsmcertd-worke"
Summary: [RHEL-8] avc: denied { node_bind } for pid=50272 comm="rhsmcertd-worke"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.4
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1925305 1925472 1925702 1926742 1930447 1930920 2015216
Depends On:
Blocks:
Reported: 2021-02-02 11:25 UTC by zguo
Modified: 2021-10-26 02:40 UTC (History)
CC List: 27 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: An update in the subscription-manager package makes rhsmcertd-worker bind to a generic node, but this permission is missing in the SELinux policy. Consequence: rhsmcertd-worker cannot bind to a particular IP address. Fix: A rule was added to the policy. Result: rhsmcertd-worker can bind to a particular IP address.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:58:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments: none


Links:
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) 5554231 | 0 | None | None | None | 2021-02-17 13:17:06 UTC

Internal Links: 1923006 2015216

Comment 2 Zdenek Pytela 2021-02-04 20:40:55 UTC
*** Bug 1925305 has been marked as a duplicate of this bug. ***

Comment 3 Zdenek Pytela 2021-02-05 19:16:29 UTC
*** Bug 1925472 has been marked as a duplicate of this bug. ***

Comment 4 Ondrej Mosnacek 2021-02-05 22:23:10 UTC
*** Bug 1925702 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-02-09 11:51:20 UTC
*** Bug 1926742 has been marked as a duplicate of this bug. ***

Comment 7 PaulB 2021-02-12 23:41:42 UTC
All,
The Bugzilla is still in NEW state.
Is this on the radar?
Just checking so it does not sneak by :)

---------------------------
Issue is easily reproduced:
---------------------------
distro: RHEL-8.4.0-20210209.n.0 BaseOS aarch64
kernel: 4.18.0-283.el8
task: /kernel/filesystems/nfs/connectathon 3.0-94
selinux-policy: 3.14.3-62.el8.noarch

job: 
https://beaker.engineering.redhat.com/recipes/9544329#task121729187
https://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2021/02/50837/5083732/9544329/121729187/569082869/avc.log


Best,
pbunyan

Comment 8 Zdenek Pytela 2021-02-15 10:32:18 UTC
This bz, as well as its RHEL 9 version bz#1923006, awaits information from subscription-manager developers. Given the current state of RHEL 8.4, impact or justification would be helpful for a possible inclusion decision.

Chris,

The node_bind SELinux permission is requested for rhsmcertd-worker in current RHEL 8 and 9, but it was not needed until recently. Did something change in this service which requires the permission?

Comment 9 James Hartsock 2021-02-17 12:43:08 UTC
With subscription-manager-1.27.18-1.el8_3 now GA via RHBA-2021:0566 ... this issue is impacting customers.


# rpm -qf /bin/rhsmcertd
subscription-manager-1.27.18-1.el8_3.x86_64


# ausearch --input-logs --message avc,user_avc,avc_path --success no --format text
At 05:19:22 02/17/2021 system, acting as root, unsuccessfully accessed-mac-policy-controlled-object using /usr/libexec/platform-python3.6


# ausearch --input-logs --message avc,user_avc,avc_path --success no
----
time->Wed Feb 17 05:19:22 2021
type=PROCTITLE msg=audit(1613560762.896:7143): proctitle=2F7573722F6C6962657865632F706C6174666F726D2D707974686F6E002F7573722F6C6962657865632F7268736D63657274642D776F726B6572

type=SYSCALL msg=audit(1613560762.896:7143): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=7fff2b035c50 a2=1c a3=31 items=0 ppid=1273 pid=42572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rhsmcertd-worke" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(1613560762.896:7143): avc:  denied  { node_bind } for  pid=42572 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0

Comment 10 Zdenek Pytela 2021-02-17 16:29:59 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/598

Comment 14 James Hartsock 2021-02-17 17:42:44 UTC
(In reply to Zdenek Pytela from comment #12)
> James,
> 
> In the kbase, there are 2 different and likely independent issues described.
> The first one, for running kpatch, is in RHEL 8.3 since GA. The other, for
> binding to ::1, could be a result of some subscription manager update (not
> confirmed by maintainers yet).
> 
> While workaround for the latter is correct, for the former one is not
> sufficient.

Other than formatting, all I did was add the following today for the work-around...
  # echo "(allow rhsmcertd_t node_t (tcp_socket (node_bind)))" >> rhsmcertd_execute_kpatch.cil

And they may be unrelated, but they were both noted in the original BZ 1895322 and both AVCs were for the same rpm (even the same binary) in RHEL 8.3.
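The ausearch record in comment 9 and the hand-written CIL rule in comment 14 are two ends of the same workflow: read the AVC, extract source type, target type, object class and permission, and write an allow rule. The script below does that mechanically. It is an added example, not code from Red Hat, from this bug, or from the selinux-policy project; the first sample record is the AVC line quoted in comment 9, the second is constructed here with invented type names (`example_t`, `example_conf_t`) purely to show the parser handling several permissions and a `permissive=1` record.

```python
"""Parse SELinux AVC denial records and emit matching CIL allow rules."""
import re
from typing import Dict, List, Optional

# Record copied from the ausearch output in comment 9 of this bug.
AVC_FROM_PAGE = (
    "type=AVC msg=audit(1613560762.896:7143): avc:  denied  { node_bind } for  "
    'pid=42572 comm="rhsmcertd-worke" saddr=::1 '
    "scontext=system_u:system_r:rhsmcertd_t:s0 "
    "tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0"
)

# Constructed sample (not from the page): invented domain/type names, used only
# to show that the parser handles multiple permissions and permissive-mode records.
AVC_CONSTRUCTED = (
    "type=AVC msg=audit(1700000000.000:42): avc:  denied  { read open } for  "
    'pid=4242 comm="example" path="/etc/example.conf" '
    "scontext=system_u:system_r:example_t:s0 "
    "tcontext=system_u:object_r:example_conf_t:s0 tclass=file permissive=1"
)

# Matches the 'avc: denied { perms } for key=value ...' part of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values may be double-quoted (comm="...") or bare (saddr=::1).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; return None for non-AVC lines (SYSCALL, PROCTITLE, ...)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if any(k not in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "result": m.group("result"),
        "perms": sorted(m.group("perms").split()),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
    }


def to_cil(avc: Dict[str, object]) -> str:
    """Render an allow rule in CIL syntax: (allow src_t tgt_t (class (perm ...)))."""
    perms = " ".join(avc["perms"])
    return f"(allow {avc['source_type']} {avc['target_type']} ({avc['tclass']} ({perms})))"


def denials_to_cil(lines: List[str]) -> List[str]:
    """Turn a batch of audit lines into de-duplicated CIL allow rules, in first-seen order."""
    rules: List[str] = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["result"] != "denied":
            continue
        rule = to_cil(avc)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in denials_to_cil([AVC_FROM_PAGE, AVC_FROM_PAGE, AVC_CONSTRUCTED]):
        print(rule)
```

For the record from comment 9 the output is exactly the line comment 14 appends to `rhsmcertd_execute_kpatch.cil`, `(allow rhsmcertd_t node_t (tcp_socket (node_bind)))`, which can then be loaded with `semodule -i <file>.cil` as a local module until the fixed selinux-policy package is installed. Treat the generated rules as candidates to review rather than something to load blindly: the `permissive` flag tells you whether the access was really blocked, and a denial that appears only after a package update (as comment 8 asks about) is worth understanding before it is allowed.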

Comment 22 Milos Malik 2021-02-19 07:50:20 UTC
*** Bug 1930447 has been marked as a duplicate of this bug. ***

Comment 24 Milos Malik 2021-02-25 09:51:30 UTC
This AVC is related to the IPv6 kernel module and it can happen on any machine where IPv6 is disabled. Please see the discussion in https://bugzilla.redhat.com/show_bug.cgi?id=1931450

Comment 25 Yongcheng Yang 2021-02-25 10:49:55 UTC
Thanks for the information! I also found another similar bug https://bugzilla.redhat.com/show_bug.cgi?id=1926256

I'll follow this issue from those bugs and now cancel my needinfo flag.

Comment 28 Zdenek Pytela 2021-03-11 16:14:27 UTC
*** Bug 1930920 has been marked as a duplicate of this bug. ***

Comment 31 yuk 2021-04-19 15:06:09 UTC
> Zdenek Pytela 2021-02-18 08:10:29 UTC
> Status: POST → MODIFIED

> Ondrej Mosnacek 2021-02-18 10:31:36 UTC
> Keywords: AutoVerified

> errata-xmlrpc 2021-02-18 10:48:11 UTC
> Status: MODIFIED → ON_QA

> Milos Malik 2021-02-18 10:52:51 UTC
> Status: ON_QA → VERIFIED

Kindly, what is the actual state of this bug?

Comment 32 Branislav Náter 2021-04-19 15:16:25 UTC
(In reply to yuk from comment #31)
> > Zdenek Pytela 2021-02-18 08:10:29 UTC
> > Status: POST → MODIFIED
> 
> > Ondrej Mosnacek 2021-02-18 10:31:36 UTC
> > Keywords: AutoVerified
> 
> > errata-xmlrpc 2021-02-18 10:48:11 UTC
> > Status: MODIFIED → ON_QA
> 
> > Milos Malik 2021-02-18 10:52:51 UTC
> > Status: ON_QA → VERIFIED
> 
> Kindly, what is the actual state of this bug?

Bug is in VERIFIED state = This bug fix has successfully finished testing by the Assigned Quality Engineer.
Fix should be present in next minor update (rhel-8.4).

Comment 34 errata-xmlrpc 2021-05-18 14:58:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1639

Comment 36 Zhiqiang Fang 2021-10-26 02:40:11 UTC
*** Bug 2015216 has been marked as a duplicate of this bug. ***
