RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1930920 - /usr/libexec/rhsmcertd-worker (rhsmcertd_t) tries node_t:tcp_socket node_bind
Summary: /usr/libexec/rhsmcertd-worker (rhsmcertd_t) tries node_t:tcp_socket node_bind
Keywords:
Status: CLOSED DUPLICATE of bug 1923985
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Duplicates: 1932158
Depends On:
Blocks:
 
Reported: 2021-02-19 19:18 UTC by Robert Scheck
Modified: 2022-01-05 13:43 UTC
CC List: 11 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-11 16:14:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System: Github
ID: fedora-selinux selinux-policy pull 598
Private: 0
Priority: None
Status: closed
Summary: Allow rhsmcertd bind tcp sockets to a generic node
Last Updated: 2021-03-11 16:00:14 UTC

Description Robert Scheck 2021-02-19 19:18:49 UTC
Description of problem:
type=AVC msg=audit(1613749791.671:84): avc:  denied  { node_bind } for  pid=931 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1613749791.671:84): arch=x86_64 syscall=bind success=no exit=EACCES a0=4 a1=7ffd52ab7900 a2=1c a3=31 items=0 ppid=674 pid=931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rhsmcertd-worke exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)

Version-Release number of selected component (if applicable):
platform-python-3.6.8-31.el8.x86_64
subscription-manager-1.27.18-1.el8_3.x86_64
selinux-policy-targeted-3.14.3-54.el8_3.2.noarch

How reproducible:
Not sure, just happened while no administrative tasks were performed. Likely caused because there was some Internet access interruption, but this IMHO still should not lead to such a SELinux denial message.

Actual results:
/usr/libexec/rhsmcertd-worker (rhsmcertd_t) tries node_t:tcp_socket node_bind

Expected results:
Allow or dontaudit, whatever is suitable. Or fix subscription-manager code.

Additional info:
/var/log/rhsm/rhsmcertd.log:
Fri Feb 19 16:49:52 2021 [WARN] (Cert Check) Update failed (255), retry will occur on next run.

/var/log/rhsm/rhsm.log:
2021-02-19 16:49:51,897 [ERROR] rhsmcertd-worker:931:MainThread @rhsmcertd_worker.py:226 - Error while updating certificates using daemon
2021-02-19 16:49:51,898 [ERROR] rhsmcertd-worker:931:MainThread @rhsmcertd_worker.py:228 - [Errno 101] Network is unreachable
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 217, in main
    _main(options, log)
  File "/usr/lib64/python3.6/site-packages/subscription_manager/scripts/rhsmcertd_worker.py", line 151, in _main
    cp.supports_resource(None)  # pre-load supported resources; serves as a way of failing before locking the repos
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 975, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 952, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 882, in request_get
    return self._request("GET", method, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 908, in _request
    info=info, headers=headers, cert_key_pairs=cert_key_pairs)
  File "/usr/lib64/python3.6/site-packages/rhsm/connection.py", line 706, in _request
    conn.request(request_type, handler, body=body, headers=final_headers)
  File "/usr/lib64/python3.6/http/client.py", line 1254, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1300, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1249, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1036, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.6/http/client.py", line 974, in send
    self.connect()
  File "/usr/lib64/python3.6/http/client.py", line 1414, in connect
    super().connect()
  File "/usr/lib64/python3.6/http/client.py", line 946, in connect
    (self.host,self.port), self.timeout, self.source_address)
  File "/usr/lib64/python3.6/socket.py", line 724, in create_connection
    raise err
  File "/usr/lib64/python3.6/socket.py", line 713, in create_connection
    sock.connect(sa)
OSError: [Errno 101] Network is unreachable

Comment 1 Robert Scheck 2021-02-19 19:23:02 UTC
Cross-filed case 02874310 at the Red Hat customer portal.

Comment 2 Robert Scheck 2021-02-22 12:15:51 UTC
Meanwhile we're getting flooded by these messages from about every RHEL system after the latest updates - even though there was no hiccup regarding the network connectivity:

grep subscription-manager /var/log/*dnf*:
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: dnf-plugin-subscription-manager-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: subscription-manager-rhsm-certificates-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: python3-subscription-manager-rhsm-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:43:11Z SUBDEBUG Upgrade: subscription-manager-1.27.18-1.el8_3.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: subscription-manager-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: python3-subscription-manager-rhsm-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: subscription-manager-rhsm-certificates-1.27.16-1.el8.x86_64
/var/log/dnf.rpm.log:2021-02-22T08:44:08Z SUBDEBUG Upgraded: dnf-plugin-subscription-manager-1.27.16-1.el8.x86_64

/var/log/audit/audit.log:
type=AVC msg=audit(1613992383.227:110048): avc:  denied  { node_bind } for  pid=790844 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0

/var/log/rhsm/rhsmcertd.log:
Mon Feb 22 12:13:19 2021 [INFO] (Cert Check) Certificates updated.

/var/log/rhsm/rhsm.log:
2021-02-22 12:13:05,533 [INFO] rhsmcertd-worker:790844:MainThread @entcertlib.py:131 - certs updated:
Total updates: 0
Found (local) serial# [<removed>]
Expected (UEP) serial# [<removed>]
Added (new)
  <NONE>
Deleted (rogue):
  <NONE>
2021-02-22 12:13:10,725 [WARNING] rhsmcertd-worker:790844:MainThread @dmiinfo.py:130 - Error reading system DMI information: # SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.

NoneType: None
2021-02-22 12:13:10,924 [WARNING] rhsmcertd-worker:790844:MainThread @dmiinfo.py:130 - Error reading system DMI information: # SMBIOS implementations newer than version 2.7 are not
# fully supported by this version of dmidecode.

NoneType: None
2021-02-22 12:13:12,471 [INFO] rhsmcertd-worker:790844:MainThread @factlib.py:100 - Facts have been updated.

Comment 3 Robert Scheck 2021-03-01 14:17:01 UTC
Cross-filed case 02881290 at the Red Hat customer portal (other customer).

Comment 5 Jiri Hnidek 2021-03-11 15:56:59 UTC
I can reproduce this issue on Fedora and RHEL8.

When I build and use the rhsmcertd SELinux module from the master branch at https://github.com/fedora-selinux/selinux-policy using:

[root@localhost contrib]# make -f /usr/share/selinux/devel/Makefile rhsmcertd.pp

[root@localhost contrib]# semodule -i rhsmcertd.pp
libsemanage.semanage_direct_install_info: Overriding rhsmcertd module at lower priority 100 with module at priority 400.

[root@localhost contrib]# semodule -r rhsmcertd
libsemanage.semanage_direct_remove_key: rhsmcertd module at priority 100 is now active.

Then the SELinux issue is fixed. Not sure what exactly fixed this issue (probably the rule corenet_tcp_bind_generic_node(rhsmcertd_t) in the following PR):

https://github.com/fedora-selinux/selinux-policy/pull/598

The master branch of selinux-policy cannot be applied to RHEL8. It will be necessary to backport this to RHEL8.

There is a workaround for RHEL8:

Create fix_rhsmcertd.te with the following content:

module foo 1.0;

require {
	type node_t;
	type rhsmcertd_t;
	class tcp_socket node_bind;
}

#============= rhsmcertd_t ==============

allow rhsmcertd_t node_t:tcp_socket node_bind;

[root@localhost]# make -f /usr/share/selinux/devel/Makefile fix_rhsmcertd.pp

[root@localhost]# semodule -i fix_rhsmcertd.pp
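
Added example (not code from this bug report, from subscription-manager or from selinux-policy): a small Python script that parses the two AVC records quoted in the Description and in Comment 2, tells an enforced denial (permissive=0, the process got EACCES) from a log-only one, derives the audit2allow-style allow rule, and renders it as a local .te module of the same shape as the Comment 5 workaround. The module name fix_rhsmcertd comes from Comment 5; the function names, the regular expressions and the extra multi-permission test input are my own assumptions, and the script only generates the .te text, it does not build or install anything.

```python
import re

# Sample input: the two AVC records quoted in this bug (Description and
# Comment 2), pasted here verbatim so the script runs offline.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1613749791.671:84): avc:  denied  { node_bind } for  '
    'pid=931 comm="rhsmcertd-worke" saddr=::1 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 '
    'tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1613992383.227:110048): avc:  denied  { node_bind } for  '
    'pid=790844 comm="rhsmcertd-worke" saddr=::1 '
    'scontext=system_u:system_r:rhsmcertd_t:s0 '
    'tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." as written by the kernel AVC
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs; comm= is double-quoted, everything else is a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if 'scontext' not in fields or 'tcontext' not in fields or 'tclass' not in fields:
        return None
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is what policy rules name.
    for key in ('scontext', 'tcontext'):
        fields[key + '_type'] = fields[key].split(':')[2]
    return fields


def is_enforced_denial(avc):
    """True when the denial actually blocked the call (permissive=0), so the
    process saw EACCES rather than a log-only record."""
    return avc['result'] == 'denied' and avc.get('permissive') == '0'


def _fmt_perms(perms):
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def allow_rule(avc):
    """audit2allow-style rule that would permit exactly this denial."""
    return 'allow %s %s:%s %s;' % (avc['scontext_type'], avc['tcontext_type'],
                                   avc['tclass'], _fmt_perms(avc['perms']))


def te_module(name, avcs):
    """Render a minimal local .te module covering the given denials, in the
    same shape as the Comment 5 workaround (duplicate denials are merged)."""
    types = sorted({a['scontext_type'] for a in avcs} | {a['tcontext_type'] for a in avcs})
    classes = {}
    for a in avcs:
        classes.setdefault(a['tclass'], set()).update(a['perms'])
    rules = sorted({allow_rule(a) for a in avcs})
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s %s;' % (c, _fmt_perms(p)) for c, p in sorted(classes.items())]
    lines += ['}', ''] + rules
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    avcs = [a for a in (parse_avc(l) for l in SAMPLE_AVC_LINES) if a]
    for a in avcs:
        print('%s (%s) -> %s  enforced=%s' % (a['comm'], a['scontext_type'],
                                              allow_rule(a), is_enforced_denial(a)))
    print(te_module('fix_rhsmcertd', avcs))
```

Running it prints one merged rule, `allow rhsmcertd_t node_t:tcp_socket node_bind;`, for both records, which is the same rule the Comment 5 workaround carries. A local module like this should be treated as a stopgap with the narrowest possible scope (only the types, class and permissions actually seen in the denial) and removed with `semodule -r` once the selinux-policy update that Comment 6 refers to is installed, so that the local rule does not outlive the policy it was patching around.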

Comment 6 Zdenek Pytela 2021-03-11 16:14:27 UTC
The permission has already been added to the policy and the fix should be a part of RHEL 8.4 GA.

*** This bug has been marked as a duplicate of bug 1923985 ***

Comment 7 Jiri Hnidek 2021-03-16 14:22:59 UTC
*** Bug 1932158 has been marked as a duplicate of this bug. ***

