Bug 1932158
| Field | Value |
|---|---|
| Summary | SELinux is preventing rhsmcertd-worke from node_bind access on the tcp_socket port None. |
| Product | Red Hat Enterprise Linux 8 |
| Reporter | Ian Laurie <nixuser> |
| Component | subscription-manager |
| Assignee | candlepin-bugs |
| Status | CLOSED DUPLICATE |
| QA Contact | Red Hat subscription-manager QE Team <rhsm-qe> |
| Severity | low |
| Docs Contact | |
| Priority | unspecified |
| Version | CentOS Stream |
| CC | bstinson, carl, jhnidek, jwboyer, redakkan, rpm |
| Target Milestone | rc |
| Flags | pm-rhel: mirror+ |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-03-16 14:23:00 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Hi Ian Laurie,
Thank you for opening the bug. Can you please share the subscription-manager version you have installed on the system? It will be helpful if you can set the debug mode "on" (e.g. subscription-manager config --logging.default_log_level=DEBUG) in the rhsmcertd and share the /var/log/rhsm/rhsm.log details; it will help in troubleshooting.
thanks,
Rehana

Created attachment 1760294 [details]
rhsm log
Hi Rehana,
I am running subscription-manager-1.28.12-1.el8.x86_64 currently. Updates are run routinely on this machine, typically whenever the VM is started up. Base system is Fedora 33 running QEMU/KVM. I can't be certain I was running the same version of subscription-manager back when I reported the bug, but it would have been whatever was the latest at the time.
Somewhat awkwardly, I'm not seeing this issue currently.
I have looked at the logs in /var/log/rhsm and found the one with errors in it from around Feb 24 which is when I had the problem. Unfortunately the log level will be whatever was the default at the time, so not sure if the errors in the file will be useful enough to work out why it happened. The log previous to the one I am uploading also has these same errors, if you want that one I can give it to you but I think it's just more of the same.
I have a similar but not quite identical issue on RHEL 8.3 with subscription-manager-1.27.18-1.el8_3.x86_64 as follows (I have enabled debug as per comment #1 and will get a log uploaded):
SELinux is preventing rhsmcertd-worke from execute access on the file kpatch.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rhsmcertd-worke should be allowed execute access on the kpatch file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp
Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0
Target Context system_u:object_r:kpatch_exec_t:s0
Target Objects kpatch [ file ]
Source rhsmcertd-worke
Source Path rhsmcertd-worke
Port <Unknown>
Host zooty.moose.blogdns.org
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name zooty.moose.blogdns.org
Platform Linux zooty.moose.blogdns.org 4.18.0-240.15.1.el8_3.x86_64 #1 SMP Wed Feb 3 03:12:15 EST 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-03-08 13:00:08 AEDT
Last Seen 2021-03-08 13:00:08 AEDT
Local ID cbb2b68a-7bb2-479c-9e05-378723fdc9f5
Raw Audit Messages
type=AVC msg=audit(1615168808.860:188): avc: denied { execute } for pid=5979 comm="rhsmcertd-worke" name="kpatch" dev="dm-0" ino=50613118 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
Hash: rhsmcertd-worke,rhsmcertd_t,kpatch_exec_t,file,execute

Created attachment 1761467 [details]
rhsm.log with debug
I am getting a total of 4 selinux alerts connected to rhsmcertd-worke when I boot rhel 8.3 (including the original one reported against CentOS Stream). The outstanding 2 are as follows:
SELinux is preventing rhsmcertd-worke from add_name access on the directory hawkey.log.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rhsmcertd-worke should be allowed add_name access on the hawkey.log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp
Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects hawkey.log [ dir ]
Source rhsmcertd-worke
Source Path rhsmcertd-worke
Port <Unknown>
Host zooty.moose.blogdns.org
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name zooty.moose.blogdns.org
Platform Linux zooty.moose.blogdns.org
4.18.0-240.15.1.el8_3.x86_64 #1 SMP Wed Feb 3
03:12:15 EST 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-03-08 13:58:40 AEDT
Last Seen 2021-03-08 13:58:40 AEDT
Local ID 6f2c2da9-0d2d-483f-af5e-47d0f0c070ec
Raw Audit Messages
type=AVC msg=audit(1615172320.37:110): avc: denied { add_name } for pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Hash: rhsmcertd-worke,rhsmcertd_t,var_log_t,dir,add_name
=================================
and...
SELinux is preventing rhsmcertd-worke from create access on the file hawkey.log.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that rhsmcertd-worke should be allowed create access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp
Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0
Target Context system_u:object_r:var_log_t:s0
Target Objects hawkey.log [ file ]
Source rhsmcertd-worke
Source Path rhsmcertd-worke
Port <Unknown>
Host zooty.moose.blogdns.org
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name zooty.moose.blogdns.org
Platform Linux zooty.moose.blogdns.org
4.18.0-240.15.1.el8_3.x86_64 #1 SMP Wed Feb 3
03:12:15 EST 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-03-08 13:58:40 AEDT
Last Seen 2021-03-08 13:58:40 AEDT
Local ID e6a46363-64c0-426c-b4a6-486862247428
Raw Audit Messages
type=AVC msg=audit(1615172320.37:110): avc: denied { create } for pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Hash: rhsmcertd-worke,rhsmcertd_t,var_log_t,file,create
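An added triage helper, not part of this report or of subscription-manager, that parses the raw AVC records quoted in this thread and rebuilds the "Hash:" summary sealert prints from them, so repeated denials can be grouped by source type, target type, class and permission before deciding whether any warrant a policy change. The AVC strings are copied from this report; the field names are the standard kernel audit keys.

```python
import re

# Raw AVC records copied from the sealert output quoted in this report; the
# "Hash:" line sealert prints is built from exactly these fields.
AVC_LINES = [
    'type=AVC msg=audit(1614144719.503:287): avc: denied { node_bind } for pid=11046 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1',
    'type=AVC msg=audit(1615168808.860:188): avc: denied { execute } for pid=5979 comm="rhsmcertd-worke" name="kpatch" dev="dm-0" ino=50613118 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1615172320.37:110): avc: denied { add_name } for pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """The third component of an SELinux context (user:role:type:level) is the type."""
    return context.split(':')[2]

def parse_avc(line):
    """Parse one raw AVC audit record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),          # target object name, when the kernel logs one
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
        # permissive=1 means the access was logged but not blocked; only a
        # denial with permissive=0 actually stopped the process.
        'blocked': fields.get('permissive') == '0',
    }

def avc_hash(rec):
    """Rebuild sealert's 'Hash:' summary (comm,source type,target type,class,perm).
    Assumes one permission per record, as in every denial quoted in this report."""
    return ','.join([rec['comm'], type_of(rec['scontext']), type_of(rec['tcontext']),
                     rec['tclass'], rec['perms'][0]])

def triage(lines):
    """Group denials by their hash so each distinct access pattern is reviewed once."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            groups.setdefault(avc_hash(rec), []).append(rec)
    return groups
```

Feeding `ausearch -m AVC --raw` output through `triage` gives one group per distinct denial, and the `blocked` flag tells you whether the machine was in enforcing mode when it fired.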
Hi,
the original bug report is a duplicate of the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1930920
It is a duplicate of the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=1923985
This issue has already been solved. More details can be found in this PR: https://github.com/fedora-selinux/selinux-policy/pull/598
Jiri

Hi,
response to other comments:
If you use the upstream version of selinux-policy, then rhsmcertd should be able to access kpatch information without any SELinux alert:
https://github.com/zpytela/selinux-policy/commit/bc1b9f353d5019b17e16bddfca7488c47ec2534a
https://github.com/zpytela/selinux-policy/commit/fd34e7e04a8b35f4a969d91d3bf50e4ee4091b38
We don't see any reason why rhsmcertd should open hawkey.log. We suspect that the behavior reported in comment #4 is caused by unusual changes in the system. Such changes could have two reasons:
* The administrator of the system made some non-standard change with side effects that were reported in this bug report.
* The system was compromised and SELinux prevented the attacker from making other changes in the system or continuing with the attack.
There is also no other bug report or customer case with similar observations.

Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.
Jiri

*** This bug has been marked as a duplicate of bug 1930920 ***
Description of problem:
SELinux is preventing rhsmcertd-worke from node_bind access on the tcp_socket port None.
The SELinux Alert Browser is unable to manage the reporting of this for some reason (when I press the report button I get an empty dialog box and it hangs forever).
From the details page:
SELinux is preventing rhsmcertd-worke from node_bind access on the tcp_socket port None.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that rhsmcertd-worke should be allowed node_bind access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp
Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0
Target Context system_u:object_r:node_t:s0
Target Objects port None [ tcp_socket ]
Source rhsmcertd-worke
Source Path rhsmcertd-worke
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-63.el8.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-63.el8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux centos.digiflex.com.au 4.18.0-277.el8.x86_64 #1 SMP Wed Feb 3 20:35:19 UTC 2021 x86_64 x86_64
Alert Count 2
First Seen 2021-02-24 12:31:58 AEDT
Last Seen 2021-02-24 16:31:59 AEDT
Local ID 5ce7e992-3561-4676-89ea-b2b28644e6b0
Raw Audit Messages
type=AVC msg=audit(1614144719.503:287): avc: denied { node_bind } for pid=11046 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
Hash: rhsmcertd-worke,rhsmcertd_t,node_t,tcp_socket,node_bind