Bug 1932158 - SELinux is preventing rhsmcertd-worke from node_bind access on the tcp_socket port None.
Keywords:
Status: CLOSED DUPLICATE of bug 1930920
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: subscription-manager
Version: CentOS Stream
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: rc
Assignee: candlepin-bugs
QA Contact: Red Hat subscription-manager QE Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-02-24 05:42 UTC by Ian Laurie
Modified: 2021-03-16 14:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-16 14:23:00 UTC
Type: Bug
Target Upstream Version:


Attachments
rhsm log (30.34 KB, text/plain)
2021-03-02 23:15 UTC, Ian Laurie
rhsm.log with debug (91.15 KB, text/plain)
2021-03-08 03:24 UTC, Ian Laurie

Description Ian Laurie 2021-02-24 05:42:09 UTC
Description of problem:
SELinux is preventing rhsmcertd-worke from node_bind access on the tcp_socket port None.

The SELinux Alert Browser is unable to manage the reporting of this for some reason (when I press the report button I get an empty dialog box and it hangs forever).

From the details page:

SELinux is preventing rhsmcertd-worke from node_bind access on the tcp_socket port None.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that rhsmcertd-worke should be allowed node_bind access on the port None tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp

Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                system_u:object_r:node_t:s0
Target Objects                port None [ tcp_socket ]
Source                        rhsmcertd-worke
Source Path                   rhsmcertd-worke
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-63.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-63.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux centos.digiflex.com.au 4.18.0-277.el8.x86_64
                              #1 SMP Wed Feb 3 20:35:19 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-02-24 12:31:58 AEDT
Last Seen                     2021-02-24 16:31:59 AEDT
Local ID                      5ce7e992-3561-4676-89ea-b2b28644e6b0

Raw Audit Messages
type=AVC msg=audit(1614144719.503:287): avc:  denied  { node_bind } for  pid=11046 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1


Hash: rhsmcertd-worke,rhsmcertd_t,node_t,tcp_socket,node_bind

Comment 1 Rehana 2021-03-02 15:09:32 UTC
Hi Ian Laurie,

Thank you for opening the bug. Can you please share the subscription-manager version you have installed on the system?

It will be helpful if you can set the debug mode "on" (ex: subscription-manager config --logging.default_log_level=DEBUG) in rhsmcertd and share the /var/log/rhsm/rhsm.log details; it will help in troubleshooting.

thanks,
Rehana

Comment 2 Ian Laurie 2021-03-02 23:15:19 UTC
Created attachment 1760294 [details]
rhsm log

Hi Rehana,

I am running subscription-manager-1.28.12-1.el8.x86_64 currently.  Updates are run routinely on this machine, typically whenever the VM is started up.  Base system is Fedora 33 running QEMU/KVM.  I can't be certain I was running the same version of subscription-manager back when I reported the bug, but it would have been whatever was the latest at the time.

Somewhat awkwardly, I'm not seeing this issue currently.

I have looked at the logs in /var/log/rhsm and found the one with errors in it from around Feb 24, which is when I had the problem.  Unfortunately the log level will be whatever was the default at the time, so I'm not sure if the errors in the file will be useful enough to work out why it happened.  The log previous to the one I am uploading also has these same errors; if you want that one I can give it to you, but I think it's just more of the same.

Comment 3 Ian Laurie 2021-03-08 02:13:44 UTC
I have a similar but not quite identical issue on RHEL 8.3 with subscription-manager-1.27.18-1.el8_3.x86_64 as follows (I have enabled debug as per comment #1 and will get a log uploaded):

SELinux is preventing rhsmcertd-worke from execute access on the file kpatch.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rhsmcertd-worke should be allowed execute access on the kpatch file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp

Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                system_u:object_r:kpatch_exec_t:s0
Target Objects                kpatch [ file ]
Source                        rhsmcertd-worke
Source Path                   rhsmcertd-worke
Port                          <Unknown>
Host                          zooty.moose.blogdns.org
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     zooty.moose.blogdns.org
Platform                      Linux zooty.moose.blogdns.org
                              4.18.0-240.15.1.el8_3.x86_64 #1 SMP Wed Feb 3
                              03:12:15 EST 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-03-08 13:00:08 AEDT
Last Seen                     2021-03-08 13:00:08 AEDT
Local ID                      cbb2b68a-7bb2-479c-9e05-378723fdc9f5

Raw Audit Messages
type=AVC msg=audit(1615168808.860:188): avc:  denied  { execute } for  pid=5979 comm="rhsmcertd-worke" name="kpatch" dev="dm-0" ino=50613118 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1


Hash: rhsmcertd-worke,rhsmcertd_t,kpatch_exec_t,file,execute

Comment 4 Ian Laurie 2021-03-08 03:24:43 UTC
Created attachment 1761467 [details]
rhsm.log with debug

I am getting a total of 4 selinux alerts connected to rhsmcertd-worke when I boot rhel 8.3 (including the original one reported against CentOS Stream).  The outstanding 2 are as follows:

SELinux is preventing rhsmcertd-worke from add_name access on the directory hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rhsmcertd-worke should be allowed add_name access on the hawkey.log directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp

Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                hawkey.log [ dir ]
Source                        rhsmcertd-worke
Source Path                   rhsmcertd-worke
Port                          <Unknown>
Host                          zooty.moose.blogdns.org
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     zooty.moose.blogdns.org
Platform                      Linux zooty.moose.blogdns.org
                              4.18.0-240.15.1.el8_3.x86_64 #1 SMP Wed Feb 3
                              03:12:15 EST 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-03-08 13:58:40 AEDT
Last Seen                     2021-03-08 13:58:40 AEDT
Local ID                      6f2c2da9-0d2d-483f-af5e-47d0f0c070ec

Raw Audit Messages
type=AVC msg=audit(1615172320.37:110): avc:  denied  { add_name } for  pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1


Hash: rhsmcertd-worke,rhsmcertd_t,var_log_t,dir,add_name

=================================

and...

SELinux is preventing rhsmcertd-worke from create access on the file hawkey.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rhsmcertd-worke should be allowed create access on the hawkey.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp

Additional Information:
Source Context                system_u:system_r:rhsmcertd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                hawkey.log [ file ]
Source                        rhsmcertd-worke
Source Path                   rhsmcertd-worke
Port                          <Unknown>
Host                          zooty.moose.blogdns.org
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-54.el8_3.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     zooty.moose.blogdns.org
Platform                      Linux zooty.moose.blogdns.org
                              4.18.0-240.15.1.el8_3.x86_64 #1 SMP Wed Feb 3
                              03:12:15 EST 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-03-08 13:58:40 AEDT
Last Seen                     2021-03-08 13:58:40 AEDT
Local ID                      e6a46363-64c0-426c-b4a6-486862247428

Raw Audit Messages
type=AVC msg=audit(1615172320.37:110): avc:  denied  { create } for  pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1


Hash: rhsmcertd-worke,rhsmcertd_t,var_log_t,file,create
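
As an added example (not code from this bug report, subscription-manager or setroubleshoot): a small Python parser for the raw AVC records quoted above, which extracts the source domain, target type, class and permission, reproduces the tuple setroubleshoot prints on its "Hash:" line, and flags records logged under permissive mode. The sample input is constructed from the four AVC lines on this page.

```python
import re
from collections import Counter

# Constructed sample input: the four AVC records quoted in this bug report
# (Raw Audit Messages sections of the description and comments 3 and 4).
SAMPLE_AVCS = """\
type=AVC msg=audit(1614144719.503:287): avc:  denied  { node_bind } for  pid=11046 comm="rhsmcertd-worke" saddr=::1 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1615168808.860:188): avc:  denied  { execute } for  pid=5979 comm="rhsmcertd-worke" name="kpatch" dev="dm-0" ino=50613118 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:kpatch_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1615172320.37:110): avc:  denied  { add_name } for  pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1615172320.37:110): avc:  denied  { create } for  pid=3095 comm="rhsmcertd-worke" name="hawkey.log" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

# Header of an AVC record; everything after "for" is a run of key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'sdomain': kv['scontext'].split(':')[2],   # e.g. rhsmcertd_t
        'ttype': kv['tcontext'].split(':')[2],     # e.g. var_log_t
        'tclass': kv['tclass'],
        'target': kv.get('name') or kv.get('saddr'),
        # permissive=1 means the access was logged but actually allowed.
        'permissive': kv.get('permissive') == '1',
    }


def signature(rec):
    """The tuple setroubleshoot prints on its 'Hash:' line."""
    return ','.join([rec['comm'], rec['sdomain'], rec['ttype'],
                     rec['tclass'], rec['perms'][0]])


def triage(text):
    """Parse all AVC lines and count distinct denial signatures."""
    recs = [r for r in map(parse_avc, text.splitlines()) if r]
    return recs, Counter(signature(r) for r in recs)
```

Every alert on this page shows Enforcing Mode as Permissive, so each permissive=1 record was only logged and the access went through; the same records would be real denials on an enforcing host.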

Comment 5 Jiri Hnidek 2021-03-16 13:44:08 UTC
Hi,
the original bug report is a duplicate of the following bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=1930920

It is a duplicate of the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1923985

This issue has already been solved. More details can be found in this PR:

https://github.com/fedora-selinux/selinux-policy/pull/598

Jiri

Comment 6 Jiri Hnidek 2021-03-16 14:23:00 UTC
Hi,
in response to the other comments:

If you use the upstream version of selinux-policy, then rhsmcertd should be able to access kpatch information without any SELinux alert:

https://github.com/zpytela/selinux-policy/commit/bc1b9f353d5019b17e16bddfca7488c47ec2534a
https://github.com/zpytela/selinux-policy/commit/fd34e7e04a8b35f4a969d91d3bf50e4ee4091b38

We don't see any reason why rhsmcertd should open hawkey.log. We suspect that the behavior reported in comment #4 is caused by unusual changes in the system. Such changes could have two reasons:

* The administrator of the system made some non-standard change with side effects that were reported in this bug report.
* The system was compromised and SELinux prevented the attacker from making other changes in the system or continuing with the attack.

There are also no other bug reports or customer cases with similar observations.


Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution.

If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.


Jiri

*** This bug has been marked as a duplicate of bug 1930920 ***

