Bug 486739 - satellite install, selinux denials MonitoringScout
satellite install, selinux denials MonitoringScout
Status: CLOSED NOTABUG
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
na
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-02-21 11:27 EST by wes hayutin
Modified: 2009-03-16 10:01 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-16 10:01:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description wes hayutin 2009-02-21 11:27:32 EST
Description of problem:
satellite install, selinux denials Monitoring Scout
Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso

clear audit log
install latest satellite iso
check audit log


type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:sp
acewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:sp
acewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187498.928:388): avc:  denied  { read write } for  pid=9401 comm="MonitoringScout" path="socket:[7020]" dev=sockfs ino=7020 scontext=root:system_r:sp
acewalk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Comment 1 Jan Pazdziora 2009-02-24 06:14:34 EST
What did you do after that installation? After the installer said

* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
* Restarting services.
Installation complete.
Visit https://your-satellite.redhat.com to create the RHN Satellite
administrator account.

what other steps did you make? Did you go to the WebUI and activate monitoring? Or is this without even activating monitoring?
Comment 2 Jan Pazdziora 2009-02-24 06:30:36 EST
Generally, these look like leaked descriptors from whatever automation tool you are using.

Please provide info about how exactly you run those installations.
Comment 3 wes hayutin 2009-02-24 08:51:11 EST
Then sat install ran, then I get the audit log...
nothing.. else was done
Comment 4 Jan Pazdziora 2009-02-25 03:04:56 EST
Wes confirmed that the installation was run under screen and that re-running the installation without screen does not generate the AVC denials. So currently it looks like leaked file descriptor in screen.
Comment 5 wes hayutin 2009-02-25 13:59:08 EST
running w/ the correct version of screen did NOT produce this error..
I think we can close this.
Comment 6 wes hayutin 2009-02-25 15:48:56 EST
recreated this error on a x86_64 install w/o screen
type=AVC msg=audit(1235593563.492:118): avc:  denied  { sigchld } for  pid=9971 comm="MonitoringScout" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tcla
ss=process


[root@test02-64 ~]# ps -ef | grep 9971
root     26849 20185  0 15:48 pts/1    00:00:00 grep 9971
Comment 7 Jan Pazdziora 2009-02-26 03:50:34 EST
Wes, the original report was not about sigchld, if was about read/write on unix_stream_socket. It's not the same issue. We will need new, full bugzilla, describing exactly what you did when you got this sigchld denial -- was it during installation, when services were first restarted, when you activated monitoring, etc.
Comment 8 Jan Pazdziora 2009-03-16 09:59:37 EDT
The same problem as bug 486742: screen possibly leaking descriptors was leading to AVC denials. Closing as NOTABUG as it's not strictly speaking a duplicate -- the cause was the same but the symptoms showed in different programs.

Note You need to log in before you can comment on or make changes to this bug.