Bug 486740 - satellite install, selinux denials Monitoring
satellite install, selinux denials Monitoring
Status: CLOSED NOTABUG
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
na
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-02-21 11:29 EST by wes hayutin
Modified: 2009-03-16 10:01 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-16 10:01:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description wes hayutin 2009-02-21 11:29:41 EST
Description of problem:
satellite install, selinux denials Monitoring

Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso

clear audit log
install latest satellite iso
check audit log

type=AVC msg=audit(1235187499.116:389): avc:  denied  { read write } for  pid=9410 comm="Monitoring" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewa
lk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187499.116:389): avc:  denied  { read write } for  pid=9410 comm="Monitoring" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:spacewa
lk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187499.116:389): avc:  denied  { read write } for  pid=9410 comm="Monitoring" path="socket:[7020]" dev=sockfs ino=7020 scontext=root:system_r:spacewa
lk_monitoring_t:s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Comment 1 Jan Pazdziora 2009-02-24 06:14:35 EST
What did you do after that installation? After the installer said

* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
* Restarting services.
Installation complete.
Visit https://your-satellite.redhat.com to create the RHN Satellite
administrator account.

what other steps did you make? Did you go to the WebUI and activate monitoring? Or is this without even activating monitoring?
Comment 2 Jan Pazdziora 2009-02-24 06:30:37 EST
Generally, these look like leaked descriptors from whatever automation tool you are using.

Please provide info about how exactly you run those installations.
Comment 3 wes hayutin 2009-02-24 08:53:42 EST
the automation tool is a bash script..
$SVNDIR/qa/automation/sat-install-script/install-sat.sh
Comment 4 Jan Pazdziora 2009-02-25 03:04:57 EST
Wes confirmed that the installation was run under screen and that re-running the installation without screen does not generate the AVC denials. So currently it looks like leaked file descriptor in screen.
Comment 5 wes hayutin 2009-02-25 13:58:55 EST
running w/ the correct version of screen did NOT produce this error..
I think we can close this.
Comment 6 wes hayutin 2009-02-25 15:49:50 EST
recreated on a x86_64 install w/o screen
type=AVC msg=audit(1235593563.566:119): avc:  denied  { sigchld } for  pid=9980 comm="Monitoring" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=pr
ocess

[root@test02-64 ~]# ps -ef | grep 9980
root     27944 20185  0 15:49 pts/1    00:00:00 grep 9980
[root@test02-64 ~]#
Comment 7 Jan Pazdziora 2009-02-26 03:50:35 EST
Wes, the original report was not about sigchld, if was about read/write on unix_stream_socket. It's not the same issue. We will need new, full bugzilla, describing exactly what you did when you got this sigchld denial -- was it during installation, when services were first restarted, when you activated monitoring, etc.
Comment 8 Jan Pazdziora 2009-03-16 09:59:38 EDT
The same problem as bug 486742: screen possibly leaking descriptors was leading to AVC denials. Closing as NOTABUG as it's not strictly speaking a duplicate -- the cause was the same but the symptoms showed in different programs.

Note You need to log in before you can comment on or make changes to this bug.