Bug 486741 - satellite install, selinux denials jabberd
satellite install, selinux denials jabberd
Status: CLOSED NOTABUG
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
na
:
Depends On:
Blocks: 457079
  Show dependency treegraph
 
Reported: 2009-02-21 11:33 EST by wes hayutin
Modified: 2009-03-16 10:01 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-03-16 10:01:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description wes hayutin 2009-02-21 11:33:05 EST
Description of problem:
satellite install, selinux denials jabberd


Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso

clear audit log
install latest satellite iso
check audit log


type=AVC msg=audit(1235187502.552:396): avc:  denied  { read write } for  pid=9593 comm="jabberd" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:jabberd_t:
s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187502.552:396): avc:  denied  { read write } for  pid=9593 comm="jabberd" path="socket:[7018]" dev=sockfs ino=7018 scontext=root:system_r:jabberd_t:
s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1235187502.552:396): avc:  denied  { read write } for  pid=9593 comm="jabberd" path="socket:[7020]" dev=sockfs ino=7020 scontext=root:system_r:jabberd_t:
s0 tcontext=system_u:system_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
Comment 1 Jan Pazdziora 2009-02-24 06:12:03 EST
What did you do after that installation? After the installer said

* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
* Restarting services.
Installation complete.
Visit https://your-satellite.redhat.com to create the RHN Satellite administrator account.

what other steps did you make?
Comment 2 Jan Pazdziora 2009-02-24 06:30:38 EST
Generally, these look like leaked descriptors from whatever automation tool you are using.

Please provide info about how exactly you run those installations.
Comment 3 wes hayutin 2009-02-24 08:32:40 EST
commands executed after the install...

authconfig --usemd5 --enablemd5 --useshadow --enableshadow --enablenis \
           --nisdomain=redhat.com --nisserver=l2.corp.redhat.com --enablekrb5 \
           --krb5kdc=kerberos.corp.redhat.com:88 \
           --krb5adminserver=kerberos.corp.redhat.com:749 \
           --krb5realm=REDHAT.COM --disablekrb5kdcdns --disablekrb5realmdns \
           --disablesmbauth --kickstart


# Add PAM Auth support"
echo "#%PAM-1.0" > /etc/pam.d/rhn-satellite
echo "auth        required      pam_env.so" >> /etc/pam.d/rhn-satellite
echo "auth        sufficient    pam_krb5.so no_user_check" >> /etc/pam.d/rhn-sat
ellite
echo "auth        required      pam_deny.so" >> /etc/pam.d/rhn-satellite
echo "account     required      pam_krb5.so no_user_check" >> /etc/pam.d/rhn-sat
ellite

echo "pam_auth_service = rhn-satellite" >> /etc/rhn/rhn.conf


and then mount an nfs export w/ channel exports
Comment 4 Jan Pazdziora 2009-02-24 08:44:55 EST
So at which point did the AVC's appear? Before you run that authconfig or after? If after, was it during restarting the Satellite ('cause I assume after modifying /etc/rhn/rhn.conf, you had to restart the thing as well ...)?
Comment 5 wes hayutin 2009-02-24 08:59:38 EST
actually, looking at my script.. all the denials I reported are just from the install... 

I run the installer... several different ways.
The following is one of them.. which should be supported..
 yes | $TMP_MOUNT_DIR/install.pl --answer-file=$DIR/answers.txt   --skip-ssl-cert-generation --disconnected | tee -a install.log

         cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/
         echo "copy /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/"
         rpm -ivh /root/ssl-build/*.rhndev/*noarch.rpm
         echo "rpm -ivh /root/ssl-build/*/*noarch.rpm"
         rpm -qa | grep rhn-org-httpd-ssl-key-pair-
         sed -i -e  's/server.satellite.rhn_parent =/server.satellite.rhn_parent = satellite.rhn.webqa.redhat.com/
' /etc/rhn/rhn.conf
         $SATELLITE_STOP
         $SATELLITE_START
         rhn-satellite-activate --rhn-cert=/$DIR/cert.cert


if [ $? -ne 0 ]; then
        echo " THE INSTALL DID NOT COMPLETE SUCCESSFULLY"
        rm -Rf $DIR/isofile
        exit
fi

checkSELinuxAuditLog  (this checks the audit log for denials)
Comment 6 Jan Pazdziora 2009-02-25 03:04:58 EST
Wes confirmed that the installation was run under screen and that re-running the installation without screen does not generate the AVC denials. So currently it looks like leaked file descriptor in screen.
Comment 7 wes hayutin 2009-02-25 13:58:45 EST
running w/ the correct version of screen did NOT produce this error..
I think we can close this.
Comment 8 Jan Pazdziora 2009-03-16 09:59:39 EDT
The same problem as bug 486742: screen possibly leaking descriptors was leading to AVC denials. Closing as NOTABUG as it's not strictly speaking a duplicate -- the cause was the same but the symptoms showed in different programs.

Note You need to log in before you can comment on or make changes to this bug.