Description of problem:
first bug opened on a similar but not related issue.. 433884

4/24.1 build

recreate.
1. change selinux to Permissive on *ALL* systems
2. register a rhel4 and rhel 5 client to satellite
3. enable monitoring
4. test a sample probe to make sure monitoring works.. (in my test I had Linux:Load, Ping, Linux:Virtual Memory working)
5. on the satellite server install mysql package
5. on each client install mysql and mysql server
6. create a db and user
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON TEST.* TO 'westest'@'%' IDENTIFIED BY 'dog8code';
7. go to satellite server test the connection of mysql to the clients.. riverraid= satellite server
[root@riverraid ~]# mysql -h dhcp77-132.rhndev.redhat.com -u westest -p test
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 26
Server version: 5.0.45 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>
8. create a mysql:Database accessibility probe using the same parameters used in step 7
9. push the scout config.

eventually you get an error:
Client connectivity test failed when trying to connect to database test
Created attachment 341602 [details] spacewalk-debug
Created attachment 341603 [details] sosreport from sat server
Created attachment 341605 [details] sosreport from client
I'm an idiot, selinux was on.. and I found errors
selinux for monitoring and mysql here..

type=MAC_STATUS msg=audit(1240937469.177:1342): enforcing=0 old_enforcing=1 auid=0 ses=148
type=SYSCALL msg=audit(1240937469.177:1342): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bf94ab04 a2=1 a3=bf94ab04 items=0 ppid=4804 pid=15274 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=148 comm="setenforce" exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1240937500.386:1343): avc: denied { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.386:1343): arch=40000003 syscall=195 success=yes exit=0 a0=bf8845ae a1=bf88154c a2=53aff4 a3=bf88154c items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.386:1344): avc: denied { read } for pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.386:1344): arch=40000003 syscall=5 success=yes exit=3 a0=bf8845ae a1=8000 a2=1b6 a3=9808520 items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.418:1345): avc: denied { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.418:1345): arch=40000003 syscall=195 success=yes exit=0 a0=bf8839be a1=bf88392c a2=53aff4 a3=bf88392c items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1240937500.418:1346): avc: denied { read } for pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1240937500.418:1346): arch=40000003 syscall=5 success=yes exit=4 a0=bf8839be a1=8000 a2=0 a3=8000 items=0 ppid=15459 pid=15473 auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="mysql" exe="/usr/bin/mysql" subj=system_u:system_r:spacewalk_monitoring_t:s0 key=(null)
the probe works just fine w/ selinux in permissive
the above selinux errors are on the rhn-satellite server riverraid.
Jan can you do this one, please?
Note to self: The AVCs are

type=AVC msg=audit(1240937500.386:1343): avc: denied { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1240937500.386:1344): avc: denied { read } for pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1240937500.418:1345): avc: denied { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1240937500.418:1346): avc: denied { read } for pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file

The /usr/bin/mysql is bin_t, nothing special:

# ls -laZ /usr/bin/mysql
-rwxr-xr-x root root system_u:object_r:bin_t /usr/bin/mysql
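The denials listed above, grouped by source type, target type and object class, as an added example that is not part of the original bug comments. The function names are hypothetical, and the rule-shaped output is only a way to read the denials; it is not the content of the fix referenced in this bug.

```python
import re
from collections import defaultdict

# Records copied from the comments above (one MAC_STATUS line plus the four AVCs).
SAMPLE = """\
type=MAC_STATUS msg=audit(1240937469.177:1342): enforcing=0 old_enforcing=1 auid=0 ses=148
type=AVC msg=audit(1240937500.386:1343): avc: denied { getattr } for pid=15473 comm="mysql" path="/etc/my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1240937500.386:1344): avc: denied { read } for pid=15473 comm="mysql" name="my.cnf" dev=dm-0 ino=1345384 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:mysqld_etc_t:s0 tclass=file
type=AVC msg=audit(1240937500.418:1345): avc: denied { getattr } for pid=15473 comm="mysql" path="/usr/share/mysql/charsets/Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1240937500.418:1346): avc: denied { read } for pid=15473 comm="mysql" name="Index.xml" dev=dm-0 ino=2000682 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    # user:role:type:level -> type (the level part may itself contain colons)
    return context.split(":")[2]

def group_denials(text):
    """Map (source type, target type, class) -> sorted list of denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL, MAC_STATUS and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # AVC record without a "denied" decision or with missing fields
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        grouped[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in grouped.items()}

def as_rules(grouped):
    """Render each group in the shape of a policy allow rule, for review only."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in as_rules(group_denials(SAMPLE)):
        print(rule)
```

The grouping makes it visible that all four denials come from the one confined domain, spacewalk_monitoring_t, reading two differently labelled files.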
Fix in Spacewalk master f00ef6f06308869c2125ed4a848c51fc061ca1ca and VADER b3db1b234a682f5a43df9ee3c016489a23698541. Tagged as spacewalk-monitoring-selinux-0.6.6-1 (master).
With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.
verified..

[root@grandprix ~]# setenforce 1
[root@grandprix ~]# su - nocpulse
-bash-3.2$ rhn-runprobe --debug 2 --probe 93
2009-06-02 08:55:09 No items changed
2009-06-02 08:55:09 Notification not required
2009-06-02 08:55:09 NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-02 08:55:09 ============================================================
OK: Client connectivity for user sattest to database test successful
5.3.0 final iso:

$ rhn-runprobe --live 21
2009-09-09 11:52:34 No items changed
2009-09-09 11:52:34 Notification not required
2009-09-09 11:52:34 ============================================================
OK: Client connectivity for user testuser to database mysql successful
============================================================

No selinux denials, RELEASE_PENDING.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html