Bug 498930 - SELinux, monitoring Network Services, RPC probe selinux error
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
530
All Linux
low Severity medium
Assigned To: Jan Pazdziora
wes hayutin
na
Depends On:
Blocks: 457079 463877
Reported: 2009-05-04 10:14 EDT by wes hayutin
Modified: 2009-09-10 14:49 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 14:49:35 EDT
Description wes hayutin 2009-05-04 10:14:06 EDT
Description of problem:

4/24.1 build rhel 5

getting selinux errors while running network services rpc probe

type=AVC msg=audit(1241445896.523:13465): avc:  denied  { execute } for  pid=31382 comm="sh" name="rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { execute_no_trans } for  pid=31382 comm="sh" path="/usr/sbin/rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { read } for  pid=31382 comm="sh" path="/usr/sbin/rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1241445896.523:13465): arch=40000003 syscall=11 success=yes exit=0 a0=829af70 a1=829ad90 a2=829b028 a3=0 items=0 ppid=31377 pid=31382 auid=0 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=797 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)


recreate:
1. setup monitoring and probes
2. create network services probe, using nfs
3. setup client w/ nfs
4. push scout config..
5. get selinux errors
Comment 1 wes hayutin 2009-05-04 10:17:53 EDT
causes
Network Services: RPC Service   	 Unable to establish rpc connection to service nfs on host 10.10.76.146
Comment 2 Jan Pazdziora 2009-05-25 10:10:00 EDT
There are two more AVC denials here:

type=AVC msg=audit(1241440704.859:750): avc:  denied  { name_bind } for  pid=5700 comm="rpcinfo" src=788 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1241440704.859:750): avc:  denied  { node_bind } for  pid=5700 comm="rpcinfo" src=788 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
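
Added example, not part of the bug report and not the content of the Spacewalk policy commits: a Python script that parses the audit records quoted in the Description and Comment 2, groups the denied permissions by source type, target type and object class, and prints each group in allow-rule syntax. The function names are illustrative.

```python
import re
from collections import defaultdict

# Audit records copied verbatim from the bug report (Description and Comment 2).
LOG = """\
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { execute } for  pid=31382 comm="sh" name="rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { execute_no_trans } for  pid=31382 comm="sh" path="/usr/sbin/rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1241445896.523:13465): avc:  denied  { read } for  pid=31382 comm="sh" path="/usr/sbin/rpcinfo" dev=dm-0 ino=3931776 scontext=user_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=SYSCALL msg=audit(1241445896.523:13465): arch=40000003 syscall=11 success=yes exit=0 a0=829af70 a1=829ad90 a2=829b028 a3=0 items=0 ppid=31377 pid=31382 auid=0 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=797 comm="rpcinfo" exe="/usr/sbin/rpcinfo" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1241440704.859:750): avc:  denied  { name_bind } for  pid=5700 comm="rpcinfo" src=788 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1241440704.859:750): avc:  denied  { node_bind } for  pid=5700 comm="rpcinfo" src=788 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:inaddr_any_node_t:s0 tclass=udp_socket
"""

AVC = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<id>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
                 r".*?scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")
SYSCALL = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<id>\d+)\):.*?\bsuccess=(?P<ok>\w+)")

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials, outcome = defaultdict(set), {}
    for line in log_text.splitlines():
        if m := AVC.search(line):
            key = (se_type(m["s"]), se_type(m["t"]), m["c"])
            denials[key].update(m["perms"].split())
        elif m := SYSCALL.search(line):
            # An event id with both a denial and success=yes is one where the
            # access went through anyway, as happens in permissive mode.
            outcome[m["id"]] = m["ok"]
    return dict(denials), outcome

def allow_rules(denials):
    """Render each group of denials in allow-rule syntax, sorted for stable output."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    denials, outcome = summarize(LOG)
    print("\n".join(allow_rules(denials)))
    print("syscall outcome by audit event id:", outcome)
```

The rules printed are the literal form of the denials; a policy author would normally review them and prefer the matching reference-policy interfaces over raw allow rules.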
Comment 3 Jan Pazdziora 2009-05-26 04:13:23 EDT
Fix in Spacewalk repo master 785e6f144521a893a756f11b95282577763ba227 and cf44bdce656294f4181424b6843366258eda428a.
Comment 4 wes hayutin 2009-06-04 09:30:10 EDT
verified
-bash-3.2$ rhn-runprobe --probe 173
2009-06-04 09:29:36 	Items changed or removed:
2009-06-04 09:29:36 		latency '0.266723' is OK
2009-06-04 09:29:36 		Unable to establish rpc connection to service nfs on host 10.10.77.159     '' is CRITICAL
2009-06-04 09:29:36 	Would notify because:
2009-06-04 09:29:36 		Unable to establish rpc connection to service nfs on host 10.10.77.159     '' is OK
2009-06-04 09:29:36 	NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-04 09:29:36 
============================================================
OK: RPC service nfs: Latency 0.267 sec
============================================================
Comment 5 Milan Zázrivec 2009-09-02 08:56:27 EDT
Verified in stage -> RELEASE_PENDING
Comment 6 Brandon Perkins 2009-09-10 14:49:35 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
