Bug 498936 - SELinux, network services ssh probe fails w/ selinux enforcing
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Version: 530
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Jan Pazdziora
wes hayutin
na
Duplicates: 497912
Depends On:
Blocks: 457079
Reported: 2009-05-04 10:30 EDT by wes hayutin
Modified: 2009-09-10 15:12 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 15:12:47 EDT
Attachments
audit.log tar'd up (6.50 MB, application/octet-stream)
2009-05-05 09:01 EDT, wes hayutin

Description wes hayutin 2009-05-04 10:30:17 EDT
Description of problem:

4/24.1 build rhel 5

recreate:
1. setup configure monitoring
2. create a network services, ssh probe
3. push scout config

w/ selinux in enforcing you get
  	 Network Services: SSH   	 SSH port 22: connect: Permission denied 

I *think* this is the selinux error... not sure at all
type=SYSCALL msg=audit(1241447061.975:13511): arch=40000003 syscall=195 success=no exit=-13 a0=87d1f70 a1=bf964a10 a2=2f8ff4 a3=87d1f70 items=0 ppid=4407 pid=4418 auid=0 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=797 comm="sh" exe="/bin/bash" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)


change to permissive

now you get it working.

Probe(s) assigned to system have an OK status   	 Network Services: SSH   	 SSH port 22: Latency 0.0113 sec; Response SSH-2.0-OpenSSH_4.3
Comment 1 Miroslav Suchý 2009-05-04 10:57:06 EDT
Jan, can you please do it?
Comment 2 Jan Pazdziora 2009-05-05 08:20:45 EDT
Wes, the error is the line with type=AVC, not type=SYSCALL. Can you please attach the actual AVC denial line? Thanks, Jan.
Comment 3 wes hayutin 2009-05-05 09:01:46 EDT
Created attachment 342454
audit.log tar'd up
Comment 4 wes hayutin 2009-05-05 09:03:41 EDT
attaching all the audit logs I have for the box, because I am unable to find the offending line.  It is clearly related to selinux, turning selinux on or off changes the probe's status.
Comment 5 Jan Pazdziora 2009-05-12 11:03:07 EDT
The AVC message is

avc:  denied  { name_connect } for  pid=699 comm="kernel.pl" dest=22 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket

which strangely enough I was not able to see in any of the logs.
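
Added example, not part of the original comments or of the Spacewalk code: a small Python parser that takes denials only from type=AVC records, as comment 2 asks, derives the type-enforcement rule that the name_connect denial corresponds to, and lists failed SYSCALL events that carry no AVC record. The AVC record's audit header in the sample is constructed and the function names are illustrative; the rule it returns is the raw denial rewritten as an allow statement for review, not the change made in the fix, which this page does not show.

```python
import re

# Constructed sample. The SYSCALL record (abridged) and the AVC text come from
# this report; the AVC record's audit header (timestamp:serial) is invented.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1241447061.975:13511): arch=40000003 syscall=195 success=no exit=-13 pid=4418 comm="sh" exe="/bin/bash" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1242140587.000:1): avc:  denied  { name_connect } for  pid=699 comm="kernel.pl" dest=22 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
'''

RECORD = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
DENIED = re.compile(r'avc:\s+denied\s+\{\s*(.*?)\s*\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(text):
    """Group (type, body) records by audit event id; one event shares one id."""
    events = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            events.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    return events

def avc_denials(text):
    """Return one dict per denial, read from type=AVC records only."""
    out = []
    for event_id, recs in group_events(text).items():
        for rtype, body in recs:
            m = DENIED.search(body) if rtype == 'AVC' else None
            if not m:
                continue
            f = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
            out.append({'event': event_id, 'perms': m.group(1).split(),
                        'source': f['scontext'].split(':')[2],
                        'target': f['tcontext'].split(':')[2],
                        'tclass': f['tclass'], 'comm': f.get('comm')})
    return out

def unexplained_failures(text):
    """Event ids with a failed SYSCALL (exit=-13, EACCES) but no AVC record."""
    return [eid for eid, recs in group_events(text).items()
            if any(t == 'SYSCALL' and re.search(r'exit=-13\b', b) for t, b in recs)
            and not any(t == 'AVC' for t, _ in recs)]

def te_rule(d):
    """Type-enforcement rule matching the denial, for policy review."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ %s }' % ' '.join(d['perms'])
    return 'allow %s %s:%s %s;' % (d['source'], d['target'], d['tclass'], perms)

if __name__ == '__main__':
    print([te_rule(d) for d in avc_denials(SAMPLE_LOG)], unexplained_failures(SAMPLE_LOG))
```

On i386 (arch=40000003) syscall 195 is stat64, so the SYSCALL record quoted in the description is a denied file lookup by sh rather than the probe's TCP connect to port 22.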
Comment 6 Jan Pazdziora 2009-05-12 11:04:22 EDT
Fixed in Spacewalk repo, master a775624dd595299beb5023b7d70f0520e1fd5d61, spacewalk-monitoring-selinux-0.6.7-1, VADER 751f78df7878079e37661f7007056a460279c66b.
Comment 7 Jan Pazdziora 2009-05-18 04:36:35 EDT
*** Bug 497912 has been marked as a duplicate of this bug. ***
Comment 8 Jan Pazdziora 2009-05-21 08:14:17 EDT
With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.
Comment 9 wes hayutin 2009-06-02 08:41:44 EDT
[root@grandprix ~]# su - nocpulse
-bash-3.2$ rhn-runprobe 102
2009-06-02 08:39:27     No items changed
2009-06-02 08:39:27     Notification not required
2009-06-02 08:39:27     NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-02 08:39:27 
============================================================
OK: SSH port 22: Latency 0.0885 sec; Response SSH-2.0-OpenSSH_4.3\n
============================================================
-bash-3.2$ exit
logout
[root@grandprix ~]# getenforce 
Enforcing
[root@grandprix ~]#
Comment 10 Milan Zázrivec 2009-09-02 08:56:46 EDT
Verified in stage -> RELEASE_PENDING
Comment 11 Brandon Perkins 2009-09-10 15:12:47 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
