Bug 498936 - SELinux, network services ssh probe fails w/ selinux enforcing
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Jan Pazdziora
wes hayutin
Duplicates: 497912
Depends On:
Blocks: 457079
Reported: 2009-05-04 10:30 EDT by wes hayutin
Modified: 2009-09-10 15:12 EDT (History)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-09-10 15:12:47 EDT

Attachments
audit.log tar'd up (6.50 MB, application/octet-stream), 2009-05-05 09:01 EDT, wes hayutin

Description wes hayutin 2009-05-04 10:30:17 EDT
Description of problem:

4/24.1 build rhel 5

1. setup configure monitoring
2. create a network services, ssh probe
3. push scount config

w/ selinux in enforcing you get
Network Services: SSH | SSH port 22: connect: Permission denied

I *think* this is the selinux error... not sure at all
type=SYSCALL msg=audit(1241447061.975:13511): arch=40000003 syscall=195 success=no exit=-13 a0=87d1f70 a1=bf964a10 a2=2f8ff4 a3=87d1f70 items=0 ppid=4407 pid=4418 auid=0 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=797 comm="sh" exe="/bin/bash" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)

change to permissive

now you get it working.

Probe(s) assigned to system have an OK status | Network Services: SSH | SSH port 22: Latency 0.0113 sec; Response SSH-2.0-OpenSSH_4.3
Comment 1 Miroslav Suchý 2009-05-04 10:57:06 EDT
Jan, can you please do it?
Comment 2 Jan Pazdziora 2009-05-05 08:20:45 EDT
Wes, the error is the line with type=AVC, not type=SYSCALL. Can you please attach the actual AVC denial line? Thanks, Jan.
Comment 3 wes hayutin 2009-05-05 09:01:46 EDT
Created attachment 342454 [details]
audit.log tar'd up
Comment 4 wes hayutin 2009-05-05 09:03:41 EDT
attaching all the audit logs I have for the box, because I am unable to find the offending line. It is clearly related to selinux, turning selinux on or off changes the probes status.
Comment 5 Jan Pazdziora 2009-05-12 11:03:07 EDT
The AVC message is

avc:  denied  { name_connect } for  pid=699 comm="kernel.pl" dest=22 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket

which strangely enough I was not able to see in any of the logs.
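The distinction Jan draws in comment 2 (the denial is the type=AVC record, not the type=SYSCALL record that follows it) and the translation from the AVC line in comment 5 to a policy rule can be shown with a small audit-log filter. The script below is an added example, not code from this bug report or from Spacewalk. Both sample lines are constructed from text on this page: the first is the SYSCALL record pasted in the description, the second is the AVC record from comment 5 with an assumed "type=AVC msg=audit(...)" prefix, since the page only quotes the record from "avc:" onwards. The allow rule it renders is the same translation audit2allow performs, here reimplemented in a simplified form.

```python
import re

# Added example (not part of the bug report or of Spacewalk): pick the AVC
# denials out of an audit log and render the allow rule each one implies.

# Constructed sample log. Line 1 is the SYSCALL record from the report, which
# carries no denial details; line 2 is the AVC record quoted in comment 5.
# The "type=AVC msg=audit(...)" prefix on line 2 is assumed.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1241447061.975:13511): arch=40000003 syscall=195 success=no exit=-13 a0=87d1f70 a1=bf964a10 a2=2f8ff4 a3=87d1f70 items=0 ppid=4407 pid=4418 auid=0 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105 fsgid=105 tty=(none) ses=797 comm="sh" exe="/bin/bash" subj=user_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1242140580.123:99): avc:  denied  { name_connect } for  pid=699 comm="kernel.pl" dest=22 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket
"""

# "avc:  denied  { perm perm } for  key=value ..." (spacing varies, hence \s+)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; quoted values such as comm="kernel.pl" keep inner spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Third field of a user:role:type:level security context, or None."""
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL, CWD, PATH ... records are not denials
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "tclass": fields.get("tclass"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
    }
    # Policy rules name types, not full contexts.
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def find_denials(log_text):
    """All denied AVC records in the log, in file order."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r is not None and r["result"] == "denied"]


def allow_rule(rec):
    """TE allow rule that would satisfy the denial (what audit2allow emits)."""
    perms = " ".join(rec["perms"])
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT_LOG):
        print(f"{rec['comm']} (pid {rec['pid']}) denied {rec['perms']} "
              f"on {rec['tclass']} {rec['ttype']}")
        print("  candidate rule:", allow_rule(rec))
```

The rendered rule is only a candidate: the reviewer still has to decide whether the access is legitimate (a monitoring probe connecting to sshd is) and then ship it in the product's own policy module, as the fix in comment 6 does via spacewalk-monitoring-selinux, rather than loosening policy on the box by hand. If a denial that the observed behaviour clearly implies is missing from audit.log, as in comments 4 and 5, one common cause is a dontaudit rule silencing it; `semodule -DB` rebuilds the loaded policy with dontaudit rules disabled so the record appears, and `semodule -B` restores the normal build afterwards.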
Comment 6 Jan Pazdziora 2009-05-12 11:04:22 EDT
Fixed in Spacewalk repo, master a775624dd595299beb5023b7d70f0520e1fd5d61, spacewalk-monitoring-selinux-0.6.7-1, VADER 751f78df7878079e37661f7007056a460279c66b.
Comment 7 Jan Pazdziora 2009-05-18 04:36:35 EDT
*** Bug 497912 has been marked as a duplicate of this bug. ***
Comment 8 Jan Pazdziora 2009-05-21 08:14:17 EDT
With compose Satellite-5.3.0-RHEL5-re20090520.0 available, moving ON_QA.
Comment 9 wes hayutin 2009-06-02 08:41:44 EDT
[root@grandprix ~]# su - nocpulse
-bash-3.2$ rhn-runprobe 102
2009-06-02 08:39:27     No items changed
2009-06-02 08:39:27     Notification not required
2009-06-02 08:39:27     NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-02 08:39:27 
OK: SSH port 22: Latency 0.0885 sec; Response SSH-2.0-OpenSSH_4.3\n
-bash-3.2$ exit
[root@grandprix ~]# getenforce 
[root@grandprix ~]#
Comment 10 Milan Zázrivec 2009-09-02 08:56:46 EDT
Verified in stage -> RELEASE_PENDING
Comment 11 Brandon Perkins 2009-09-10 15:12:47 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

