Bug 498941 - SELinux, monitroing Network Services FTP probe does not work w/ selinux enforcing
Summary: SELinux, monitroing Network Services FTP probe does not work w/ selinux enfor...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Version: 530
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: wes hayutin
URL: na
Whiteboard:
Depends On:
Blocks: 457079 463877
TreeView+ depends on / blocked
 
Reported: 2009-05-04 14:43 UTC by wes hayutin
Modified: 2009-09-10 18:49 UTC (History)
4 users (show)

Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-10 18:49:37 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description wes hayutin 2009-05-04 14:43:07 UTC
Description of problem:

4/24.1 build rhel 5

recreate:
1. setup configure monitoring
2. create a network services, ftp probe
3. push scount config

w/ selinux in permissive get:

Network Services: FTP   	 FTP port 21: Latency 0.0120 sec; Response 220 (vsFTPd 2.0.1)
331 Please specify the password.
530 Please login with USER and PASS.
230 Login successful.
221 Goodbye.

w/ selinux enforcing get:
  	 Network Services: FTP   	 FTP port 21: connect: Permission denied 

Most likely related and need the same policy change as bug:
https://bugzilla.redhat.com/show_bug.cgi?id=498936

for "sh" commands...


If it is the same, we need two bugs open to verify the probe.  I think one bug per probe is reasonable.

Comment 1 Miroslav Suchý 2009-05-04 14:57:37 UTC
Jan, can you please do it?

Comment 2 Jan Pazdziora 2009-05-26 09:38:32 UTC
The AVC denial is

type=AVC msg=audit(1243328831.582:1272): avc:  denied  { name_connect } for  pid=5491 comm="kernel.pl" dest=21 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket

Comment 3 Jan Pazdziora 2009-05-26 09:48:36 UTC
Fixed in Spacewalk repo master 659dc089d998889c406e7ac9ce4e1ef24913d96d.

Comment 4 wes hayutin 2009-06-04 13:33:32 UTC
-bash-3.2$ rhn-runprobe --probe 164
2009-06-04 09:32:50 	Items changed or removed:
2009-06-04 09:32:50 		latency '0.02674' is OK
2009-06-04 09:32:50 		Response '220 (vsFTPd 2.0.1)
331 Please specify the password.
530 Please login with USER and PASS.
' is OK
2009-06-04 09:32:50 		connect: Connection refused '' is CRITICAL
2009-06-04 09:32:50 	Would notify because:
2009-06-04 09:32:50 		connect: Connection refused '' is OK
2009-06-04 09:32:50 	NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-04 09:32:50 
============================================================
OK: FTP port 21: Latency 0.0267 sec; Response 220 (vsFTPd 2.0.1)\r\n331 Please specify the password.\r\n530 Please login with USER and PASS.\r\n
============================================================
-bash-3.2$ 


verified

Comment 5 Milan Zázrivec 2009-09-02 12:57:10 UTC
Verified in stage -> RELEASE_PENDING

Comment 6 Brandon Perkins 2009-09-10 18:49:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html


Note You need to log in before you can comment on or make changes to this bug.