Bug 498941 - SELinux, monitroing Network Services FTP probe does not work w/ selinux enforcing
SELinux, monitroing Network Services FTP probe does not work w/ selinux enfor...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring (Show other bugs)
530
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan Pazdziora
wes hayutin
na
:
Depends On:
Blocks: 457079 463877
  Show dependency treegraph
 
Reported: 2009-05-04 10:43 EDT by wes hayutin
Modified: 2009-09-10 14:49 EDT (History)
4 users (show)

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 14:49:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description wes hayutin 2009-05-04 10:43:07 EDT
Description of problem:

4/24.1 build rhel 5

recreate:
1. setup configure monitoring
2. create a network services, ftp probe
3. push scount config

w/ selinux in permissive get:

Network Services: FTP   	 FTP port 21: Latency 0.0120 sec; Response 220 (vsFTPd 2.0.1)
331 Please specify the password.
530 Please login with USER and PASS.
230 Login successful.
221 Goodbye.

w/ selinux enforcing get:
  	 Network Services: FTP   	 FTP port 21: connect: Permission denied 

Most likely related and need the same policy change as bug:
https://bugzilla.redhat.com/show_bug.cgi?id=498936

for "sh" commands...


If it is the same, we need two bugs open to verify the probe.  I think one bug per probe is reasonable.
Comment 1 Miroslav Suchý 2009-05-04 10:57:37 EDT
Jan, can you please do it?
Comment 2 Jan Pazdziora 2009-05-26 05:38:32 EDT
The AVC denial is

type=AVC msg=audit(1243328831.582:1272): avc:  denied  { name_connect } for  pid=5491 comm="kernel.pl" dest=21 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
Comment 3 Jan Pazdziora 2009-05-26 05:48:36 EDT
Fixed in Spacewalk repo master 659dc089d998889c406e7ac9ce4e1ef24913d96d.
Comment 4 wes hayutin 2009-06-04 09:33:32 EDT
-bash-3.2$ rhn-runprobe --probe 164
2009-06-04 09:32:50 	Items changed or removed:
2009-06-04 09:32:50 		latency '0.02674' is OK
2009-06-04 09:32:50 		Response '220 (vsFTPd 2.0.1)
331 Please specify the password.
530 Please login with USER and PASS.
' is OK
2009-06-04 09:32:50 		connect: Connection refused '' is CRITICAL
2009-06-04 09:32:50 	Would notify because:
2009-06-04 09:32:50 		connect: Connection refused '' is OK
2009-06-04 09:32:50 	NOTE: Running in test mode; no changes saved, nothing enqueued
2009-06-04 09:32:50 
============================================================
OK: FTP port 21: Latency 0.0267 sec; Response 220 (vsFTPd 2.0.1)\r\n331 Please specify the password.\r\n530 Please login with USER and PASS.\r\n
============================================================
-bash-3.2$ 


verified
Comment 5 Milan Zázrivec 2009-09-02 08:57:10 EDT
Verified in stage -> RELEASE_PENDING
Comment 6 Brandon Perkins 2009-09-10 14:49:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html

Note You need to log in before you can comment on or make changes to this bug.