Bug 501546 - Monitoring, selinux denial for snmp probe , "TSDBLocalQueue."
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Version: 530
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Jan Pazdziora
QA Contact: wes hayutin
URL: https://grandprix.rhndev.redhat.com/r...
Blocks: 457079 463877 505012
Reported: 2009-05-19 13:22 EDT by wes hayutin
Modified: 2009-09-10 14:49 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Clones: 505012
Last Closed: 2009-09-10 14:49:43 EDT
Description wes hayutin 2009-05-19 13:22:53 EDT
Description of problem:
sat530 5/7.1 build rhel 530



type=AVC msg=audit(1242749550.073:73831): avc:  denied  { read } for  pid=4171 comm="TSDBLocalQueue." name="current.1609" dev=dm-0 ino=1676585 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=lnk_file

recreate:
1. setup monitoring 
2. setup client w/ monitoring
3. create snmp probe

w/ selinux on get the above denial

w/ selinux in permissive probe works fine..



Probe:  	General: Uptime SNMP
Monitoring Scout 	RHN Monitoring Satellite
Status: 	UNKNOWN, Cannot connect to SNMP agent on host 10.10.76.190 , port 161, version 2; verify the port is correct and the agent is running
Comment 1 wes hayutin 2009-05-19 13:25:31 EDT
also get

 pid=4171 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=pts1 ses=2138 comm="TSDBLocalQueue." exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null)
Comment 2 Jan Pazdziora 2009-05-29 07:05:22 EDT
Upon fresh install of Satellite-5.3.0-RHEL5-re20090528.0, the types are

# ls -laZ /var/log/nocpulse/TSDBLocalQueue
drwxr-xr-x  apache   apache system_u:object_r:var_log_t      .
drwxrwxr-x  nocpulse apache system_u:object_r:spacewalk_monitoring_log_t ..
drwxr-xr-x  apache   apache system_u:object_r:var_log_t      archive
drwxr-xr-x  apache   apache system_u:object_r:var_log_t      failed
drwxr-xr-x  apache   apache system_u:object_r:var_log_t      queue

in spite of the fact that /var/log/nocpulse/TSDBLocalQueue is owned by tsdb

# rpm -qf /var/log/nocpulse/TSDBLocalQueue
tsdb-1.27.19-2.el5sat

and the type is properly defined:

# grep /var/log/nocpulse /etc/selinux/targeted/contexts/files/file_contexts*
/etc/selinux/targeted/contexts/files/file_contexts:/var/log/nocpulse(/.*)?	system_u:object_r:spacewalk_monitoring_log_t:s0

# restorecon -nrvv /var/log/nocpulse
restorecon reset /var/log/nocpulse/TSDBLocalQueue context system_u:object_r:var_log_t:s0->system_u:object_r:spacewalk_monitoring_log_t:s0
restorecon reset /var/log/nocpulse/TSDBLocalQueue/archive context system_u:object_r:var_log_t:s0->system_u:object_r:spacewalk_monitoring_log_t:s0
restorecon reset /var/log/nocpulse/TSDBLocalQueue/failed context system_u:object_r:var_log_t:s0->system_u:object_r:spacewalk_monitoring_log_t:s0
restorecon reset /var/log/nocpulse/TSDBLocalQueue/queue context system_u:object_r:var_log_t:s0->system_u:object_r:spacewalk_monitoring_log_t:s0

Why rpm did not set the context upon installation of the tsdb package is unclear to me.

The tsdb package was installed after spacewalk-monitoring-selinux was installed.

One possibility to tackle the problem is to require tsdb in spacewalk-monitoring-selinux, and thus relabel the directories in spacewalk-monitoring-selinux' %post.
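
The relabel check from comment 2, as an added example that is not part of the original bug report: it parses the AVC record from the description and compares the on-disk types from the `ls -laZ` listing with the quoted `file_contexts` entry, arriving at the same four paths that `restorecon -nrvv` flags. The function names and the simplified last-match-wins lookup are assumptions of this example.

```python
import re

# file_contexts entry quoted in comment 2: (anchored path regex, expected context)
FILE_CONTEXTS = [(r"/var/log/nocpulse(/.*)?",
                  "system_u:object_r:spacewalk_monitoring_log_t:s0")]

# On-disk contexts transcribed from the `ls -laZ` listing in comment 2
BASE = "/var/log/nocpulse"
ON_DISK = {BASE: "system_u:object_r:spacewalk_monitoring_log_t"}
for sub in ("", "/archive", "/failed", "/queue"):
    ON_DISK[BASE + "/TSDBLocalQueue" + sub] = "system_u:object_r:var_log_t"

# AVC record from the bug description
AVC = ('type=AVC msg=audit(1242749550.073:73831): avc:  denied  { read } for  '
       'pid=4171 comm="TSDBLocalQueue." name="current.1609" dev=dm-0 ino=1676585 '
       'scontext=root:system_r:spacewalk_monitoring_t:s0 '
       'tcontext=root:object_r:var_log_t:s0 tclass=lnk_file')

def se_type(context):
    """Third colon-separated field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_avc(line):
    """Extract denied permissions, source/target types and object class."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line).group(1).split()
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"perms": perms, "source": se_type(kv["scontext"]),
            "target": se_type(kv["tcontext"]), "tclass": kv["tclass"]}

def expected_type(path):
    """Type the policy assigns to path (simplified: last matching entry wins)."""
    hit = None
    for pattern, context in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            hit = se_type(context)
    return hit

def mislabeled(on_disk):
    """Map path -> (current type, expected type) where the two differ."""
    out = {}
    for path, context in sorted(on_disk.items()):
        want = expected_type(path)
        if want and se_type(context) != want:
            out[path] = (se_type(context), want)
    return out

def denial_matches_stale_label(avc, on_disk):
    """True when the denied target type is one a relabel would reset."""
    return parse_avc(avc)["target"] in {cur for cur, _ in mislabeled(on_disk).values()}
```
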
Comment 3 Jan Pazdziora 2009-05-29 09:32:14 EDT
According to Jindřich N., it's not supposed to work when both packages are in the same transaction.

So we now require tsdb in spacewalk-monitoring-selinux, so that we can restorecon its directories.

Fix in Spacewalk repo, commit 2fa4874741b1448560eaf20175987ad8f4840a62.
Comment 4 Miroslav Suchý 2009-06-08 03:49:48 EDT
Fix is in spacewalk-monitoring-selinux-0.5.7-6-sat.
Moving ON_QA
Comment 5 wes hayutin 2009-06-08 13:23:12 EDT
verified 6/5

probe worked.. 

I did get the following though

type=AVC msg=audit(1244481688.823:2940): avc:  denied  { getattr } for  pid=11605 comm="gogo.pl" path="/var/lib/nocpulse/commands/heartbeat" dev=dm-0 ino=1578391 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
Comment 6 Miroslav Suchý 2009-06-10 03:33:48 EDT
Would you mind filing this new one as a new bug?
Comment 7 Milan Zazrivec 2009-08-25 08:59:56 EDT
Verified in stage, SNMP probes work, no selinux denials -> RELEASE_PENDING
Comment 8 Brandon Perkins 2009-09-10 14:49:43 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
