Bug 504649 - Monitoring, SElinux, restarting monitoring scout w/ enforcing=1, denials
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Monitoring
Version: 530
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Suchý
QA Contact: wes hayutin
Blocks: 457079 463877 518975
Reported: 2009-06-08 13:00 EDT by wes hayutin
Modified: 2009-09-10 14:49 EDT
Fixed In Version: sat530
Doc Type: Bug Fix
Clones: 518975
Last Closed: 2009-09-10 14:49:51 EDT
Attachments: None
Description wes hayutin 2009-06-08 13:00:20 EDT
Description of problem:

6/5
selinux in permissive
1. setup monitoring
2. setup several probes
3. push scout config
4. verify probes are working
5. turn selinux to enforcing.

restart MonitoringScout service

get

type=AVC msg=audit(1244480234.543:2676): avc:  denied  { getattr } for  pid=2347 comm="MonitoringScout" path="/var/lock/subsys/MonitoringScout" dev=dm-0 ino=1504714 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1244480245.015:2677): avc:  denied  { unlink } for  pid=2355 comm="npBootstrap.pl" name="SatCluster.ini" dev=dm-0 ino=8406822 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1244480245.023:2678): avc:  denied  { read write } for  pid=2355 comm="npBootstrap.pl" name="npBootstrap.db" dev=dm-0 ino=1578380 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1244480245.163:2680): avc:  denied  { getattr } for  pid=2347 comm="MonitoringScout" path="/var/lib/nocpulse/scheduler.xml" dev=dm-0 ino=1578385 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1244480247.223:2681): avc:  denied  { read } for  pid=2421 comm="gogo.pl" name="SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1244480247.247:2682): avc:  denied  { write } for  pid=2421 comm="gogo.pl" name="SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1244480247.247:2683): avc:  denied  { signal } for  pid=2424 comm="gogo.pl" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1244480247.247:2684): avc:  denied  { getattr } for  pid=2424 comm="gogo.pl" path="/var/run/SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
Comment 1 Miroslav Suchý 2009-06-09 11:17:58 EDT
This may be dupe of 494909.
Comment 2 Miroslav Suchý 2009-06-10 04:36:13 EDT
It is indeed a dupe. And after proper restorecon on all files I did not get any selinux AVC messages after scout restart. However I do get AVC denial after Monitoring (backend) restart:

type=AVC msg=audit(1244630463.726:33): avc:  denied  { getattr } for  pid=5805 comm="notif-escalator" path="/var/tmp/escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1244630463.726:33): arch=40000003 syscall=195 success=yes exit=0 a0=a0f7358 a1=9c590c8 a2=b7eff4 a3=a0f7358 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1244630464.870:34): avc:  denied  { read } for  pid=5805 comm="notif-escalator" name="escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1244630464.870:34): arch=40000003 syscall=5 success=yes exit=5 a0=a37d8d8 a1=8000 a2=0 a3=8000 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1244630464.870:35): avc:  denied  { ioctl } for  pid=5805 comm="notif-escalator" path="/var/tmp/escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1244630464.870:35): arch=40000003 syscall=54 success=no exit=-25 a0=5 a1=5401 a2=bf9376e8 a3=bf937728 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null)
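The denials pasted in the description and in comment 2 share one source domain (spacewalk_monitoring_t) but spread across several target types (var_lock_t, etc_t, var_lib_t, var_run_t, tmp_t), which is the usual signature of files carrying a stale label rather than of a missing policy rule. The triage script below is an added example, not code from this bug report or from Satellite/Spacewalk: it parses `type=AVC` records, groups them by source domain, target type and object class, and lists the absolute file paths whose labels should be checked. The sample records are copied from the comments above; the names `SAMPLE_AUDIT_LOG`, `parse_avc`, `summarize` and `relabel_candidates` are this example's own.

```python
"""Group SELinux AVC denials from an audit log so mislabelled files stand out.

Added example; not part of the bug report or of Satellite/Spacewalk.
"""
import re
from collections import defaultdict

# Sample records copied from this bug (description and comment 2).  The
# SYSCALL record is included only to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1244480234.543:2676): avc:  denied  { getattr } for  pid=2347 comm="MonitoringScout" path="/var/lock/subsys/MonitoringScout" dev=dm-0 ino=1504714 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lock_t:s0 tclass=file
type=AVC msg=audit(1244480245.015:2677): avc:  denied  { unlink } for  pid=2355 comm="npBootstrap.pl" name="SatCluster.ini" dev=dm-0 ino=8406822 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1244480245.023:2678): avc:  denied  { read write } for  pid=2355 comm="npBootstrap.pl" name="npBootstrap.db" dev=dm-0 ino=1578380 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1244480245.163:2680): avc:  denied  { getattr } for  pid=2347 comm="MonitoringScout" path="/var/lib/nocpulse/scheduler.xml" dev=dm-0 ino=1578385 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1244480247.223:2681): avc:  denied  { read } for  pid=2421 comm="gogo.pl" name="SputLite.pid" dev=dm-0 ino=1504683 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1244480247.247:2683): avc:  denied  { signal } for  pid=2424 comm="gogo.pl" scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1244630463.726:33): avc:  denied  { getattr } for  pid=5805 comm="notif-escalator" path="/var/tmp/escalator.state" dev=xvda1 ino=94292 scontext=root:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1244630463.726:33): arch=40000003 syscall=195 success=yes exit=0 a0=a0f7358 a1=9c590c8 a2=b7eff4 a3=a0f7358 items=0 ppid=5804 pid=5805 auid=0 uid=102 gid=104 euid=102 suid=102 fsuid=102 egid=104 sgid=104 fsgid=104 tty=pts0 ses=1 comm="notif-escalator" exe="/usr/bin/perl" subj=root:system_r:spacewalk_monitoring_t:s0 key=(null)
"""

# The permission set sits in braces; everything after it is key=value tokens
# whose values are either bare or double-quoted.
_PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = _PERM_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    rec["perms"] = tuple(m.group(1).split())
    # A context is user:role:type[:level]; policy rules are written against the type.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # File denials carry either a full path or just a name; process denials carry neither.
    rec["object"] = rec.get("path") or rec.get("name") or "(none)"
    return rec


def summarize(log_text):
    """Group denials by (source domain, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["objects"].add(rec["object"])
        g["count"] += 1
    return dict(groups)


def relabel_candidates(summary):
    """Absolute paths of file-class targets whose on-disk label should be verified."""
    paths = set()
    for (_, _, tclass), g in summary.items():
        if tclass == "file":
            paths.update(o for o in g["objects"] if o.startswith("/"))
    return sorted(paths)


def report(log_text):
    """Print one line per group plus the objects it touched; return the summary."""
    summary = summarize(log_text)
    for (sdom, ttype, tclass), g in sorted(summary.items()):
        print(f"{sdom} -> {ttype} ({tclass}): {g['count']} denial(s), perms={sorted(g['perms'])}")
        for obj in sorted(g["objects"]):
            print(f"    {obj}")
    return summary


if __name__ == "__main__":
    s = report(SAMPLE_AUDIT_LOG)
    print("verify labels of:", relabel_candidates(s))
```

Run against a real `/var/log/audit/audit.log` the path list is what you feed to `matchpathcon -V` (or compare `ls -Z` against `matchpathcon`) to tell a file whose label merely drifted from what the file contexts say (comment 2's case, fixed by `restorecon`) apart from an access the policy genuinely never allowed, which is what needs a policy change and a bug like this one.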
Comment 3 Miroslav Suchý 2009-06-10 05:00:17 EDT
Fixed in commit 3fa178e00aa2ddf2bc07de2c26ee5c8612d286eb
Comment 4 Miroslav Suchý 2009-06-12 08:58:50 EDT
compose 20090612
moving ON_QA
Comment 5 wes hayutin 2009-06-15 16:33:47 EDT
verified 6/12.1
Comment 6 Milan Zázrivec 2009-08-24 08:43:03 EDT
After MonitoringScout service restart:

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1251117383.525:27): avc:  denied  { unlink } for  pid=2124
comm="npBootstrap.pl" name="SatCluster.ini" dev=dm-0 ino=1366532
scontext=system_u:system_r:spacewalk_monitoring_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=file
Comment 7 Milan Zázrivec 2009-08-24 08:46:19 EDT
The last one remaining denial was cloned as bug #518975. Otherwise
RELEASE_PENDING.
Comment 8 Brandon Perkins 2009-09-10 14:49:51 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
