Bug 567880 - rhnmd on client do not start because SELinux AVC denial
Summary: rhnmd on client do not start because SELinux AVC denial
Keywords:
Status: CLOSED DUPLICATE of bug 567879
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 0.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Milan Zázrivec
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space10
Reported: 2010-02-24 08:12 UTC by Jan Hutař
Modified: 2012-03-06 09:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-02-24 08:14:24 UTC
Embargoed:



Description Jan Hutař 2010-02-24 08:12:30 UTC
Description of problem:
When I try to start rhnmd on updated F12 with SELinux in enforcing mode, it fails because of some AVCs.


Version-Release number of selected component (if applicable):
rhnmd-5.3.5-1.fc12.noarch
selinux-policy-3.6.32-89.fc12.noarch
selinux-policy-targeted-3.6.32-89.fc12.noarch


How reproducible:
always


Steps to Reproduce:
1. ensure you are in enforcing with `getenforce`
2. ensure /var/lib/nocpulse/.ssh/* have right context with
   `restorecon -vR /var/lib/nocpulse/.ssh/`
3. # service rhnmd start


Actual results:
# service rhnmd start
Starting rhnmd:Could not load host key: /var/lib/nocpulse/.ssh/nocpulse-identity
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.
                                                           [FAILED]


Expected results:
# service rhnmd start
Starting rhnmd:                                            [  OK  ]


Additional info:
type=USER_START msg=audit(1266998428.734:345): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=CRED_ACQ msg=audit(1266998428.734:346): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=AVC msg=audit(1266998428.780:347): avc:  denied  { read } for  pid=6520 comm="rhnmd" name="nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1266998428.780:347): avc:  denied  { open } for  pid=6520 comm="rhnmd" name="nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1266998428.780:347): arch=c000003e syscall=2 success=yes exit=128 a0=7fe8adb86cb0 a1=0 a2=0 a3=8 items=0 ppid=6496 pid=6520 auid=500 uid=488 gid=472 euid=488 suid=488 fsuid=488 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1266998428.780:348): avc:  denied  { getattr } for  pid=6520 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-2 ino=548105 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1266998428.780:348): arch=c000003e syscall=5 success=yes exit=128 a0=3 a1=7fffe237a410 a2=7fffe237a410 a3=7fffe237a1a0 items=0 ppid=6496 pid=6520 auid=500 uid=488 gid=472 euid=488 suid=488 fsuid=488 egid=472 sgid=472 fsgid=472 tty=(none) ses=1 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=CRED_DISP msg=audit(1266998428.782:349): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=USER_END msg=audit(1266998428.782:350): user pid=6495 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="nocpulse" exe="/sbin/runuser" hostname=? addr=? terminal=pts/4 res=success'
type=USER_ACCT msg=audit(1266998461.331:351): user pid=6558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1266998461.338:352): user pid=6558 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1266998461.338:353): login pid=6558 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=37
type=USER_START msg=audit(1266998461.351:354): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1266998461.490:355): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1266998461.491:356): user pid=6558 uid=0 auid=0 ses=37 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Comment 1 Jan Hutař 2010-02-24 08:14:24 UTC

*** This bug has been marked as a duplicate of bug 567879 ***

