Description of problem:
If SELinux is enforced, rhnmd will start but not function. If SELinux is in permissive mode rhnmd works just fine. I'll deliver all extracts I find useful below. If you need full log files I can attach them later.

/var/log/audit/audit.log:
type=AVC msg=audit(1274431807.396:22019): avc: denied { open } for pid=2000 comm="rhnmd" name="nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.396:22020): avc: denied { getattr } for pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.500:22022): avc: denied { getattr } for pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-0 ino=6815832 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

/var/log/messages:
May 21 10:54:11 (none) setroubleshoot: SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/nocpulse-identity. For complete SELinux messages. run sealert -l d283fe86-2b8a-4a41-a587-1bdc7cde2304
May 21 11:00:19 (none) setroubleshoot: SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 267ce29a-1825-46c7-822f-bc210b3ffdfe

Version-Release number of selected component (if applicable):
openssh-server-5.4p1-1.fc13
selinux-policy-3.7.19-15.fc13
rhnmd-5.3.6-1.fc12 (from F12 1.0-client, i.e. not nightly)

How reproducible:
Always

Steps to Reproduce:
1. Install F13 with F12 1.0-client tools
2. Set up rhnmd
3. Start rhnmd

Actual results:
rhnmd is started but useless without host keys and authorized_keys

Expected results:
rhnmd is started and accessible by MonitoringScout

Additional info:

sealert -l d283fe86-2b8a-4a41-a587-1bdc7cde2304:
SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/nocpulse-identity.
Source Context    unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context    system_u:object_r:var_lib_t:s0
Target Objects    /var/lib/nocpulse/.ssh/nocpulse-identity [ file ]
Source            rhnmd
Source Path       /usr/sbin/sshd
---
sealert -l 267ce29a-1825-46c7-822f-bc210b3ffdfe:
SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/authorized_keys.
Source Context    unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context    unconfined_u:object_r:var_lib_t:s0
Target Objects    /var/lib/nocpulse/.ssh/authorized_keys [ file ]
Source            rhnmd
Source Path       /usr/sbin/sshd
---
# ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub
# restorecon /var/lib/nocpulse/.ssh/*
# ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub
Just confirming that I can still reproduce this with F13 and 1.1-client tools
Mass-moving to space13.
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.
Aligning under space16.
Bug 677680 also reports that

type=AVC msg=audit(1302409997.445:52858): avc: denied { name_bind } for pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

is observed.
*** Bug 677680 has been marked as a duplicate of this bug. ***
On Fedora 15, I did see

type=AVC msg=audit(1317995087.159:95): avc: denied { read } for pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317995087.159:95): avc: denied { open } for pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317995087.161:96): avc: denied { getattr } for pid=1194 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

upon startup, and then

type=AVC msg=audit(1317998553.493:141): avc: denied { read } for pid=1505 comm="rhnmd" name="authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.493:141): avc: denied { open } for pid=1505 comm="rhnmd" name="authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.495:142): avc: denied { getattr } for pid=1505 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

when the scout connected. I did address it on my box with

/usr/sbin/semanage fcontext -a -t sshd_key_t '/var/lib/nocpulse/\.ssh/nocpulse-identity'
/usr/sbin/semanage fcontext -a -t ssh_home_t '/var/lib/nocpulse/\.ssh/authorized_keys'
restorecon -rvv /var/lib/nocpulse

I wonder if this is what we want to do in (say) the %post script of the rhnmd package? I did not see the name_bind AVC denial noted in bug 677680.
(In reply to comment #8)
> I did address it on my box with
>
> /usr/sbin/semanage fcontext -a -t sshd_key_t '/var/lib/nocpulse/\.ssh/nocpulse-identity'
> /usr/sbin/semanage fcontext -a -t ssh_home_t '/var/lib/nocpulse/\.ssh/authorized_keys'
> restorecon -rvv /var/lib/nocpulse

Added to rhnmd.spec in Spacewalk master, fe016b4fb21fbabe80b49a608201f632d7f24515.
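The denials quoted in this bug can be triaged mechanically rather than by reading raw audit lines. The script below is an added example, not code from the bug report or from the rhnmd package: it parses AVC records like the ones above into their permission, source type, target type and target object, and flags the nocpulse key files whose current label differs from the types that the semanage fcontext rules in comment #8 assign (sshd_key_t for nocpulse-identity, ssh_home_t for authorized_keys). The sample records are copied from the comments above and embedded as constructed input.

```python
import re

# Constructed sample: three AVC records copied from the comments in this bug
# (two file denials on the nocpulse key files, one name_bind from bug 677680).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1317995087.159:95): avc: denied { read } for pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.495:142): avc: denied { getattr } for pid=1505 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1302409997.445:52858): avc: denied { name_bind } for pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# File types that the semanage fcontext rules in comment #8 assign.
EXPECTED_FILE_TYPE = {'nocpulse-identity': 'sshd_key_t', 'authorized_keys': 'ssh_home_t'}

def ctx_type(ctx):
    """Third field of user:role:type:level, or None if the context is absent."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'tclass': f.get('tclass'),
        # file denials carry path= or name=; socket denials carry src= (a port)
        'target': f.get('path') or f.get('name') or f.get('src'),
        'stype': ctx_type(f.get('scontext', '')),
        'ttype': ctx_type(f.get('tcontext', '')),
    }

def mislabelled_files(audit_text):
    """(target, current type, expected type) for each nocpulse key file whose
    label differs from the expected one; repeated read/open/getattr collapse."""
    found = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec['tclass'] != 'file' or not rec['target']:
            continue
        want = EXPECTED_FILE_TYPE.get(rec['target'].rsplit('/', 1)[-1])
        if want and rec['ttype'] != want:
            found.setdefault(rec['target'], (rec['target'], rec['ttype'], want))
    return list(found.values())
```

Run mislabelled_files over the real /var/log/audit/audit.log after restorecon to confirm the new fcontext rules took effect; an empty result means the key files now carry the expected labels.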
Spacewalk 1.6 has been released.