Bug 594647 - rhnmd with major SELinux problems on Fedora 13
Summary: rhnmd with major SELinux problems on Fedora 13
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Clients
Version: 1.1
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Duplicates: 677680
Depends On:
Blocks: space16
 
Reported: 2010-05-21 08:58 UTC by Sandro Mathys
Modified: 2011-12-22 16:50 UTC
CC List: 2 users

Fixed In Version: rhnmd-5.3.10-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-22 16:50:07 UTC



Description Sandro Mathys 2010-05-21 08:58:13 UTC
Description of problem:
If SELinux is enforced, rhnmd will start but not function. If SELinux is in permissive mode rhnmd works just fine. I'll deliver all extracts I find useful below. If you need full log files I can attach them later.

/var/log/audit/audit.log:
type=AVC msg=audit(1274431807.396:22019): avc:  denied  { open } for  pid=2000 comm="rhnmd" name="nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.396:22020): avc:  denied  { getattr } for  pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.500:22022): avc:  denied  { getattr } for  pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-0 ino=6815832 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

/var/log/messages:
May 21 10:54:11 (none) setroubleshoot: SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/nocpulse-identity. For complete SELinux messages. run sealert -l d283fe86-2b8a-4a41-a587-1bdc7cde2304
May 21 11:00:19 (none) setroubleshoot: SELinux is preventing /usr/sbin/sshd "read" access on /var/lib/nocpulse/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 267ce29a-1825-46c7-822f-bc210b3ffdfe

Version-Release number of selected component (if applicable):
openssh-server-5.4p1-1.fc13
selinux-policy-3.7.19-15.fc13
rhnmd-5.3.6-1.fc12 (from F12 1.0-client, i.e. not nightly)

How reproducible:
Always

Steps to Reproduce:
1. Install F13 with F12 1.0-client tools
2. Set up rhnmd
3. Start rhnmd
  
Actual results:
rhnmd is started but useless without host keys and authorized_keys

Expected results:
rhnmd is started and accessible by MonitoringScout

Additional info:
sealert -l d283fe86-2b8a-4a41-a587-1bdc7cde2304:
SELinux is preventing /usr/sbin/sshd "read" access on
/var/lib/nocpulse/.ssh/nocpulse-identity.

Source Context                unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/nocpulse/.ssh/nocpulse-identity [ file ]
Source                        rhnmd
Source Path                   /usr/sbin/sshd

---

sealert -l 267ce29a-1825-46c7-822f-bc210b3ffdfe:
SELinux is preventing /usr/sbin/sshd "read" access on
/var/lib/nocpulse/.ssh/authorized_keys.

Source Context                unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_lib_t:s0
Target Objects                /var/lib/nocpulse/.ssh/authorized_keys [ file ]
Source                        rhnmd
Source Path                   /usr/sbin/sshd

---

# ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0   nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub

# restorecon /var/lib/nocpulse/.ssh/*

# ls -Z /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0   nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub
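The AVC lines above already say where the problem lies: the source type is sshd_t (rhnmd runs the sshd binary, as the Source Path shows) and the target type is the catch-all var_lib_t rather than an ssh-specific key type, so the files are mislabelled rather than the policy lacking a rule. The script below is an added example, not part of the bug report or of rhnmd: it summarises denials in this format and flags the ones whose target carries a generic label. The sample audit lines are constructed from the three denials in the report plus the name_bind denial quoted later in comment 6 (joined onto one line); the function names and the list of generic types are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug report or from rhnmd): triage AVC denials
# like the ones in the report. A denial whose target carries a generic label
# such as var_lib_t usually means the file is mislabelled (fix: file context
# plus restorecon), not that the policy lacks a rule (which audit2allow would
# "fix" by widening the sshd_t domain instead).

# Constructed sample: the three file denials from the report, plus the
# name_bind denial quoted in comment 6, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1274431807.396:22019): avc:  denied  { open } for  pid=2000 comm="rhnmd" name="nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.396:22020): avc:  denied  { getattr } for  pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-0 ino=6818370 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1274431807.500:22022): avc:  denied  { getattr } for  pid=2000 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-0 ino=6815832 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1302409997.445:52858): avc:  denied  { name_bind } for  pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# Print one line per denial: source type, target type, object class,
# permission(s), command, and the object (path, name, or port number).
avc_summary() {
  awk '
    /^type=AVC/ {
      perm = ""
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      comm = kv("comm")
      obj = kv("path"); if (obj == "") obj = kv("name"); if (obj == "") obj = kv("src")
      print ctx_type(kv("scontext")), ctx_type(kv("tcontext")), kv("tclass"), perm, comm, obj
    }
    # value of a key=value or key="value" field in the current record, or ""
    function kv(key,    v) {
      if (match($0, " " key "=\"?[^ \"]*")) {
        v = substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
        sub(/^"/, "", v)
        return v
      }
      return ""
    }
    # the third component of an SELinux context is the type
    function ctx_type(ctx,    parts) { split(ctx, parts, ":"); return parts[3] }
  '
}

# Keep only denials whose target has a catch-all label: these are relabelling
# candidates. port_t is deliberately absent: a name_bind denial on it is
# handled with semanage port, never with file contexts.
avc_suspect_mislabel() {
  avc_summary | awk '
    BEGIN {
      n = split("var_lib_t var_t etc_t usr_t default_t unlabeled_t", g, " ")
      for (i = 1; i <= n; i++) generic[g[i]] = 1
    }
    ($2 in generic)'
}

# Demo on the constructed sample; on a real box feed it
# `ausearch -m avc -c rhnmd` or grep the audit log for comm="rhnmd".
printf '%s\n' "$SAMPLE_AVC" | avc_suspect_mislabel
```

Run against the sample, the three file denials are reported (all sshd_t on var_lib_t) and the port denial is dropped, which matches the split in the thread: the file side is fixed by relabelling, while the name_bind denial would need a port-type change that comment 8 notes was not reproduced.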

Comment 1 Sandro Mathys 2010-11-09 12:26:07 UTC
Just confirming that I can still reproduce this with F13 and 1.1-client tools.

Comment 2 Jan Pazdziora 2010-11-19 16:05:17 UTC
Mass-moving to space13.

Comment 3 Miroslav Suchý 2011-04-11 07:33:57 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 4 Miroslav Suchý 2011-04-11 07:37:22 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 5 Jan Pazdziora 2011-07-20 11:52:28 UTC
Aligning under space16.

Comment 6 Jan Pazdziora 2011-08-19 10:18:06 UTC
Bug 677680 also reports that

type=AVC msg=audit(1302409997.445:52858): avc:  denied  { name_bind } for 
pid=14302 comm="rhnmd" src=4545
scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

is observed.

Comment 7 Jan Pazdziora 2011-08-19 10:20:00 UTC
*** Bug 677680 has been marked as a duplicate of this bug. ***

Comment 8 Jan Pazdziora 2011-10-07 14:47:32 UTC
On Fedora 15, I did see

type=AVC msg=audit(1317995087.159:95): avc:  denied  { read } for  pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317995087.159:95): avc:  denied  { open } for  pid=1194 comm="rhnmd" name="nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317995087.161:96): avc:  denied  { getattr } for  pid=1194 comm="rhnmd" path="/var/lib/nocpulse/.ssh/nocpulse-identity" dev=dm-1 ino=195 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

upon startup, and then

type=AVC msg=audit(1317998553.493:141): avc:  denied  { read } for  pid=1505 comm="rhnmd" name="authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.493:141): avc:  denied  { open } for  pid=1505 comm="rhnmd" name="authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1317998553.495:142): avc:  denied  { getattr } for  pid=1505 comm="rhnmd" path="/var/lib/nocpulse/.ssh/authorized_keys" dev=dm-1 ino=183 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

when the scout connected.

I did address it on my box with

/usr/sbin/semanage fcontext -a -t sshd_key_t '/var/lib/nocpulse/\.ssh/nocpulse-identity'
/usr/sbin/semanage fcontext -a -t ssh_home_t '/var/lib/nocpulse/\.ssh/authorized_keys'
restorecon -rvv /var/lib/nocpulse

I wonder if this is what we want to do in (say) %post script of the rhnmd package? I did not see the name_bind AVC denial noted in bug 677680.
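The two semanage rules plus restorecon are the whole fix, but a %post scriptlet has to survive being run more than once (semanage fcontext -a refuses a spec that already exists) and ought to verify the result. The script below is an added example, not the rhnmd spec's own scriptlet: it wraps the commands from comment 8 so they are safe to re-run and checks an ls -Z listing against the expected types. The "before" listing is the one from the report; the "after" listing is constructed to show what restorecon produces once the rules are in place. The function names and the demo/check/apply arguments are this example's own.

```shell
#!/bin/sh
# Added example (not the rhnmd package's %post): apply the file contexts from
# comment 8 idempotently and verify the labels afterwards.

# Expected SELinux type per file, as chosen in comment 8.
expected_type() {
  case "$1" in
    nocpulse-identity) echo sshd_key_t ;;
    authorized_keys)   echo ssh_home_t ;;
    *)                 echo "" ;;
  esac
}

# Read `ls -Z` output on stdin (the ls -l style shown in the bug or the newer
# "context name" style) and print "name actual expected" for each file whose
# type differs from the expected one. Files with no expectation are skipped.
label_mismatches() {
  awk '
    {
      ctx = ""
      for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) ctx = $i
      if (ctx == "") next
      split(ctx, parts, ":")
      print $NF, parts[3]
    }' | while read -r name actual; do
      expected=$(expected_type "$name")
      [ -n "$expected" ] || continue
      [ "$actual" = "$expected" ] || echo "$name $actual $expected"
    done
}

# `semanage fcontext -a` fails once the spec exists, so fall back to -m.
set_fc() {
  semanage fcontext -a -t "$1" "$2" 2>/dev/null || semanage fcontext -m -t "$1" "$2"
}

# The fix from comment 8, re-runnable, followed by a verification pass.
apply_labels() {
  command -v semanage >/dev/null 2>&1 || { echo "semanage not available" >&2; return 1; }
  set_fc sshd_key_t '/var/lib/nocpulse/\.ssh/nocpulse-identity'
  set_fc ssh_home_t '/var/lib/nocpulse/\.ssh/authorized_keys'
  restorecon -rvv /var/lib/nocpulse
  ls -Z /var/lib/nocpulse/.ssh/ | label_mismatches
}

# Constructed samples: "before" is the listing from the report, "after" is
# what the same directory looks like once the rules above have been applied.
LS_BEFORE='-rw-------. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:var_lib_t:s0   nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub'
LS_AFTER='-rw-------. nocpulse nocpulse unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. nocpulse nocpulse system_u:object_r:sshd_key_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:var_lib_t:s0 nocpulse-identity.pub'

case "${1:-demo}" in
  demo)  printf '%s\n' "$LS_BEFORE" | label_mismatches ;;   # offline, sample only
  check) ls -Z /var/lib/nocpulse/.ssh/ | label_mismatches ;; # read-only, real box
  apply) apply_labels ;;                                     # needs root
esac
```

With no argument the script only checks the constructed "before" listing and reports the two files that still carry var_lib_t; "check" does the same against the real directory, and "apply" runs the semanage and restorecon commands and then re-checks, so an empty result means the relabel took effect. Note that a plain restorecon, as in the report, cannot help until a file context rule exists for the path, which is exactly why the listing did not change there.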

Comment 9 Jan Pazdziora 2011-10-07 14:55:34 UTC
(In reply to comment #8)
> I did address it on my box with
> 
> /usr/sbin/semanage fcontext -a -t sshd_key_t
> '/var/lib/nocpulse/\.ssh/nocpulse-identity'
> /usr/sbin/semanage fcontext -a -t ssh_home_t
> '/var/lib/nocpulse/\.ssh/authorized_keys'
> restorecon -rvv /var/lib/nocpulse

Added to rhnmd.spec in Spacewalk master, fe016b4fb21fbabe80b49a608201f632d7f24515.

Comment 10 Milan Zázrivec 2011-12-22 16:50:07 UTC
Spacewalk 1.6 has been released.

