Description of problem:
type=AVC msg=audit(1297781940.124:73164): avc: denied { name_bind } for pid=24556 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Version-Release number of selected component (if applicable):
rhnmd-5.3.7-1.fc13.noarch (from F14 client repo)
Actual results:
$(service rhnmd start) reports OK but rhnmd is not actually running. $(service rhnmd stop) will report FAILED.
Expected results:
rhnmd up and running
My fault, I mixed up versions - this was never tested in post-1.3 :)
Hello, Working on this. Kind Regards, Marcelo Moreira de Mello
Hello, Issue reproduced in Spacewalk 1.4 nightly build.
type=AVC msg=audit(1302409997.445:52858): avc: denied { name_bind } for pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1302409997.445:52858): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7f8735e36760 a2=10 a3=7fff4d9bc8f8 items=0 ppid=1 pid=14302 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=(none) ses=4 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Working on this. Cheers, Marcelo Moreira de Mello
When starting the monitoring scout service, the gogo.pl script is also blocked by SELinux.
type=AVC msg=audit(1302412097.191:55060): avc: denied { getattr } for pid=9321 comm="gogo.pl" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1302412097.191:55060): arch=c000003e syscall=4 success=no exit=-13 a0=1932020 a1=16cf138 a2=16cf138 a3=0 items=0 ppid=9320 pid=9321 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="gogo.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spacewalk_monitoring_t:s0 key=(null)
type=AVC msg=audit(1302412097.228:55061): avc: denied { getattr } for pid=9319 comm="dequeue" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1302412097.228:55061): arch=c000003e syscall=4 success=no exit=-13 a0=1782ae0 a1=15c1138 a2=15c1138 a3=0 items=0 ppid=9318 pid=9319 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=pts1 ses=3 comm="dequeue" exe="/usr/bin/perl" subj=unconfined_u:system_r:spacewalk_monitoring_t:s0 key=(null)
kernel.pl is also denied by SELinux:
type=AVC msg=audit(1302412321.541:55277): avc: denied { getattr } for pid=10593 comm="kernel.pl" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1302412321.541:55277): arch=c000003e syscall=4 success=no exit=-13 a0=10ed620 a1=f6f138 a2=f6f138 a3=0 items=0 ppid=10591 pid=10593 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=pts1 ses=3 comm="kernel.pl" exe="/usr/bin/perl" subj=unconfined_u:system_r:spacewalk_monitoring_t:s0 key=(null)
Created attachment 491033: 0001-rhbz-677680-fix-SELinux-denies-RHNMD-binds-port-4545.patch
Hello, This patch fixes the SELinux denials for the RHNMD daemon when binding TCP port 4545. The patch has already been sent to the spacewalk-devel mailing list for approval. Cheers, Marcelo Moreira de Mello
Moving to space16.
There are more problems with rhnmd and SELinux; we are consolidating them in bug 594647. The monitoring sendmail_exec_t (server-side) issue was addressed in bug 588923.
*** This bug has been marked as a duplicate of bug 594647 ***
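Added example (not part of the bug report or of the Spacewalk code): a small parser that groups the AVC denials quoted in the comments above by source type, target type and object class, the tuple a policy author triages on. The sample input is taken from those comments, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample records taken from the comments above. The first physical line keeps
# its SYSCALL record attached, the run-together form audit output often takes.
SAMPLE = '''type=AVC msg=audit(1302409997.445:52858): avc: denied { name_bind } for pid=14302 comm="rhnmd" src=4545 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1302409997.445:52858): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7f8735e36760 a2=10 a3=7fff4d9bc8f8 items=0 ppid=1 pid=14302 auid=0 uid=492 gid=488 euid=492 suid=492 fsuid=492 egid=488 sgid=488 fsgid=488 tty=(none) ses=4 comm="rhnmd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1302412097.191:55060): avc: denied { getattr } for pid=9321 comm="gogo.pl" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1302412097.228:55061): avc: denied { getattr } for pid=9319 comm="dequeue" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
type=AVC msg=audit(1302412321.541:55277): avc: denied { getattr } for pid=10593 comm="kernel.pl" path="/usr/sbin/sendmail.sendmail" dev=dm-0 ino=36670 scontext=unconfined_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:sendmail_exec_t:s0 tclass=file
'''

RECORD_START = re.compile(r"(?=type=\w+ msg=audit\()")  # zero-width record boundary
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return the fields of one AVC denial, or None for any other record."""
    if not record.startswith("type=AVC"):
        return None
    m = AVC_RE.search(record)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {
        "perms": m.group("perms").split(),
        "comm": kv.get("comm"),
        # A context is user:role:type:level; the type is the third field.
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv.get("tclass"),
        "object": kv.get("path") or kv.get("src"),  # file path or port number
    }

def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "objects": set()})
    for record in RECORD_START.split(text):
        rec = parse_avc(record.strip())
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["objects"].add(rec["object"])
    return dict(groups)
```

On this input the four denials collapse into two groups: `sshd_t` binding port 4545, and `spacewalk_monitoring_t` calling `getattr` on the sendmail binary from three different scripts.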