Description of problem:
tog-pegasus is not stopped successfully, port 5989 is occupied by cimserver

Version-Release number of selected component (if applicable):
tog-pegasus-2.11.0-2.el6.i686 from rhel62 errata

How reproducible:
deterministic

Steps to Reproduce:
# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [FAILED]
# /etc/init.d/tog-pegasus start
Starting up CIM server: [ OK ]
# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [ OK ]
# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98). [FAILED]
# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [FAILED]
# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98). [FAILED]
# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [FAILED]
# netstat -putna | grep 5989
tcp 0 0 :::5989 :::* LISTEN 12304/cimservermain

Actual results:
socket on port 5989: Address already in use (error code 98).

Expected results:
port is released

Additional info:
old behavior:
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus start
tog-pegasus start: /usr/sbin/cimserver is already running
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [ OK ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus start
Starting up CIM server: [ OK ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [ OK ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# rpm -q tog-pegasus
tog-pegasus-2.9.1-5.el6.i686
[root@kvm-guest-06 ~]# service tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98). [FAILED]
[root@kvm-guest-06 ~]# netstat -putna | grep 5989
tcp 0 0 :::5989 :::* LISTEN 2566/cimservermain
[root@kvm-guest-06 ~]# ps aux | grep cimservermain
cimsrvr 2566 0.0 0.8 391848 8732 ? Sl 06:27 0:00 cimservermain --executor-socket 3
root 2694 0.0 0.0 103228 852 pts/0 S+ 06:34 0:00 grep cimservermain
[root@kvm-guest-06 ~]# kill 2566
[root@kvm-guest-06 ~]# service tog-pegasus start
Starting up CIM server: [ OK ]

It's because of the Privilege Separation feature. There are now two tog-pegasus processes - cimserver (killed in init script) and cimservermain, which should be killed by cimserver, but it's not; SELinux prevents it:

type=AVC msg=audit(1315218438.116:78130): avc: denied { kill } for pid=2565 comm="cimserver" capability=5 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
type=SYSCALL msg=audit(1315218438.116:78130): arch=c000003e syscall=62 success=no exit=-1 a0=a06 a1=f a2=7fff9b15915f a3=0 items=0 ppid=1 pid=2565 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cimserver" exe="/usr/sbin/cimserver" subj=unconfined_u:system_r:pegasus_t:s0 key=(null)

The issue is also described in [1]. We have Privilege Separation enabled for the first time in RHEL.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=472609
If part of this issue was SELinux, then it was fixed in the latest policy:

# sesearch -A -s pegasus_t -t pegasus_t -c capability -p kill
Found 1 semantic av rules:
allow pegasus_t pegasus_t : capability { chown dac_override kill setgid setuid net_bind_service ipc_lock sys_nice audit_write } ;
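Added example, not part of the original report or of any commenter's post: it joins the AVC and SYSCALL records quoted above by audit event id, decodes the kill() arguments, and checks the denial against the allow rule printed by sesearch. The function names are hypothetical, the SYSCALL record is abridged, and exact type matching ignores policy attributes.

```python
import re

# Constructed input: the audit event quoted in this bug (SYSCALL abridged) and the sesearch rule.
AUDIT = [
    'type=AVC msg=audit(1315218438.116:78130): avc: denied { kill } for pid=2565 '
    'comm="cimserver" capability=5 scontext=unconfined_u:system_r:pegasus_t:s0 '
    'tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1315218438.116:78130): arch=c000003e syscall=62 '
    'success=no exit=-1 a0=a06 a1=f ppid=1 pid=2565 uid=0 comm="cimserver"',
]
RULE = ('allow pegasus_t pegasus_t : capability { chown dac_override kill setgid '
        'setuid net_bind_service ipc_lock sys_nice audit_write } ;')

EVENT_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
AVC_RE = re.compile(r'denied\s+\{([^}]*)\}.*scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+\{([^}]*)\}')

def correlate(lines):
    """Group records by audit event id and join each AVC denial with its SYSCALL record."""
    events = {}
    for line in lines:
        m = EVENT_RE.match(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    out = []
    for eid, recs in events.items():
        avc = AVC_RE.search(recs.get('AVC', ''))
        if not avc:
            continue
        f = dict(kv.split('=', 1) for kv in recs.get('SYSCALL', '').split() if '=' in kv)
        d = {'event': eid, 'perms': set(avc.group(1).split()), 'tclass': avc.group(4),
             'source': avc.group(2).split(':')[2], 'target': avc.group(3).split(':')[2]}
        # On x86_64 (arch c000003e) syscall 62 is kill(pid, sig); a0 and a1 are hex.
        if f.get('arch') == 'c000003e' and f.get('syscall') == '62':
            d['kill_pid'], d['signal'] = int(f['a0'], 16), int(f['a1'], 16)
        out.append(d)
    return out

def missing_perms(denial, rule):
    """Permissions in the denial that the allow rule (exact type match) does not grant."""
    m = RULE_RE.search(rule)
    key = (denial['source'], denial['target'], denial['tclass'])
    if not m or m.group(1, 2, 3) != key:
        return set(denial['perms'])
    return denial['perms'] - set(m.group(4).split())

if __name__ == '__main__':
    for d in correlate(AUDIT):
        print(d, 'still denied:', sorted(missing_perms(d, RULE)) or 'none')
```

The decoded a0 is 2566, the cimservermain PID in the ps output above, and a1 is 15 (SIGTERM).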
tog-pegasus-2.11.0-2.el6.x86_64

OLD, selinux policy
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
Shutting down CIM server: type=AVC msg=audit(1316608183.191:112611): avc: denied { kill } for pid=6346 comm="cimserver" capability=5 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
[ OK ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
type=AVC msg=audit(1316608186.806:112612): avc: denied { kill } for pid=6520 comm="cimserver" capability=5 scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
[FAILED]

NEW, selinux-policy-3.7.19-112.el6.noarch:
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [FAILED]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus start
Starting up CIM server: [ OK ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus restart
[ OK ] down CIM server: [ OK ]
Starting up CIM server: [ OK ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
[ OK ] down CIM server: [ OK ]
[root@sun-v40z-01 ~]# netstat -putna | grep 5989
[root@sun-v40z-01 ~]#
*** This bug has been marked as a duplicate of bug 723977 ***