Bug 735014 - tog-pegasus is not stopped successfully, port 5989: Address already in use
Summary: tog-pegasus is not stopped successfully, port 5989: Address already in use
Keywords:
Status: CLOSED DUPLICATE of bug 723977
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: tog-pegasus
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Vitezslav Crhonek
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-09-01 07:42 UTC by Petr Sklenar ⛄
Modified: 2011-09-21 12:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-21 12:38:46 UTC



Description Petr Sklenar ⛄ 2011-09-01 07:42:00 UTC
Description of problem:
tog-pegasus is not stopped successfully, port 5989 is occupied by cimserver

Version-Release number of selected component (if applicable):
tog-pegasus-2.11.0-2.el6.i686 from rhel62 errata

How reproducible:
deterministic

Steps to Reproduce:
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
# /etc/init.d/tog-pegasus start
Starting up CIM server: [  OK  ]
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
[FAILED]
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
[FAILED]
# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
# netstat -putna | grep 5989
tcp        0      0 :::5989                     :::*                        LISTEN      12304/cimservermain 


  
Actual results:
socket on port 5989: Address already in use (error code 98).

Expected results:
port is released

Additional info:
old behavior:
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus start
tog-pegasus start: /usr/sbin/cimserver is already running
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus start
Starting up CIM server: [  OK  ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
[root@tyan-gt24-09 bz426578-CVE2008-0003-pam-overflow]# rpm -q tog-pegasus
tog-pegasus-2.9.1-5.el6.i686

Comment 6 Vitezslav Crhonek 2011-09-05 11:01:29 UTC
[root@kvm-guest-06 ~]# service tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
[FAILED]
[root@kvm-guest-06 ~]# netstat -putna | grep 5989
tcp        0      0 :::5989                     :::*                        LISTEN      2566/cimservermain  
[root@kvm-guest-06 ~]# ps aux | grep cimservermain
cimsrvr   2566  0.0  0.8 391848  8732 ?        Sl   06:27   0:00 cimservermain --executor-socket 3
root      2694  0.0  0.0 103228   852 pts/0    S+   06:34   0:00 grep cimservermain
[root@kvm-guest-06 ~]# kill 2566
[root@kvm-guest-06 ~]# service tog-pegasus start
Starting up CIM server: [  OK  ]

It's because of the Privilege Separation feature. There are now two tog-pegasus processes: cimserver (killed in the init script) and cimservermain, which should be killed by cimserver, but it isn't; SELinux prevents it:

type=AVC msg=audit(1315218438.116:78130): avc:  denied  { kill } for  pid=2565 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
type=SYSCALL msg=audit(1315218438.116:78130): arch=c000003e syscall=62 success=no exit=-1 a0=a06 a1=f a2=7fff9b15915f a3=0 items=0 ppid=1 pid=2565 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cimserver" exe="/usr/sbin/cimserver" subj=unconfined_u:system_r:pegasus_t:s0 key=(null)

The issue is also described in [1]. We have Privilege Separation enabled for the first time in RHEL.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=472609
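
Added example, not part of the original comment or of tog-pegasus: a small parser that joins the AVC record quoted above with its SYSCALL record by event serial and decodes the blocked kill(2) call. The function names are hypothetical; the log lines are the two records from Comment 6, and the syscall number mapping assumes x86_64 (arch=c000003e).

```python
import re

# The two audit records quoted in Comment 6 (same event serial, 78130).
AUDIT_LOG = """\
type=AVC msg=audit(1315218438.116:78130): avc:  denied  { kill } for  pid=2565 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
type=SYSCALL msg=audit(1315218438.116:78130): arch=c000003e syscall=62 success=no exit=-1 a0=a06 a1=f a2=7fff9b15915f a3=0 items=0 ppid=1 pid=2565 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cimserver" exe="/usr/sbin/cimserver" subj=unconfined_u:system_r:pegasus_t:s0 key=(null)
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")

def parse_events(log):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == "AVC":
            fields["denied"] = "denied" in body.split("{")[0]
            p = PERMS_RE.search(body)
            fields["perms"] = p.group(1).split() if p else []
        events.setdefault(serial, {})[rtype] = fields
    return events

def blocked_kills(log):
    """Denied 'kill' capability checks joined with the kill(2) call behind them."""
    out = []
    for serial, recs in parse_events(log).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc and avc["denied"]):
            continue
        if avc.get("tclass") != "capability" or "kill" not in avc["perms"]:
            continue
        # On x86_64, syscall 62 is kill(pid, sig); a0 and a1 are logged in hex.
        if sc.get("arch") == "c000003e" and sc.get("syscall") == "62":
            out.append({
                "serial": serial,
                "caller": sc["exe"], "caller_pid": int(sc["pid"]),
                "domain": avc["scontext"].split(":")[2],
                "target_pid": int(sc["a0"], 16),
                "signal": int(sc["a1"], 16),
            })
    return out

if __name__ == "__main__":
    print(blocked_kills(AUDIT_LOG))
```

Decoded, a0=a06 is PID 2566, the cimservermain process shown in the ps output above, and a1=f is signal 15 (SIGTERM).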

Comment 8 Miroslav Grepl 2011-09-21 10:31:30 UTC
If part of this issue was SELinux, then it was fixed in the latest policy.

# sesearch -A -s pegasus_t -t pegasus_t -c capability -p kill
Found 1 semantic av rules:
   allow pegasus_t pegasus_t : capability { chown dac_override kill setgid setuid net_bind_service ipc_lock sys_nice audit_write } ;

Comment 9 Petr Sklenar ⛄ 2011-09-21 12:37:00 UTC
tog-pegasus-2.11.0-2.el6.x86_64

OLD, selinux policy 
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
Shutting down CIM server: type=AVC msg=audit(1316608183.191:112611): avc:  denied  { kill } for  pid=6346 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
[  OK  ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus start
Starting up CIM server: cimserver not started: Bind failed: Failed to bind socket on port 5989: Address already in use (error code 98).
type=AVC msg=audit(1316608186.806:112612): avc:  denied  { kill } for  pid=6520 comm="cimserver" capability=5  scontext=unconfined_u:system_r:pegasus_t:s0 tcontext=unconfined_u:system_r:pegasus_t:s0 tclass=capability
[FAILED]

NEW, selinux-policy-3.7.19-112.el6.noarch:
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [FAILED]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus start
Starting up CIM server: [  OK  ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus restart
[  OK  ] down CIM server: [  OK  ]
Starting up CIM server: [  OK  ]
[root@sun-v40z-01 ~]# /etc/init.d/tog-pegasus stop
[  OK  ] down CIM server: [  OK  ]
[root@sun-v40z-01 ~]# netstat -putna | grep 5989
[root@sun-v40z-01 ~]#

Comment 10 Petr Sklenar ⛄ 2011-09-21 12:38:46 UTC

*** This bug has been marked as a duplicate of bug 723977 ***

