Bug 855885 - Clearing the rhn-proxy auth cache by removing folder /var/cache/rhn/proxy-auth on EL5 is not an option.
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Satellite Proxy 5
Classification: Red Hat
Component: Server
Version: 550
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Red Hat Satellite QA List
Blocks: 819027
Reported: 2012-09-10 14:12 UTC by Dimitar Yordanov
Modified: 2012-11-27 13:34 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-11-21 10:09:55 UTC



Description Dimitar Yordanov 2012-09-10 14:12:42 UTC
Description of problem:
If /var/cache/rhn/proxy-auth is removed on EL5, rhn-proxy is not able to create it again due to an SELinux denial. As a result, rhn-proxy cannot save its authentication token.

Easy workaround:

mkdir /var/cache/rhn/proxy-auth
chown apache:root /var/cache/rhn/proxy-auth
restorecon /var/cache/rhn/proxy-auth


Version-Release number of selected component (if applicable):
RHN-Proxy EL5 [5.4|5.5]

How reproducible:
100%

Steps to Reproduce:
1. Install RHN-Proxy on EL5 and activate it to Satellite.
2. Register a system to the RHN-Proxy (should pass).
3. Remove /var/cache/rhn/proxy-auth  on the system where RHN-Proxy runs.

  rm -fr /var/cache/rhn/proxy-auth

4. Try to register some system to RHN-Proxy once again (should fail).

Actual results:

type=AVC msg=audit(1347285180.433:221): avc:  denied  { write } for  pid=17915 comm="httpd" name="rhn" dev=dm-0 ino=77889933 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1347285180.433:221): avc:  denied  { add_name } for  pid=17915 comm="httpd" name="proxy-auth" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1347285180.433:221): avc:  denied  { create } for  pid=17915 comm="httpd" name="proxy-auth" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1347285180.433:221): arch=c000003e syscall=83 success=yes exit=0 a0=2b484c46f9d0 a1=1ed a2=2b4847e7a438 a3=2 items=0 ppid=17876 pid=17915 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347285180.433:222): avc:  denied  { setattr } for  pid=17915 comm="httpd" name="proxy-auth" dev=dm-0 ino=77955440 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1347285180.433:222): arch=c000003e syscall=92 success=no exit=-1 a0=2b484c46f9d0 a1=30 a2=0 a3=2 items=0 ppid=17876 pid=17915 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347285180.433:223): avc:  denied  { write } for  pid=17915 comm="httpd" name="proxy-auth" dev=dm-0 ino=77955440 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1347285180.433:223): avc:  denied  { add_name } for  pid=17915 comm="httpd" name="p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1347285180.433:223): avc:  denied  { create } for  pid=17915 comm="httpd" name="p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1347285180.433:223): arch=c000003e syscall=2 success=yes exit=18 a0=2b484ca6f000 a1=c1 a2=1a4 a3=6637343936376462 items=0 ppid=17876 pid=17915 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347285180.433:224): avc:  denied  { getattr } for  pid=17915 comm="httpd" path="/var/cache/rhn/proxy-auth/p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" dev=dm-0 ino=77955441 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1347285180.433:224): arch=c000003e syscall=4 success=yes exit=0 a0=2b484ca5dc70 a1=7fff1f41cb30 a2=7fff1f41cb30 a3=6637343936376462 items=0 ppid=17876 pid=17915 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347285180.433:225): avc:  denied  { lock } for  pid=17915 comm="httpd" path="/var/cache/rhn/proxy-auth/p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" dev=dm-0 ino=77955441 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1347285180.433:225): arch=c000003e syscall=72 success=yes exit=0 a0=12 a1=7 a2=7fff1f41cc90 a3=2b484c4a8428 items=0 ppid=17876 pid=17915 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347285180.433:226): avc:  denied  { write } for  pid=17915 comm="httpd" path="/var/cache/rhn/proxy-auth/p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" dev=dm-0 ino=77955441 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1347285180.433:226): arch=c000003e syscall=1 success=yes exit=104 a0=12 a1=2b484f4dc000 a2=68 a3=6f632e7461686465 items=0 ppid=17876 pid=17915 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1347285187.253:227): avc:  denied  { read } for  pid=17918 comm="httpd" name="p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" dev=dm-0 ino=77955441 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1347285187.253:227): arch=c000003e syscall=21 success=yes exit=0 a0=2b484895b910 a1=4 a2=2b4847e7a438 a3=6637343936376462 items=0 ppid=17876 pid=17918 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

Exception Handler Information
Traceback (most recent call last):
  File "/usr/share/rhn/proxy/rhnProxyAuth.py", line 149, in set_cached_token
    shelf[self.__cache_proxy_key()] = token
  File "/usr/share/rhn/proxy/rhnProxyAuth.py", line 399, in __setitem__
    return rhnCache.set(rkey, val)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 85, in set
    cache.set(name, value, modified, user, group, mode)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 373, in set
    self.cache.set(name, pickled, modified, user, group, mode)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 259, in set
    fd = self.set_file(name, modified, user, group, mode)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 296, in set_file
    fd = WriteLockedFile(name, modified, user, group, mode)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 184, in __init__
    self.fd = self.get_fd(name, user, group, mode)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 229, in get_fd
    fd = _safe_create(self.fname, user, group, mode)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/rhnCache.py", line 136, in _safe_create
    makedirs(dirname, mode, user, group)
  File "/usr/lib/python2.4/site-packages/spacewalk/common/fileutils.py", line 253, in makedirs
    os.mkdir(dirname, mode)
OSError: [Errno 13] Permission denied: '/var/cache/rhn/proxy-auth'

Expected results:
/var/cache/rhn/proxy-auth  is recreated as it is on EL6.



#ll -Z /var/cache/rhn/proxy-auth/
-rw-r--r--  apache apache root:object_r:spacewalk_proxy_cache_t 1000010028
-rw-r--r--  apache apache root:object_r:spacewalk_proxy_cache_t p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e
# ll -Zd /var/cache/rhn/proxy-auth/
drwxr-x---  apache root system_u:object_r:spacewalk_proxy_cache_t /var/cache/rhn/proxy-auth/
# ll -Zd /var/cache/rhn
drwxr-x---  apache root system_u:object_r:var_t          /var/cache/rhn

Additional info:


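Added example (not part of the original report): a small Python parser that groups the AVC denials shown under "Actual results" by source type, target type and object class, and lists objects under the cache path whose label differs from the spacewalk_proxy_cache_t type shown in the ll -Z output. The sample records are copied from the report; the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# AVC records copied from the report's audit log (SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1347285180.433:221): avc:  denied  { write } for  pid=17915 comm="httpd" name="rhn" dev=dm-0 ino=77889933 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1347285180.433:221): avc:  denied  { create } for  pid=17915 comm="httpd" name="proxy-auth" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1347285180.433:223): avc:  denied  { create } for  pid=17915 comm="httpd" name="p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1347285180.433:224): avc:  denied  { getattr } for  pid=17915 comm="httpd" path="/var/cache/rhn/proxy-auth/p1000010027130841d37ca1c6d56dfc3a2bd76947f45711803e" dev=dm-0 ino=77955441 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    # Contexts are user:role:type[:level]; policy rules match on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}

def mislabeled(log_text, expected_type, path_prefix):
    """Denied objects under path_prefix whose type is not expected_type."""
    hits = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("path", "").startswith(path_prefix) and rec["ttype"] != expected_type:
            hits.add((rec["path"], rec["ttype"]))
    return sorted(hits)

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE).items():
        print("%s -> %s (%s): %s" % (key + (", ".join(perms),)))
    print(mislabeled(SAMPLE, "spacewalk_proxy_cache_t", "/var/cache/rhn/proxy-auth"))
```

Every denial in the sample targets var_t, the type of the parent /var/cache/rhn in the ll -Zd output, so the summary points at a labelling problem on the recreated directory, which is what the restorecon step in the workaround corrects.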