View Issue Details

IDProjectCategoryView StatusLast Update
0000086Rocky-Linux-8subscription-managerpublic2023-05-28 08:49
ReporterLukas Magauer Assigned ToRelease Engineering  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Summary0000086: SELinux is preventing rhsmcertd-worke from create access on the directory repos
DescriptionLooks like I found a bug in rhsm.
First, I hope it's okay to open an issue here first, to document, as tracking down the issue might take a longer time.

I saw on one of my systems weird SELinux messages, and then further searched on others as well, so I'm sure it comes down to the following environmental setup:
- Rocky Linux 8.5 with the latest packages installed to date
- Hosted on VMware ESXi 7.0U3c
- Servers are configured against a Katello 4.3 instance, which serves the repos
- Servers have different repos connected, but it looks to only be happening with the AppStream repo
- Servers with the error and also servers without the error have totally different module streams enabled and I don't see it appearing to be in connection with that
- Server also have pretty much different packages installed

And finally here is the information from sealert:

# sealert -l a1a79840-7651-4d36-ad6c-941801221c8b
SELinux is preventing rhsmcertd-worke from create access on the directory repos.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rhsmcertd-worke should be allowed create access on the repos directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp


Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0
Target Context system_u:object_r:rpm_var_lib_t:s0
Target Objects repos [ dir ]
Source rhsmcertd-worke
Source Path rhsmcertd-worke
Port <Unknown>
Host r8-ntopng-prod.fritz.box
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name r8-ntopng-prod.fritz.box
Platform Linux r8-ntopng-prod.fritz.box
                              4.18.0-348.el8.0.2.x86_64 #1 SMP Sun Nov 14
                              00:51:12 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2022-03-25 23:14:57 CET
Last Seen 2022-03-25 23:14:57 CET
Local ID a1a79840-7651-4d36-ad6c-941801221c8b

Raw Audit Messages
type=AVC msg=audit(1648246497.243:698): avc: denied { create } for pid=182053 comm="rhsmcertd-worke" name="repos" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0


Hash: rhsmcertd-worke,rhsmcertd_t,rpm_var_lib_t,dir,create



After seeing that output, I further searched in the rhsm.log file, which clearly shows from where the error is coming:

# cat /var/log/rhsm/rhsm.log | grep ERROR
2022-03-20 04:07:28,326 [ERROR] rhsmcertd-worker:1938239:MainThread @profile.py:145 - Unable to create sack object: Cannot create persistdir "/var/lib/dnf/repos/appstream-62ae9a0bbea44fbe": Permission denied
2022-03-20 08:07:28,402 [ERROR] rhsmcertd-worker:2097608:MainThread @profile.py:145 - Unable to create sack object: Cannot create persistdir "/var/lib/dnf/repos/appstream-62ae9a0bbea44fbe": Permission denied



I was already searching for this error in RedHat's Bugzilla, but only found similar once which don't appear to be the same issue
https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&short_desc=SELinux%20is%20preventing%20rhsmcertd-worke&short_desc_type=allwordssubstr

That's everything I found out up to now, if I can add more input, will off course do that
Unfortunately I can't test it with RHEL 8 right now as I don't have any commercial licenses I could add to Katello. Maybe somebody else could help on that part.

Thank you in advance!
TagsNo tags attached.

Activities

Lukas Magauer

Lukas Magauer

2023-05-28 08:49

QA   ~0003533

This was fixed by an upstream change to the subscription-manager SELinux policies.

Issue History

Date Modified Username Field Change
2023-05-28 08:49 Lukas Magauer Status assigned => resolved
2023-05-28 08:49 Lukas Magauer Resolution open => fixed
2023-05-28 08:49 Lukas Magauer Note Added: 0003533