View Issue Details

IDProjectCategoryView StatusLast Update
0000086Rocky-Linux-8subscription-managerpublic2022-03-26 00:38
ReporterLukas Magauer Assigned ToRelease Engineering  
PrioritynormalSeverityminorReproducibilityalways
Status assignedResolutionopen 
Summary0000086: SELinux is preventing rhsmcertd-worke from create access on the directory repos
DescriptionLooks like I found a bug in rhsm.
First, I hope it's okay to open an issue here first, to document, as tracking down the issue might take a longer time.

I saw on one of my systems weird SELinux messages, and then further searched on others as well, so I'm sure it comes down to the following environmental setup:
- Rocky Linux 8.5 with the latest packages installed to date
- Hosted on VMware ESXi 7.0U3c
- Servers are configured against a Katello 4.3 instance, which serves the repos
- Servers have different repos connected, but it looks to only be happening with the AppStream repo
- Servers with the error and also servers without the error have totally different module streams enabled and I don't see it appearing to be in connection with that
- Server also have pretty much different packages installed

And finally here is the information from sealert:

# sealert -l a1a79840-7651-4d36-ad6c-941801221c8b
SELinux is preventing rhsmcertd-worke from create access on the directory repos.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that rhsmcertd-worke should be allowed create access on the repos directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rhsmcertd-worke' --raw | audit2allow -M my-rhsmcertdworke
# semodule -X 300 -i my-rhsmcertdworke.pp


Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0
Target Context system_u:object_r:rpm_var_lib_t:s0
Target Objects repos [ dir ]
Source rhsmcertd-worke
Source Path rhsmcertd-worke
Port <Unknown>
Host r8-ntopng-prod.fritz.box
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Local Policy RPM selinux-policy-targeted-3.14.3-80.el8_5.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name r8-ntopng-prod.fritz.box
Platform Linux r8-ntopng-prod.fritz.box
                              4.18.0-348.el8.0.2.x86_64 #1 SMP Sun Nov 14
                              00:51:12 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2022-03-25 23:14:57 CET
Last Seen 2022-03-25 23:14:57 CET
Local ID a1a79840-7651-4d36-ad6c-941801221c8b

Raw Audit Messages
type=AVC msg=audit(1648246497.243:698): avc: denied { create } for pid=182053 comm="rhsmcertd-worke" name="repos" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir permissive=0


Hash: rhsmcertd-worke,rhsmcertd_t,rpm_var_lib_t,dir,create



After seeing that output, I further searched in the rhsm.log file, which clearly shows from where the error is coming:

# cat /var/log/rhsm/rhsm.log | grep ERROR
2022-03-20 04:07:28,326 [ERROR] rhsmcertd-worker:1938239:MainThread @profile.py:145 - Unable to create sack object: Cannot create persistdir "/var/lib/dnf/repos/appstream-62ae9a0bbea44fbe": Permission denied
2022-03-20 08:07:28,402 [ERROR] rhsmcertd-worker:2097608:MainThread @profile.py:145 - Unable to create sack object: Cannot create persistdir "/var/lib/dnf/repos/appstream-62ae9a0bbea44fbe": Permission denied



I was already searching for this error in RedHat's Bugzilla, but only found similar once which don't appear to be the same issue
https://bugzilla.redhat.com/buglist.cgi?query_format=advanced&short_desc=SELinux%20is%20preventing%20rhsmcertd-worke&short_desc_type=allwordssubstr

That's everything I found out up to now, if I can add more input, will off course do that
Unfortunately I can't test it with RHEL 8 right now as I don't have any commercial licenses I could add to Katello. Maybe somebody else could help on that part.

Thank you in advance!
TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change