- Bug
- Resolution: Duplicate
- Normal
- None
- rhel-8.10
- None
- Medium
- sst_security_selinux
- ssg_security
- None
- QE ack, Dev ack
- False
- No
- None
- If docs needed, set a value
- ppc64le
- None
Description of problem:
During the course of automated testing of subscription-manager on ppc64le, the following selinux denials have been appearing regularly...
Here are the denials in /var/log/audit.log...
type=AVC msg=audit(1689950723.971:7026): avc: denied { write } for pid=47447 comm="lscpu" name="mem" dev="devtmpfs" ino=3 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1689950724.041:7027): avc: denied { write } for pid=47520 comm="lscpu" name="mem" dev="devtmpfs" ino=3 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
Here is the tail of /var/log/rhsm/rhsm.log corresponding to the time of the denials above...
2023-07-21 10:45:25,005 [DEBUG] rhsmcertd-worker:47327:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,005 [DEBUG] rhsmcertd-worker:47327:MainThread @base_action_client.py:82 - running lib: <subscription_manager.installedproductslib.InstalledProductsActionInvoker object at 0x7fffa0fc8340>
2023-07-21 10:45:25,005 [DEBUG] rhsmcertd-worker:47327:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,005 [DEBUG] rhsmcertd-worker:47327:MainThread @cache.py:187 - Checking current system info against cache: /var/lib/rhsm/cache/installed_products.json
2023-07-21 10:45:25,005 [DEBUG] rhsmcertd-worker:47327:MainThread @cache.py:205 - No changes.
2023-07-21 10:45:25,005 [DEBUG] rhsmcertd-worker:47327:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,006 [DEBUG] rhsmcertd-worker:47327:MainThread @base_action_client.py:82 - running lib: <subscription_manager.syspurposelib.SyspurposeSyncActionInvoker object at 0x7fffa0fc84c0>
2023-07-21 10:45:25,006 [DEBUG] rhsmcertd-worker:47327:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,006 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:390 - Successfully read cached syspurpose contents.
2023-07-21 10:45:25,006 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:290 - Attempting to sync syspurpose content...
2023-07-21 10:45:25,006 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:1116 - Making request: GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679
2023-07-21 10:45:25,007 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:755 - Creating new connection
2023-07-21 10:45:25,009 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:725 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
2023-07-21 10:45:25,047 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:820 - Created connection: <ssl.SSLSocket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.0.2.181', 52774), raddr=('10.2.77.208', 443)>
2023-07-21 10:45:25,121 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:1196 - Response time: 0.000141143798828125, Smoothed response time: 0.00016839908719062805
2023-07-21 10:45:25,121 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:1150 - Response: status=200, requestUuid=613990c5-3f32-4144-bb8b-775981c3eb6e, request="GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679"
2023-07-21 10:45:25,121 [DEBUG] rhsmcertd-worker:47327:MainThread @connection.py:1156 - Server wants to close connection. Closing HTTP connection
2023-07-21 10:45:25,122 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:379 - Successfully read remote syspurpose from server.
2023-07-21 10:45:25,122 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:390 - Successfully read cached syspurpose contents.
2023-07-21 10:45:25,122 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:699 - Attempting a three-way merge...
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:651 - Successfully updated syspurpose values at '/etc/rhsm/syspurpose/syspurpose.json'.
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:652 - Failed to update syspurpose values at '/etc/rhsm/syspurpose/syspurpose.json'.
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:651 - Successfully updated syspurpose values at '/var/lib/rhsm/cache/syspurpose.json'.
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:652 - Failed to update syspurpose values at '/var/lib/rhsm/cache/syspurpose.json'.
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @files.py:316 - Successfully synced system purpose.
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @syspurposelib.py:282 - Syspurpose updated: Syspurpose Sync
status: None
updates:
exceptions:
2023-07-21 10:45:25,123 [DEBUG] rhsmcertd-worker:47327:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,124 [DEBUG] rhsmcertd-worker:47327:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,473 [DEBUG] rhsmcertd-worker:47592:MainThread @rhsmcertd_worker.py:179 - X-Correlation-ID: 41195c07196a4d62bd7f0c17943f0b33
2023-07-21 10:45:25,473 [DEBUG] rhsmcertd-worker:47592:MainThread @rhsmcertd_worker.py:183 - check for rhsmcertd disable
2023-07-21 10:45:25,475 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:238 - Environment variable NO_PROXY= will be used
2023-07-21 10:45:25,475 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:622 - Creating new BaseRestLib instance
2023-07-21 10:45:25,475 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:364 - Connection built: host=subscription.rhsm.stage.redhat.com port=443 handler=/subscription auth=identity_cert ca_dir=/etc/rhsm/ca/ insecure=False
2023-07-21 10:45:25,475 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1116 - Making request: GET /subscription/
2023-07-21 10:45:25,475 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:755 - Creating new connection
2023-07-21 10:45:25,479 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:725 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
2023-07-21 10:45:25,517 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:820 - Created connection: <ssl.SSLSocket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.0.2.181', 52782), raddr=('10.2.77.208', 443)>
2023-07-21 10:45:25,542 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1196 - Response time: 0.000118255615234375, Smoothed response time: 0.000118255615234375
2023-07-21 10:45:25,542 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1150 - Response: status=200, requestUuid=5366aa11-2447-44a7-86c0-702c76bc82fc, request="GET /subscription/"
2023-07-21 10:45:25,542 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1156 - Server wants to close connection. Closing HTTP connection
2023-07-21 10:45:25,543 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1405 - Server supports the following resources: {'entitlements': '/entitlements', '': '', 'subscriptions': '/subscriptions', 'roles': '/roles', 'jobs': '/jobs', 'activation_keys': '/activation_keys', 'admin': '/admin', 'pools': '/pools', 'rules': '/rules', 'owners': '/owners', 'cdn': '/cdn', 'content_overrides': '/consumers/
/packages'}
2023-07-21 10:45:25,543 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,543 [DEBUG] rhsmcertd-worker:47592:MainThread @base_action_client.py:82 - running lib: <subscription_manager.installedproductslib.InstalledProductsActionInvoker object at 0x7fffac398130>
2023-07-21 10:45:25,543 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,545 [DEBUG] rhsmcertd-worker:47592:MainThread @identity.py:142 - Loading consumer info from identity certificates.
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @cache.py:187 - Checking current system info against cache: /var/lib/rhsm/cache/installed_products.json
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @cache.py:205 - No changes.
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @base_action_client.py:82 - running lib: <subscription_manager.syspurposelib.SyspurposeSyncActionInvoker object at 0x7fffac3985e0>
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:390 - Successfully read cached syspurpose contents.
2023-07-21 10:45:25,546 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:290 - Attempting to sync syspurpose content...
2023-07-21 10:45:25,547 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1116 - Making request: GET /subscription/status
2023-07-21 10:45:25,547 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:755 - Creating new connection
2023-07-21 10:45:25,549 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:725 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
2023-07-21 10:45:25,589 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:820 - Created connection: <ssl.SSLSocket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.0.2.181', 52788), raddr=('10.2.77.208', 443)>
2023-07-21 10:45:25,615 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1196 - Response time: 0.00011038780212402344, Smoothed response time: 0.00011746883392333985
2023-07-21 10:45:25,615 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1150 - Response: status=200, requestUuid=069bfd1f-647f-45e9-90b4-2c3f35fa7230, request="GET /subscription/status"
2023-07-21 10:45:25,615 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1156 - Server wants to close connection. Closing HTTP connection
2023-07-21 10:45:25,615 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1449 - Server has the following capabilities: ['keycloak_auth', 'cloud_registration', 'instance_multiplier', 'derived_product', 'vcpu', 'cert_v3', 'hypervisors_heartbeat', 'remove_by_pool_id', 'syspurpose', 'storage_band', 'device_auth', 'cores', 'ssl_verify_status', 'multi_environment', 'hypervisors_async', 'org_level_content_access', 'guest_limit', 'ram', 'batch_bind', 'combined_reporting']
2023-07-21 10:45:25,616 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1116 - Making request: GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679
2023-07-21 10:45:25,616 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:755 - Creating new connection
2023-07-21 10:45:25,618 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:725 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
2023-07-21 10:45:25,657 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:820 - Created connection: <ssl.SSLSocket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.0.2.181', 52794), raddr=('10.2.77.208', 443)>
2023-07-21 10:45:25,727 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1196 - Response time: 0.000110626220703125, Smoothed response time: 0.00011678457260131837
2023-07-21 10:45:25,728 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1150 - Response: status=200, requestUuid=fa8164d3-d4b1-4e86-b710-74fd1c28c28f, request="GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679"
2023-07-21 10:45:25,728 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1156 - Server wants to close connection. Closing HTTP connection
2023-07-21 10:45:25,728 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:379 - Successfully read remote syspurpose from server.
2023-07-21 10:45:25,728 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:390 - Successfully read cached syspurpose contents.
2023-07-21 10:45:25,728 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:699 - Attempting a three-way merge...
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:651 - Successfully updated syspurpose values at '/etc/rhsm/syspurpose/syspurpose.json'.
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:652 - Failed to update syspurpose values at '/etc/rhsm/syspurpose/syspurpose.json'.
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:651 - Successfully updated syspurpose values at '/var/lib/rhsm/cache/syspurpose.json'.
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:652 - Failed to update syspurpose values at '/var/lib/rhsm/cache/syspurpose.json'.
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @files.py:316 - Successfully synced system purpose.
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @syspurposelib.py:282 - Syspurpose updated: Syspurpose Sync
status: None
updates:
exceptions:
2023-07-21 10:45:25,729 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,730 [DEBUG] rhsmcertd-worker:47592:MainThread @base_action_client.py:82 - running lib: <subscription_manager.healinglib.HealingActionInvoker object at 0x7fffac3982e0>
2023-07-21 10:45:25,730 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,730 [DEBUG] rhsmcertd-worker:47592:MainThread @plugins.py:592 - loaded plugin modules: []
2023-07-21 10:45:25,730 [DEBUG] rhsmcertd-worker:47592:MainThread @plugins.py:593 - loaded plugins: {}
2023-07-21 10:45:25,730 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1116 - Making request: GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679
2023-07-21 10:45:25,731 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:755 - Creating new connection
2023-07-21 10:45:25,733 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:725 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
2023-07-21 10:45:25,772 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:820 - Created connection: <ssl.SSLSocket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.0.2.181', 52808), raddr=('10.2.77.208', 443)>
2023-07-21 10:45:25,850 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1196 - Response time: 0.00012302398681640625, Smoothed response time: 0.00011740851402282715
2023-07-21 10:45:25,850 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1150 - Response: status=200, requestUuid=acf90f1d-29f9-44d9-a669-229a71fb35ad, request="GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679"
2023-07-21 10:45:25,850 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1156 - Server wants to close connection. Closing HTTP connection
2023-07-21 10:45:25,851 [WARNING] rhsmcertd-worker:47592:MainThread @healinglib.py:86 - Auto-heal disabled on server, skipping.
2023-07-21 10:45:25,851 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,851 [DEBUG] rhsmcertd-worker:47592:MainThread @base_action_client.py:82 - running lib: <subscription_manager.entcertlib.EntCertActionInvoker object at 0x7fffac400f10>
2023-07-21 10:45:25,851 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:181 - Locking file: /run/rhsm/cert.pid
2023-07-21 10:45:25,852 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1116 - Making request: GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679/certificates/serials
2023-07-21 10:45:25,852 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:755 - Creating new connection
2023-07-21 10:45:25,854 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:725 - Loaded CA certificates from /etc/rhsm/ca/: redhat-entitlement-authority.pem, redhat-uep.pem
2023-07-21 10:45:25,891 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:820 - Created connection: <ssl.SSLSocket fd=5, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('10.0.2.181', 52814), raddr=('10.2.77.208', 443)>
2023-07-21 10:45:25,953 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1196 - Response time: 0.00012183189392089844, Smoothed response time: 0.00011785085201263428
2023-07-21 10:45:25,953 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1150 - Response: status=200, requestUuid=5a3481c3-64c5-4e4f-8775-42fa507a8fb2, request="GET /subscription/consumers/d2154a89-29e9-47d8-8f6b-574523b30679/certificates/serials"
2023-07-21 10:45:25,953 [DEBUG] rhsmcertd-worker:47592:MainThread @connection.py:1156 - Server wants to close connection. Closing HTTP connection
2023-07-21 10:45:25,953 [INFO] rhsmcertd-worker:47592:MainThread @entcertlib.py:107 - certs updated:
Total updates: 0
Found (local) serial# []
Expected (UEP) serial# []
Added (new)
<NONE>
Deleted (rogue):
<NONE>
2023-07-21 10:45:25,954 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
2023-07-21 10:45:25,954 [DEBUG] rhsmcertd-worker:47592:MainThread @lock.py:226 - Unlocking file /run/rhsm/cert.pid
Here is the tail of /var/log/rhsm/rhsmcertd.log corresponding to the time of the denials above...
Fri Jul 21 10:45:23 2023 [DEBUG] (Cert check) executing: /usr/libexec/rhsmcertd-worker
Fri Jul 21 10:45:25 2023 [INFO] (Cert Check) Certificates updated.
Fri Jul 21 10:45:25 2023 [DEBUG] (Auto-attach) executing: /usr/libexec/rhsmcertd-worker --autoheal
Fri Jul 21 10:45:25 2023 [INFO] (Auto-attach) Certificates updated.
Version-Release number of selected component (if applicable):
[root@ibm-p9z-25-lp6 ~]# rpm -q subscription-manager selinux-policy
subscription-manager-1.29.35-1.el9.ppc64le
selinux-policy-38.1.17-1.el9.noarch
How reproducible:
Steps to Reproduce:
The automated IdentityTests.testIdentityIsBackedUpWhenConsumerIsDeletedServerSide(...) repeatedly produces this selinux denial.
Actual results:
selinux denials above
Expected results:
no selinux denials
Additional info:
- clones: RHEL-1547 encountering selinux denial on ppc64le during attempted write by lscpu during rhsmcertd process (Closed)
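For triaging denials like the two quoted in this report, here is an added example (not part of the original bug report and not Red Hat tooling) that parses AVC records, including two records fused onto one line as in the pasted audit log, and groups them by source type, target type, class, permission and command. It assumes the input holds only AVC records; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records from the report, fused as in the paste:
# the second record begins right after "permissive=0" with no newline.
_CTX = ('scontext=system_u:system_r:rhsmcertd_t:s0 '
        'tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0')
SAMPLE = (
    'type=AVC msg=audit(1689950723.971:7026): avc: denied { write } for pid=47447 '
    'comm="lscpu" name="mem" dev="devtmpfs" ino=3 ' + _CTX +
    'type=AVC msg=audit(1689950724.041:7027): avc: denied { write } for pid=47520 '
    'comm="lscpu" name="mem" dev="devtmpfs" ino=3 ' + _CTX
)

RECORD_START = re.compile(r'(?=type=AVC msg=audit\()')
HEADER = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Split raw audit text into AVC records, tolerating records fused on one line."""
    records = []
    for chunk in RECORD_START.split(text):
        m = HEADER.search(chunk)
        if m is None:
            continue  # leading text before the first record, or not an AVC record
        rec = {"ts": float(m.group(1)), "serial": int(m.group(2)),
               "result": m.group(3), "perms": tuple(m.group(4).split())}
        for key, val in FIELD.findall(chunk[m.end():]):
            rec[key] = val.strip('"')
        records.append(rec)
    return records


def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(records):
    """Group denials by (source type, target type, class, perms, comm)."""
    groups = defaultdict(lambda: {"count": 0, "pids": [], "enforced": True})
    for r in records:
        if r["result"] != "denied":
            continue
        key = (selinux_type(r["scontext"]), selinux_type(r["tcontext"]),
               r["tclass"], r["perms"], r.get("comm"))
        g = groups[key]
        g["count"] += 1
        g["pids"].append(int(r["pid"]))
        # permissive=0 means the access was actually blocked, not just logged
        g["enforced"] = g["enforced"] and r.get("permissive") == "0"
    return dict(groups)


if __name__ == "__main__":
    for key, g in summarize(parse_avc(SAMPLE)).items():
        print(key, g)
```

Both records in the report collapse into a single group, which makes it easy to see that repeated test runs produce one distinct denial rather than several.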