[Spacewalk-list] Selinux enforcing breaks rhnmd
James Hogarth
james.hogarth at gmail.com
Thu Nov 8 13:19:29 UTC 2012
Hi,
I decided to try and make use of monitoring in Spacewalk...
I'm not sure when this might not have worked from (an old 1.7 instance
behaves this way and my new 1.8 does as well) but with SELinux enforcing
I'm getting an AVC stopping rhnmd from working properly...
On start it shows:
service rhnmd restart
Stopping rhnmd: [ OK ]
Starting rhnmd:Could not load host key: /var/lib/nocpulse/.ssh/nocpulse-identity
[ OK ]
The SELinux file type looks right so far as I can see:
ls -lZ /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse system_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. nocpulse nocpulse unconfined_u:object_r:sshd_key_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:spacewalk_monitoring_var_lib_t:s0 nocpulse-identity.pub
Using audit2allow shows:
#============= sshd_t ==============
allow sshd_t spacewalk_monitoring_var_lib_t:dir search;
Looking at the rhnmd process I see it as sshd_t:
unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 10093 ? 00:00:00 rhnmd
Looking at the TE file it looks like the type should really
be spacewalk_monitoring_t?
Popping over to permissive, things work as you'd expect, with the following
AVC:
#============= sshd_t ==============
allow sshd_t spacewalk_monitoring_var_lib_t:dir search;
A quick check of Bugzilla didn't reveal much but my search terms there
might not have been optimal...
Any ideas?
James
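
Added example, not part of the message above and not Spacewalk or audit2allow code: a small parser that reduces raw AVC denials to the kind of allow rule quoted in the post and also reports when the denied process runs in a different domain than expected. The log records are constructed, and the expected domain for rhnmd is an assumption taken from the question raised in the post.

```python
import re
from collections import defaultdict
# Constructed audit.log records for illustration (not taken from the post).
_CTX = ('scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
        'tcontext=system_u:object_r:spacewalk_monitoring_var_lib_t:s0 tclass=dir')
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1352380000.101:411): avc:  denied  { search } for  '
    f'pid=10093 comm="rhnmd" name="nocpulse" dev=dm-0 ino=131 {_CTX}',
    'type=SYSCALL msg=audit(1352380000.101:411): arch=c000003e success=no',
    'type=AVC msg=audit(1352380000.205:412): avc:  denied  { search } for  '
    f'pid=10093 comm="rhnmd" name=".ssh" dev=dm-0 ino=132 {_CTX}',
])
# Assumption: the domain the post suggests rhnmd "should really" run in.
EXPECTED_DOMAIN = {"rhnmd": "spacewalk_monitoring_t"}
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?'
                 r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\w+)')
COMM = re.compile(r'\bcomm="([^"]*)"')

def parse_denials(log_text):
    """Return one dict per AVC denial, reduced to SELinux types."""
    denials = []
    for line in log_text.splitlines():
        m = AVC.search(line) if line.startswith("type=AVC") else None
        if m:
            comm = COMM.search(line)
            denials.append({"comm": comm.group(1) if comm else None,
                            "source": m.group(2).split(":")[2],
                            "target": m.group(3).split(":")[2],
                            "tclass": m.group(4), "perms": m.group(1).split()})
    return denials

def allow_rules(denials):
    """Merge repeated denials into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {text};")
    return rules

def domain_mismatches(denials, expected):
    """(comm, observed, expected) where a process runs in another domain."""
    return sorted({(d["comm"], d["source"], expected[d["comm"]]) for d in denials
                   if d["comm"] in expected and d["source"] != expected[d["comm"]]})

if __name__ == "__main__":
    print(allow_rules(parse_denials(SAMPLE_LOG)))
```

Running `domain_mismatches` alongside `allow_rules` separates a missing permission from a process labelled with the wrong domain, which a generated allow rule alone does not show.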