[Spacewalk-list] Selinux enforcing breaks rhnmd

James Hogarth james.hogarth at gmail.com
Thu Nov 8 13:19:29 UTC 2012


Hi,

I decided to try and make use of monitoring in Spacewalk...

I'm not sure since when this has not worked (an old 1.7 instance
behaves this way and my new 1.8 does as well), but with SELinux enforcing
I'm getting an AVC stopping rhnmd from working properly...

On start it shows:

service rhnmd restart
Stopping rhnmd:                                            [  OK  ]
Starting rhnmd:Could not load host key: /var/lib/nocpulse/.ssh/nocpulse-identity
                                                           [  OK  ]

The SELinux file type looks right so far as I can see:

ls -lZ /var/lib/nocpulse/.ssh/
-rw-------. nocpulse nocpulse system_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. nocpulse nocpulse unconfined_u:object_r:sshd_key_t:s0 nocpulse-identity
-rw-r--r--. nocpulse nocpulse unconfined_u:object_r:spacewalk_monitoring_var_lib_t:s0 nocpulse-identity.pub

Using audit2allow shows:

#============= sshd_t ==============
allow sshd_t spacewalk_monitoring_var_lib_t:dir search;

Looking at the rhnmd process, I see it as sshd_t:

unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 10093 ? 00:00:00 rhnmd

Looking at the TE file, it looks like the type should really
be spacewalk_monitoring_t?

Popping over to permissive, things work as you'd expect, with the following
AVC:

#============= sshd_t ==============
allow sshd_t spacewalk_monitoring_var_lib_t:dir search;

A quick check of Bugzilla didn't reveal much, but my search terms there
might not have been optimal...

Any ideas?

James