What is the correct port_type for rhsmd service?

Jack BeNimble asked:

I’m running RHEL 7.6 from behind a proxy. I’ve entered the proxy information in a few configuration files and have generally succeeded in gaining access to the rhel repositories, especially when using yum from the command line.

However, I keep getting “New SELinux Security Alert, AVC denial, click icon to view”. I’m getting erratic results from the package installer GUI, so I’m wondering if this is the problem.

If I do this search:

sealert -a /var/log/audit/audit.log

It reveals the following error message:

If you want to allow rhsmd to connect to network port 10415
Then you need to modify the port type.
Do
semanage port -a -t PORT_TYPE -p tcp 10415
where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_cache_port_t, http_port_t, netport_port_t, squid_port_t, websm_port_t.

Any idea which port_type would be the correct one? I tried http_port_t, but no luck.

P.S. I also tried another option suggested in the error message as well, but no luck there:

ausearch -c 'rhsmd' --raw | audit2allow -M my-rhsmd
semodule -i my-rhsmd.pp

Edit: Here’s the entire text of the message:

SELinux is preventing rhsmd from name_connect access on the tcp_socket port 10415.

***** Plugin connect_ports (92.2 confidence) suggests *********************

If you want to allow rhsmd to connect to network port 10415
Then you need to modify the port type.
Do

semanage port -a -t PORT_TYPE -p tcp 10415

where PORT_TYPE is one of the following: dns_port_t, dnssec_port_t, http_cache_port_t, http_port_t, netport_port_t, squid_port_t, websm_port_t.

***** Plugin catchall_boolean (7.83 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

***** Plugin catchall (1.41 confidence) suggests **************************

If you believe that rhsmd should be allowed name_connect access on the port 10415 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

ausearch -c 'rhsmd' --raw | audit2allow -M my-rhsmd

semodule -i my-rhsmd.pp

Additional Information:
Source Context system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023
Target Context system_u:object_r:unreserved_port_t:s0
Target Objects port 10415 [ tcp_socket ]
Source rhsmd

My answer:


You should do what the first recommendation says, because you are using port 10415 as an HTTP proxy. So you should tell SELinux to allow such traffic to that port. For example:

semanage port -a -t http_port_t -p tcp 10415

View the full question and any other answers on Server Fault.
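
As an added example (not part of the original question or answer), this shell script pulls the name_connect denials out of raw audit records and prints, for review, the labelling command the answer gives. The function names and the sample record (timestamp, pid) are constructed here; the port type is whatever the caller passes in.

```shell
#!/bin/sh
# Constructed sample record modelled on the denial quoted in the question
# (timestamp and pid are made up for illustration).
SAMPLE_AVC='type=AVC msg=audit(1550000000.000:100): avc:  denied  { name_connect } for  pid=1234 comm="rhsmd" dest=10415 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Read raw audit records on stdin; print "comm port source_domain target_type"
# once per distinct name_connect denial.
name_connect_denials() {
    awk '
    /avc:/ && /denied/ && /name_connect/ {
        comm = port = sdom = ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^dest=/)     { port = $i; sub(/^dest=/, "", port) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); sdom = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
        }
        key = comm " " port " " sdom " " ttype
        if (port != "" && !(key in seen)) { seen[key] = 1; print key }
    }'
}

# Print (do not run) the labelling command for one TCP port. Anything that is
# not a port number in 1-65535 or a *_port_t type name is rejected, so values
# taken from a log cannot carry shell syntax into a command run as root.
port_label_cmd() {
    port=$1 type=$2
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $type in ''|*[!a-z0-9_]*) return 1 ;; *_port_t) ;; *) return 1 ;; esac
    printf 'semanage port -a -t %s -p tcp %s\n' "$type" "$port"
}

# Stand-alone run on the sample record, using the type from the answer.
# On a live host, feed it with: ausearch -m AVC -c rhsmd --raw
printf '%s\n' "$SAMPLE_AVC" | name_connect_denials |
while read -r comm port sdom ttype; do
    echo "# $comm ($sdom) -> tcp/$port, currently labelled $ttype"
    port_label_cmd "$port" http_port_t
done
```
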

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.