Bug 1170616
| Summary: | missing fcontext definition for /var/cache/rhn/satsync | ||
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Lukas Pramuk <lpramuk> |
| Component: | Satellite Synchronization | Assignee: | Michael Mráka <mmraka> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Lukas Pramuk <lpramuk> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | cperry, pstudeni |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | spacewalk-backend-2.3.3-23-sat | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-01-13 10:19:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1127215 | ||
|
Description
Lukas Pramuk
2014-12-04 13:09:39 UTC
Well, it the other way round - /var/cache/rhn/satsync is explicitly set to var_t in spacewalk-selinux but files has been created with wrong context (inherited from /var/cache/rhn -> /var/cache/rhn/satsync -> /var/cache/rhn/satsync/* at creation time).
So we need to create /var/cache/rhn/satsync with vat_t and all (sub) files/dirs will inherit correct context.
Fixed in spacewalk master by
commit 79e7d08f5f6d6481a172b3a37210fa9158771133
1170616 - create (and label) /var/cache/rhn/satsync
so all files under it are created with correct filecontext
Additional Makefile fix in spacewalk master commit 03685e0ec495488559c51827850e066ff4906618 Backported to SATELLITE-5.7 as
commit 4d53035743b196c789e94b01514049ca74c5627a
1170616 - create (and label) /var/cache/rhn/satsync
so all files under it are created with correct filecontext
VERIFIED. spacewalk-backend-2.3.3-23.el6sat.noarch SELinux context of /var/cache/rhn/satsync was set to var_t already before the fix. # semanage fcontext -l | grep /var/cache/rhn/satsync /var/cache/rhn/satsync(/.*)? all files system_u:object_r:var_t:s0 But now this directory is created during rpm install with correct context, so it won't be labelled differently (as inherited from upper directory) # ll -dZ /var/cache/rhn/satsync drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/cache/rhn/satsync Finally, filecontext restore has nothing to do here: FIX: # restorecon -rv /var/cache/rhn/satsync <empy> vs. REPRODUCER: # restorecon -rv /var/cache/rhn/satsync restorecon reset /var/cache/rhn/satsync context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0 restorecon reset /var/cache/rhn/satsync/errata context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0 ... Reveriffied with spacewalk-java-2.3.8-96.el6sat.noarch ll -dZ /var/cache/rhn/satsync drwxr-xr-x. root root system_u:object_r:var_t:s0 /var/cache/rhn/satsync /var/cache/rhn/satsync(/.*)? all files system_u:object_r:var_t:s0 With the release of Red Hat Satellite 5.7 on January 12th 2015 this bug is being moved to a Closed Current Release state. The Satellite 5.7 GA Errata: - https://rhn.redhat.com/errata/RHSA-2015-0033.html Satellite 5.7 Release Notes: - https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html-single/Release_Notes/index.html Satellite Customer Portal Blog announcement for release: - https://access.redhat.com/blogs/1169563/posts/1315743 Cliff |