Bug 514320
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux Prevents osa-dispatcher From Starting on Fedora 10 | | |
| Product: | [Community] Spacewalk | Reporter: | Devan Goodwin <dgoodwin> |
| Component: | Server | Assignee: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 0.6 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2009-09-10 12:06:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 456554 | | |
Comment 0 (Description)

Version-Release number of selected component (if applicable): Fedora 10 latest packages and:

```
[root@sw2 ~]# rpm -qa | grep selinux
oracle-instantclient-selinux-10.2-15.fc10.noarch
spacewalk-monitoring-selinux-0.6.12-1.fc10.noarch
oracle-instantclient-sqlplus-selinux-10.2-15.fc10.noarch
osa-dispatcher-selinux-5.9.20-1.fc10.noarch
libselinux-2.0.78-1.fc10.i386
selinux-policy-3.5.13-65.fc10.noarch
oracle-nofcontext-selinux-0.1-23.10.fc10.noarch
jabberd-selinux-1.4.6-1.fc10.noarch
libselinux-python-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-65.fc10.noarch
spacewalk-selinux-0.6.13-1.fc10.noarch
libselinux-utils-2.0.78-1.fc10.i386
```

How reproducible: 100% (I think)

Steps to Reproduce:
1. Install 0.6 devel on Fedora 10
2. Check osa-dispatcher status

Actual results: dead but pid exists.

Expected results: Running.

Additional info:

```
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.051:12): avc: denied { execute } for pid=4715 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.096:13): avc: denied { execute } for pid=4716 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.105:14): avc: denied { execute } for pid=4717 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.114:15): avc: denied { execute } for pid=4718 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.150:16): avc: denied { execute } for pid=4719 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 jabberd/c2s[4605]: [7] [127.0.0.1, port=38607] connect
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.802:17): avc: denied { read } for pid=4724 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-0 ino=843934 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file
```

Haven't yet been able to test on Fedora 11 and RHEL 5, will update if this issue arises there also.

Comment 1

Could you please paste output of # semodule -l and # getenforce ? Also, did the problem show up on F11 or is this F10 issue only?

Comment 2

```
[root@sw2 ~]# semodule -l
ada	1.2.0
aide	1.4.0
amanda	1.10.0
amavis	1.8.0
amtu	1.1.0
apache	1.11.0
apcupsd	1.4.0
arpwatch	1.6.0
audio_entropy	1.4.0
automount	1.10.0
avahi	1.9.0
awstats	1.0.0
bind	1.8.0
bitlbee	1.1.0
bluetooth	2.2.0
calamaris	1.3.0
canna	1.8.0
ccs	1.3.0
cdrecord	1.4.0
certmaster	1.0.0
certwatch	1.0
cipe	1.4.0
clamav	1.6.0
comsat	1.5.0
consolekit	1.3.0
courier	1.6.0
cups	1.11.0
cvs	1.7.0
cyphesis	1.0.0
cyrus	1.7.0
daemontools	1.2.0
dbskk	1.4.0
dcc	1.6.0
dhcp	1.6.0
dictd	1.6.0
dnsmasq	1.6.0
dovecot	1.9.0
ethereal	1.5.0
exim	1.2.0
fail2ban	1.2.0
fetchmail	1.7.0
finger	1.7.0
ftp	1.9.0
games	1.7.0
gitosis	1.0.0
gnome	1.3.0
gnomeclock	1.0.0
gpg	1.6.0
gpm	1.5.0
gpsd	1.0.0
guest	1.0.0
hal	1.10.0
howl	1.6.0
inn	1.7.0
ipsec	1.8.0
irc	1.4.0
iscsid	1.5.0
jabber	1.4.6.1
java	1.8.0
kerberos	1.8.0
kerneloops	1.1.0
kismet	1.1.0
ktalk	1.6.0
ldap	1.8.0
lircd	1.0.0
livecd	1.0.0
lockdev	1.2.0
logadm	1.0.0
lpd	1.10.0
mailman	1.5.0
mailscanner	1.0.0
memcached	1.0.0
milter	1.0.0
mono	1.5.0
mozilla	1.6.0
mplayer	1.5.0
mrtg	1.5.0
munin	1.5.0
mysql	1.9.0
nagios	1.6.0
netlabel	1.2.0
nis	1.7.0
nsplugin	1.0.0
ntp	1.7.0
nx	1.3.0
oddjob	1.5.0
openct	1.3.0
openoffice	1.0.0
openvpn	1.6.0
oracle-nofcontext	1.1.1
osa-dispatcher	5.9.20.1
pads	0.0.1
pcscd	1.4.0
pegasus	1.6.0
pingd	1.0.0
podsleuth	1.0.0
polkit_auth	1.0.0
portmap	1.7.0
portreserve	1.0.0
postfix	1.9.0
postgresql	1.7.0
postgrey	1.5.0
ppp	1.9.0
prelude	1.0.0
privoxy	1.7.0
procmail	1.9.0
psad	1.0.0
publicfile	1.1.0
pyzor	1.6.0
qemu	1.0.0
qmail	1.4.0
radius	1.9.0
radvd	1.9.0
razor	1.4.0
rdisc	1.6.0
remotelogin	1.5.0
rhgb	1.7.0
ricci	1.4.0
rlogin	1.7.0
roundup	1.5.0
rpcbind	1.2.0
rshd	1.5.0
rsync	1.7.0
rwho	1.5.0
samba	1.10.0
sambagui	1.0.0
sasl	1.10.0
screen	1.4.0
slocate	1.8.0
smartmon	1.7.0
snmp	1.8.0
snort	1.6.0
soundserver	1.6.0
spacewalk-monitoring	0.6.12.1
spacewalk	0.6.13.1
spamassassin	1.10.0
squid	1.7.0
staff	1.0.0
stunnel	1.7.0
sysstat	1.3.0
tcpd	1.3.0
telnet	1.7.0
tftp	1.9.0
tmpreaper	1.3.0
tor	1.5.0
tvtime	1.4.0
ulogd	1.0.0
uml	1.6.0
unconfined	2.4.0
unprivuser	1.1.0
usbmodules	1.1.0
userhelper	1.4.0
usernetctl	1.4.0
uucp	1.8.0
virt	1.0.0
vmware	1.6.0
vpn	1.9.0
w3c	1.0.0
webadm	1.0.0
webalizer	1.7.0
wine	1.5.0
xen	1.7.0
xfs	1.4.0
xguest	1.0.0
zabbix	1.2.0
zebra	1.8.0
zosremote	1.0.0
[root@sw2 ~]# getenforce
Permissive
[root@sw2 ~]#
```

There's a separate bug filed on F11 selinux issues; this issue does appear to be happening there as well.

Comment 3

The AVC denial

```
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
```

seems to be caused by the fact that the osa-dispatcher process calls

```
execve("/bin/sh", ["sh", "-c", "echo $HOME"], [/* 27 vars */]) = 0
```

It seems to be caused by rpm. The trouble is that even if the osa_dispatcher.py code essentially needs to do

```python
from server.rhnSQL.sql_base import sql_types
```

it loads server/__init__.py, and from there the rhnHandler, all the way up to rhn_rpm and rpm. And the rpm package presumably does more than just loading the Python code.

We actually have this problem described in bug 479987.

Comment 4

The AVC denial

```
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.802:17): avc: denied { read } for pid=4724 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-0 ino=843934 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file
```

issue was addressed in Spacewalk repo, master, b5495e93327076e60a7667e6491ead05d6528673.

Comment 5

(In reply to comment #3)
> The AVC denial
>
> Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Note to self -- the complete list of AVC denials for this issue, from Permissive machine, is

```
type=AVC msg=audit(1249310665.197:257): avc: denied { execute } for pid=4228 comm="osa-dispatcher" name="bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { read } for pid=4228 comm="osa-dispatcher" name="bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { execute_no_trans } for pid=4228 comm="osa-dispatcher" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.204:258): avc: denied { getattr } for pid=4228 comm="sh" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
```

Comment 6

Spacewalk 0.6 released
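The denials quoted throughout this bug all have the same shape: a source domain (`osa_dispatcher_t`), a target type (`shell_exec_t` for the bash execution, `osa_dispatcher_var_run_t` for the pid file), an object class and a set of permissions, logged either through the kernel ring buffer (`type=1400 ...`) or in audit.log (`type=AVC ...`). The script below is an added example, not code from this bug report or from the Spacewalk project: it parses both forms, groups the denials the way a triager reads them, renders the allow rule that audit2allow would propose for each group, and flags the finding that mattered here, a confined daemon domain attempting to execute a shell (the `execve("/bin/sh", ...)` from the rpm import in comment 3). It uses only the Python standard library; the sample lines are the ones quoted in this bug, plus one unrelated jabberd line, assembled here as constructed input.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug, in both the
# kernel/syslog form (type=1400 ...) and the /var/log/audit/audit.log form
# (type=AVC ...), plus one unrelated jabberd line that the parser must skip.
SAMPLE_LOG = """\
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 jabberd/c2s[4605]: [7] [127.0.0.1, port=38607] connect
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.802:17): avc: denied { read } for pid=4724 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-0 ino=843934 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { execute_no_trans } for pid=4228 comm="osa-dispatcher" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.204:258): avc: denied { getattr } for pid=4228 comm="sh" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

# Both log forms end in: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def context_type(ctx):
    """A context is user:role:type[:level]; return the type (or the raw string if malformed)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if quoted else bare
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'pid': fields.get('pid'),
        'comm': fields.get('comm'),
        # The kernel logs either a bare file name or a full path, depending on what it could resolve.
        'target': fields.get('path') or fields.get('name'),
        'sdomain': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
    }


def summarize(log_text):
    """Group denials by (source domain, target type, object class), unioning the denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        groups[(rec['sdomain'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in groups.items()}


def as_te_rules(summary):
    """Render each group as the allow rule audit2allow would propose, so the cost of 'just allow it' is visible."""
    return [f"allow {sdom} {ttype}:{tclass} {{ {' '.join(perms)} }};"
            for (sdom, ttype, tclass), perms in sorted(summary.items())]


def shell_executors(summary):
    """Domains that tried to execute a shell: the signal that pointed at the rpm import in this bug."""
    return sorted({sdom for (sdom, ttype, _), perms in summary.items()
                   if ttype == 'shell_exec_t' and 'execute' in perms})


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    for rule in as_te_rules(s):
        print(rule)
    print('domains spawning a shell:', shell_executors(s))
```

Grouping by (domain, type, class) rather than listing raw records is what makes the two problems in this bug separable at a glance: the pid-file read is a one-permission gap in the daemon's own `_var_run_t` type, while the `shell_exec_t` group shows a confined daemon executing `/bin/bash`, which is the kind of rule one should not grant without first asking why the daemon needs a shell at all (here: it did not, the rpm module spawned it).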