Bug 543684

Summary: rhncfg-{client,manager} fail under strict selinux policy
Product: [Community] Spacewalk
Reporter: Joshua Roys <roysjosh>
Component: Clients
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED WORKSFORME
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Priority: low
Version: 0.7
CC: cperry, josh.kayse, jpazdziora
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2011-09-09 09:33:37 UTC
Bug Blocks: 723481    

Description Joshua Roys 2009-12-02 20:49:18 UTC
Description of problem:
rhncfg-{client,manager} are symlinks to files in /usr/share.  This gives them a usr_t context.

# ls -Z /usr/bin/rhncfg*
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/rhncfg-client -> ../../usr/share/rhn/config_client/rhncfg-client.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/rhncfg-manager -> ../../usr/share/rhn/config_management/rhncfg-manager.py
# ls -HZ /usr/bin/rhncfg*
-rwxr-xr-x  root root system_u:object_r:usr_t:s0       /usr/bin/rhncfg-client
-rwxr-xr-x  root root system_u:object_r:usr_t:s0       /usr/bin/rhncfg-manager
# rhncfg-client
-bash: /usr/bin/rhncfg-client: Permission denied
# chcon -t bin_t /usr/share/rhn/config_client/rhncfg-client.py
# rhncfg-client 
Usage: /usr/bin/rhncfg-client MODE [ --server-name name ] [ params ]


Version-Release number of selected component (if applicable):
Technically we're using the 0.6 series... and I know a lot of bugs were just switched to 0.8, so if this isn't the appropriate version feel free to move it.


How reproducible:
Install spacewalk on a machine with a strict selinux policy.  Try to run rhncfg client utilities.

  
Actual results:
avc.


Should a new rhncfg-selinux package be created?  A .fc stuck in rhncfg-{client,management}?  This needs to end up on all clients that will do config management and that will have a strict selinux policy enforced.

Thanks.
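
An added example, not part of the original report or of Spacewalk's code: it automates the `ls -Z` versus `ls -HZ` comparison above by reading the `security.selinux` xattr of each symlink in a directory and of the file it resolves to. The function names, the `expected=("bin_t",)` default (taken from the `chcon` fix in the report) and the layout and labels in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile

def selinux_label(path, follow):
    """SELinux context of path (of the link itself when follow=False), or None."""
    try:
        raw = os.getxattr(path, "security.selinux", follow_symlinks=follow)
    except OSError:
        return None  # unlabeled file, or a host without SELinux
    return raw.rstrip(b"\0").decode()

def context_type(label):
    """Type field of a user:role:type[:level] context string."""
    parts = label.split(":") if label else []
    return parts[2] if len(parts) >= 3 else None

def audit_symlinks(directory, expected=("bin_t",), get_label=selinux_label):
    """Return (link, target, link_type, target_type) where target_type is not expected."""
    findings = []
    for name in sorted(os.listdir(directory)):
        link = os.path.join(directory, name)
        target = os.path.realpath(link)
        if not os.path.islink(link) or not os.path.isfile(target):
            continue  # only symlinks that resolve to a regular file
        target_type = context_type(get_label(link, True))
        if target_type is None or target_type in expected:
            continue
        link_type = context_type(get_label(link, False))
        findings.append((link, target, link_type, target_type))
    return findings

def demo():
    """Constructed layout and labels: links are bin_t, the rhncfg target is usr_t."""
    root = os.path.realpath(tempfile.mkdtemp())
    bindir, share = os.path.join(root, "bin"), os.path.join(root, "share")
    os.mkdir(bindir)
    os.mkdir(share)
    for name in ("rhncfg-client", "other-tool"):
        open(os.path.join(share, name + ".py"), "w").close()
        os.symlink(os.path.join(share, name + ".py"), os.path.join(bindir, name))
    def fake_label(path, follow):
        is_rhncfg = os.path.basename(path).startswith("rhncfg")
        ttype = "usr_t" if follow and is_rhncfg else "bin_t"
        return "system_u:object_r:%s:s0" % ttype
    return audit_symlinks(bindir, get_label=fake_label)

if __name__ == "__main__":
    for link, target, link_type, target_type in audit_symlinks("/usr/bin"):
        print("%s (%s) -> %s (%s)" % (link, link_type, target, target_type))
```

Which target types a given domain may execute depends on the loaded policy, so pass the types your policy allows as `expected` rather than relying on the default.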

Comment 1 Milan Zázrivec 2010-08-05 10:06:08 UTC
Couldn't the change be that we simply move
/usr/share/rhn/config_client/rhncfg-client.py to /usr/bin/rhncfg-client
(same for rhncfg-manager), and let them have the bin_t context?

Comment 2 Jan Pazdziora (Red Hat) 2010-11-19 16:04:01 UTC
Mass-moving to space13.

Comment 3 Miroslav Suchý 2011-04-11 07:32:41 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 4 Miroslav Suchý 2011-04-11 07:36:53 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 5 Jan Pazdziora (Red Hat) 2011-07-20 11:50:40 UTC
Aligning under space16.

Comment 6 Jan Pazdziora (Red Hat) 2011-09-09 09:33:37 UTC
What was the AVC denial exactly?

Anyway, on my RHEL 5.7 with latest rhncfg-client, I can see:

# rhncfg-client
Usage: /usr/bin/rhncfg-client MODE [ --server-name name ] [ params ]
Valid modes are:
	diff
	get
	list
	elist
	channels
	verify
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        strict

Comment 7 Jan Pazdziora (Red Hat) 2011-09-09 09:38:52 UTC
The package versions I've tried were

rhncfg-client-5.10.14-1.el5.noarch
rhn-check-1.6.15-1.el5.noarch
rhncfg-5.10.14-1.el5.noarch
rhnlib-2.5.45-1.el5.noarch