Bug 619654
| Summary: | SELinux is preventing /usr/bin/python "write" access on /var/spool/up2date/loginAuth.pkl. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Ladar Levison <ladar> |
| Component: | rhn-client-tools | Assignee: | Milan Zázrivec <mzazrivec> |
| Status: | CLOSED DUPLICATE | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 6.0 | CC: | ddumas, dvlasenk, dwalsh, gavin, james.antill, jmoskovc, kklic, msuchy, mzazrivec, notting, npajkovs, syeghiay |
| Target Milestone: | rc | Keywords: | RHELNAK |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | setroubleshoot_trace_hash:153bf3545e4fb6d251abcf0c0fbf12ede825c8686981edce50299d05a4b2c3b4 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-08-09 17:28:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ladar Levison
2010-07-30 04:36:54 UTC

This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. **

What is /var/spool/up2date/loginAuth.pkl? Is this a log file where you have all apps being updated having their stdout pointing at it? Or is this a leaked file descriptor?

/var/spool/up2date/loginAuth.pkl is a pickle file which caches authentication information for connecting to RHN, RHN Satellite or Spacewalk. The file is being used by every process (via rhnlib or rhn-client-tools libraries) trying to authenticate with RHN, such as rhn_check or in this case yum (which has yum-rhn-plugin enabled).

Is there something that we (as in the owners of the rhn-client-tools / yum-rhn-plugin code) can do to resolve the problem?

Open it for append instead of write.

This essentially is the same problem as bug #619653

Yes and no. We can set the labeling correctly, but the tool should not be opening a log file as write and then passing the open descriptor to lots of other commands. If the confined commands have write, they can truncate the log file. If they have append they can only add data to the end of the log file.

So should this be assigned to rhn-client-tools?

(In reply to comment #8)
> So should this be assigned to rhn-client-tools?

No. There's nothing to fix in the land of rhn-client-tools really.

/var/spool/up2date/loginAuth.pkl is not a log file and cannot be opened in append mode. The file is either being opened for read when yum (or yum-rhn-plugin) needs to get the authentication information or in write mode when the file needs to be truncated and its content replaced with new authentication info (for example when the old authentication info expires). So it's sort of a cookie mechanism.

This really is a matter of SELinux policy (or labeling) and looking at the solution for bug #619653 I see /var/spool/up2date/loginAuth.pkl already got rpm_var_cache_t context which will allow write for abrt_t (among others).

In other words, solution for bug #619653 also effectively solves problem of this bug and as such I suggest to close this bug as a duplicate of #619653 (unless somebody objects).

Closing based on ^^^

*** This bug has been marked as a duplicate of bug 619653 ***
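The two points argued in the thread, as an added example that is not part of the bug report or of rhn-client-tools: a descriptor opened for append cannot rewrite existing data, and a pickle cache refreshed in append mode still returns the old entry to a reader. File names and dictionary contents are constructed, and the code uses plain open modes on a temporary directory with no SELinux policy involved.

```python
import os
import pickle
import tempfile

def write_cache(path, auth, mode):
    """Store auth in a pickle cache using the given open() mode ('wb' or 'ab')."""
    with open(path, mode) as fh:
        pickle.dump(auth, fh)

def read_cache(path):
    """Read the cache the way a consumer would: a single pickle.load() call."""
    with open(path, "rb") as fh:
        return pickle.load(fh)

def overwrite_attempt_on_append_fd(path, data):
    """Seek to offset 0 on an O_APPEND descriptor, write, return the file content."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND)
    try:
        os.lseek(fd, 0, os.SEEK_SET)   # ignored for writes: O_APPEND forces end of file
        os.write(fd, data)
    finally:
        os.close(fd)
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    # Constructed stand-ins for cached authentication data.
    old = {"token": "constructed-old-token", "expires": 100}
    new = {"token": "constructed-new-token", "expires": 200}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in ("wb", "ab"):
            path = os.path.join(d, "loginAuth-%s.pkl" % mode)
            write_cache(path, old, "wb")     # initial cache entry
            write_cache(path, new, mode)     # refresh after expiry
            results[mode] = read_cache(path)
        log = os.path.join(d, "example.log")
        with open(log, "wb") as fh:
            fh.write(b"line1\n")
        results["append_fd"] = overwrite_attempt_on_append_fd(log, b"XXXXX\n")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "ab" refresh leaves the expired entry at the front of the file, which is what `pickle.load()` returns, so a cache of this kind needs truncating write access, while the log file keeps its first line intact under an append-only descriptor.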