Bug 627984

Summary: Unconfined jabberd in Spacewalk 1.1
Product: [Community] Spacewalk
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: Server
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Minar <mminar>
Severity: medium
Priority: high
Version: 1.1
CC: mkoci, mminar
Hardware: All
OS: Linux
Fixed In Version: jabberd-selinux-1.5.1-1
Doc Type: Bug Fix
Clone Of:
: 634220
Last Closed: 2010-11-19 16:16:38 UTC
Bug Depends On: 628495
Bug Blocks: 556787, 623772, 634220

Description Jan Pazdziora (Red Hat) 2010-08-27 15:06:37 UTC
Description of problem:

With a fresh installation of Spacewalk 1.1 on RHEL 5.5, the jabberd processes do not seem to be properly confined.

Version-Release number of selected component (if applicable):

# rpm -qa | grep jabber | sort
jabberd-2.2.8-2.el5
jabberd-selinux-1.4.8-1.el5
jabberpy-0.5-0.17.el5
spacewalk-setup-jabberd-1.1.1-1.el5
# semodule -l | grep jabber
jabber	1.4.8.1

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install Spacewalk 1.1.
2. Run /bin/ps -eZ | /bin/egrep "initrc"
  
Actual results:

# /bin/ps -eZ | /bin/egrep "initrc"
system_u:system_r:initrc_t       2743 ?        00:00:00 router
system_u:system_r:initrc_t       2767 ?        00:00:00 sm
system_u:system_r:initrc_t       2791 ?        00:00:00 c2s
system_u:system_r:initrc_t       2815 ?        00:00:00 s2s
system_u:system_r:initrc_t       2878 ?        00:00:00 rhnsearchd
system_u:system_r:initrc_t       2926 ?        00:00:00 rhnsd
system_u:system_r:initrc_t       3092 ?        00:00:00 cobblerd
system_u:system_r:initrc_t       3155 ?        00:00:00 taskomaticd

Expected results:

The router, sm, c2s, and s2s processes should be running as jabberd_t, not initrc_t.

Additional info:

The issue is caused by the fact that we have moved to jabberd 2.2 and presumably something is different there.
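
The expected result above can be checked mechanically. The following is an added example, not part of the original report or of Spacewalk: it reads `ps -eZ` output and reports any of the four jabberd components that is not in `jabberd_t`, or not running at all. The function name, the MISMATCH/MISSING output format and the "after" sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report jabberd components not running in the expected domain.
# Usage on a live host: ps -eZ | check_jabberd_domains
# Note: matches on command name only, so an unrelated process called
# "router" or "sm" would also be checked.

JABBERD_PROCS="router sm c2s s2s"   # component names listed in the report
EXPECTED_DOMAIN="jabberd_t"          # expected domain stated in the report

check_jabberd_domains() {
    awk -v procs="$JABBERD_PROCS" -v want="$EXPECTED_DOMAIN" '
        BEGIN { bad = 0; n = split(procs, p, " ")
                for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LABEL" { next }                 # skip the ps header line
        ($NF in watch) {
            seen[$NF] = 1
            split($1, ctx, ":")                # user:role:type[:level]
            if (ctx[3] != want) {
                printf "MISMATCH %s pid=%s domain=%s expected=%s\n", $NF, $2, ctx[3], want
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(p[i] in seen)) { printf "MISSING %s\n", p[i]; bad = 1 }
            exit bad
        }'
}

# Rows copied from the "Actual results" above (header line added).
sample_before() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:initrc_t       2743 ?        00:00:00 router
system_u:system_r:initrc_t       2767 ?        00:00:00 sm
system_u:system_r:initrc_t       2791 ?        00:00:00 c2s
system_u:system_r:initrc_t       2815 ?        00:00:00 s2s
system_u:system_r:initrc_t       2878 ?        00:00:00 rhnsearchd
EOF
}

# Constructed sample of the expected state (PIDs are made up).
sample_after() {
    cat <<'EOF'
system_u:system_r:jabberd_t      2743 ?        00:00:00 router
system_u:system_r:jabberd_t      2767 ?        00:00:00 sm
system_u:system_r:jabberd_t      2791 ?        00:00:00 c2s
system_u:system_r:jabberd_t      2815 ?        00:00:00 s2s
EOF
}

sample_before | check_jabberd_domains || true   # prints four MISMATCH lines
```

The function exits non-zero on any mismatch or missing component, so it can gate a post-install test after the jabberd-selinux package is updated.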

Comment 1 Jan Pazdziora (Red Hat) 2010-08-27 15:07:46 UTC
We probably should just take the policy from the latest Fedoras to match the version of the policy to the version of jabberd.

Comment 2 Jan Pazdziora (Red Hat) 2010-08-30 08:46:49 UTC
Filed Fedora selinux-policy bug 628495 as we want to mimic as much of the policy as possible, and on Fedoras we use the stock policy module for jabberd anyway.

Comment 3 Jan Pazdziora (Red Hat) 2010-09-24 13:34:46 UTC
Fixed in Spacewalk master, commits 508c7dff89e29179e76e7380bd9e1bc6e2d22e10, b1beb36b00cbafc5e0cde00762484927e7af0a9c, c9d9353744d6a92e9e1d2b2ec6d8fad1b55c566c, and 67e9553fda810deb24464b8d98cd932dd37bcd18.

Tagged and built as jabberd-selinux-1.5.1-1.

Comment 4 Martin Minar 2010-09-30 12:24:54 UTC
Verified in today's nightly. 
Note:
Correction from bug 628495 solved the problem for F13.

Comment 5 Jan Pazdziora (Red Hat) 2010-10-04 10:03:19 UTC
(In reply to comment #4)
> Verified in today's nightly. 
> Note:
> Correction from bug 628495 solved the problem for F13.

Martin, please note that on Fedora 13, the jabberd SELinux module is in the core distribution. On RHEL 5 we ship the jabberd-selinux package and we'd need to verify that this RHEL 5 fix works properly.

Comment 8 Jan Pazdziora (Red Hat) 2010-11-19 16:16:38 UTC
With Spacewalk 1.2 released, marking as CLOSED CURRENTRELEASE.

https://www.redhat.com/archives/spacewalk-list/2010-November/msg00111.html