Bug 644985

Assigning to Partha, since he worked on the original BZ and is already familiar with the problem.

This is clone of a bug, the report is by pnovotny:

SELinux context is *not* ignored when you upload the conf. channel back onto server.

What is the problem:
1. create config channel with 1 file and 1 symlink, set the SELinux context to
'root:object_r:unconfined_t' 
2. download the channel to client machine with 'rhncfg-manager download-channel
...' -> it has different SELinux context on client's FS than specified in WebUI
- this is ok, it is correctly ignored
3. upload it back with 'rhncfg-manager upload-channel ...' and check the file
detail in WebUI -> you find out that field "SELinux context" is empty now!! It
should contain original value 'root:object_r:unconfined_t'!

How to reproduce it:

[root@dell-xxx-01 tmp]# rhncfg-client elist
Mode          Owner Group          Size Rev        Config Channel    File
-rw-r--r--     root root             39   5      conf-channel-001   
/tmp/config.cfg
                                     *0   2      conf-channel-001   
/tmp/config.cfg.ln -> /tmp/config.cfg

[root@dell-xxx-01 tmp]# rhncfg-manager download-channel conf-channel-001 -t
/tmp/
Deploying /tmp/config.cfg -> /tmp/conf-channel-001/tmp/config.cfg
Deploying /tmp/config.cfg.ln -> /tmp/conf-channel-001/tmp/config.cfg.ln

[root@dell-xxx-01 tmp]# ll -Z conf-channel-001/tmp/
-rw-r--r--  root     root     root:object_r:tmp_t              config.cfg
lrwxrwxrwx  root     root     root:object_r:tmp_t              config.cfg.ln ->
/tmp/config.cfg

[root@dell-xxx-01 tmp]# rhncfg-manager upload-channel conf-channel-001 -t
/tmp/
Using config channel conf-channel-001
Uploading /tmp/config.cfg from /tmp/conf-channel-001/tmp/config.cfg
Uploading /tmp/config.cfg.ln from /tmp/conf-channel-001/tmp/config.cfg.ln

The problem has two sides:

a) rhel4 client

When the client receives a config file with selinux it ignores this flag. During pushing new version of this flag it sends empty string in it.

b) backend server:

Upon reception the server search for rhnFileInfo record (permissions, settings, selinux context) but since the rhel4 client sent empty context it does not find any and create a new one. The file version is bumped then with the new file information containing empty selinux.

My suggested solution is:

a) Modify the client code not to send empty string if selinux is not supported by the client (e.g. rhel4)

b) Modify the server code:
- if there is no selinux incoming
 - search for previous version of the incoming file
 - get the last selinux
 - proceed with this selinux flag set

After some discussion with Jan P. I am extending the client statement to:

a) Modify the client code not to send empty string if selinux is not supported
by the client (e.g. rhel4) or disabled (e.g. on rhel5/6)

commit 86e5dc777e94dcb724217cb8edd273a4adabe395
Author: Lukas Zapletal <lzap+git>
Date:   Fri Nov 26 09:58:45 2010 +0100

    644985 - SELinux context cleared from RHEL4 rhncfg-client
    
    Tested on RHEL4 and also RHEL5/6 with disabled SELinux
    
    (cherry picked from commit 274465b3a0872ff3d69cf36c1428fbd86bf269e7)

Fixed in: spacewalk-backend-1.2.13-17 rhncfg-5.9.27-5

selinux context not cleared, when uploaded configuration file from RHEL4

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0323.html