Bug 644985
Summary: | SELinux context cleared from RHEL4 rhncfg-client | ||
---|---|---|---|
Product: | Red Hat Satellite 5 | Reporter: | Partha Aji <paji> |
Component: | Configuration Management | Assignee: | Lukas Zapletal <lzap> |
Status: | CLOSED ERRATA | QA Contact: | Jiri Kastner <jkastner> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 540 | CC: | cperry, jkastner, lzap, msuchy, mzazrivec, pnovotny |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | spacewalk-backend-1.2.13-17 rhncfg-5.9.27-6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | 643157 | Environment: | |
Last Closed: | 2011-03-07 09:23:26 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 646488 |
Comment 1
Tomas Lestach
2010-10-21 06:52:46 UTC
This is clone of a bug, the report is by pnovotny: SELinux context is *not* ignored when you upload the conf. channel back onto server. What is the problem: 1. create config channel with 1 file and 1 symlink, set the SELinux context to 'root:object_r:unconfined_t' 2. download the channel to client machine with 'rhncfg-manager download-channel ...' -> it has different SELinux context on client's FS than specified in WebUI - this is ok, it is correctly ignored 3. upload it back with 'rhncfg-manager upload-channel ...' and check the file detail in WebUI -> you find out that field "SELinux context" is empty now!! It should contain original value 'root:object_r:unconfined_t'! How to reproduce it: [root@dell-xxx-01 tmp]# rhncfg-client elist Mode Owner Group Size Rev Config Channel File -rw-r--r-- root root 39 5 conf-channel-001 /tmp/config.cfg *0 2 conf-channel-001 /tmp/config.cfg.ln -> /tmp/config.cfg [root@dell-xxx-01 tmp]# rhncfg-manager download-channel conf-channel-001 -t /tmp/ Deploying /tmp/config.cfg -> /tmp/conf-channel-001/tmp/config.cfg Deploying /tmp/config.cfg.ln -> /tmp/conf-channel-001/tmp/config.cfg.ln [root@dell-xxx-01 tmp]# ll -Z conf-channel-001/tmp/ -rw-r--r-- root root root:object_r:tmp_t config.cfg lrwxrwxrwx root root root:object_r:tmp_t config.cfg.ln -> /tmp/config.cfg [root@dell-xxx-01 tmp]# rhncfg-manager upload-channel conf-channel-001 -t /tmp/ Using config channel conf-channel-001 Uploading /tmp/config.cfg from /tmp/conf-channel-001/tmp/config.cfg Uploading /tmp/config.cfg.ln from /tmp/conf-channel-001/tmp/config.cfg.ln The problem has two sides: a) rhel4 client When the client receives a config file with selinux it ignores this flag. During pushing new version of this flag it sends empty string in it. b) backend server: Upon reception the server search for rhnFileInfo record (permissions, settings, selinux context) but since the rhel4 client sent empty context it does not find any and create a new one. The file version is bumped then with the new file information containing empty selinux. My suggested solution is: a) Modify the client code not to send empty string if selinux is not supported by the client (e.g. rhel4) b) Modify the server code: - if there is no selinux incoming - search for previous version of the incoming file - get the last selinux - proceed with this selinux flag set After some discussion with Jan P. I am extending the client statement to: a) Modify the client code not to send empty string if selinux is not supported by the client (e.g. rhel4) or disabled (e.g. on rhel5/6) commit 86e5dc777e94dcb724217cb8edd273a4adabe395 Author: Lukas Zapletal <lzap+git> Date: Fri Nov 26 09:58:45 2010 +0100 644985 - SELinux context cleared from RHEL4 rhncfg-client Tested on RHEL4 and also RHEL5/6 with disabled SELinux (cherry picked from commit 274465b3a0872ff3d69cf36c1428fbd86bf269e7) Fixed in: spacewalk-backend-1.2.13-17 rhncfg-5.9.27-5 selinux context not cleared, when uploaded configuration file from RHEL4 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0323.html |