Bug 673112

Summary: Multiple jabberd_t-related denials
Product: Red Hat Enterprise Linux 6 Reporter: Milan Zázrivec <mzazrivec>
Component: selinux-policy    Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.1    CC: dwalsh, jpazdziora, ksrot, mgrepl, slukasik
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-69.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-19 11:57:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description: grep denied /var/log/audit/audit.log    Flags: none

Description Milan Zázrivec 2011-01-27 13:29:13 UTC
Created attachment 475605 [details]
grep denied /var/log/audit/audit.log

Description of problem:
jabberd (from EPEL), when set up to work with Spacewalk and osa-dispatcher
on the latest RHEL-6 system, produces multiple SELinux jabberd_t-related
denials.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-67.el6 / jabberd-2.2.11-3.el6

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-6.1 + Spacewalk 1.3
2. Register a client to your Spacewalk, have osad running on it, use it
3. On the Spacewalk machine:
    grep denied /var/log/audit/audit.log
  
Actual results:
Multiple SELinux denials, see attachment.

Expected results:
No denials, jabberd is working as expected.

Additional info:
In RHEL-5, we (as in Spacewalk) used to maintain and ship our own jabber
policy module. Since RHEL-6 (and a certain version of Fedora), the jabber
policy module is contained in selinux-policy.

A rigorous fix for the problem should land in selinux-policy.

Comment 2 Miroslav Grepl 2011-01-27 14:06:34 UTC
Milane,
how is c2s labeled?

# ls -lZ `which c2s`

# matchpathcon `which c2s`

Comment 3 Milan Zázrivec 2011-01-27 14:59:56 UTC
(In reply to comment #2)
> Milane,
> how is c2s labeled?
> 
> # ls -lZ `which c2s`

# ls -lZ `which c2s`
-rwxr-xr-x. root root system_u:object_r:jabberd_exec_t:s0 /usr/bin/c2s

> # matchpathcon `which c2s`

# matchpathcon `which c2s`
/usr/bin/c2s    system_u:object_r:jabberd_exec_t:s0

Comment 4 Miroslav Grepl 2011-01-27 15:09:28 UTC
This is wrong. Is it a new installation?

Comment 5 Milan Zázrivec 2011-01-27 15:13:59 UTC
This was a RHEL-6.0 installation, Spacewalk 1.3 installed on it, yum upgrade
to latest RHEL-6.1 nightly.

Comment 7 Milan Zázrivec 2011-01-27 15:25:23 UTC
Correcting the component.

Comment 8 Daniel Walsh 2011-01-27 15:32:24 UTC
 grep c2s policy-F13.patch 
+/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)


Looks like RHEL6.1 policy should have this labeled jabberd_router_exec_t?

Are you sure you have the updated 6.1 policy?

Comment 9 Miroslav Grepl 2011-01-27 15:36:27 UTC
Yes,
RHEL6 definitely has a new jabberd policy.

Comment 10 Milan Zázrivec 2011-01-27 15:55:49 UTC
I had stock RHEL-6.0 installed, Spacewalk 1.3 installed and then upgraded
to latest RHEL-6.1 (including the latest selinux-policy).

The problem here (I think) is that the updated policy base module loading
failed during the package upgrade:

1:selinux-policy         ########################################### [ 50%]
2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: oracle-nofcontext: Duplicate declaration in module: type/attribute oracle_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

and currently I still see:

# grep c2s  /etc/selinux/targeted/contexts/files/file_contexts
/usr/bin/c2s    --      system_u:object_r:jabberd_exec_t:s0

Spacewalk comes with its own oracle SELinux policy module, which already
defines the oracle_port_t type.
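
Added example, not code from the bug report or from the selinux-policy project: a small POSIX-shell check for the two symptoms discussed in comments 3 and 10 (an on-disk label that disagrees with the label the policy expects, and a policy link that failed on a duplicate type declaration, which silently leaves the old file_contexts in place). The function names and the assembled upgrade-log sample are assumptions constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the bug report: small POSIX-shell checks for the
# two symptoms discussed in the thread. The sample lines are the ones quoted
# in comments 3 and 10; no SELinux tooling is needed to run this.

# type_of CONTEXT -> the type part of user:role:type:level
type_of() { printf '%s\n' "$1" | cut -d: -f3; }

# compare_labels LS_LINE POLICY_LINE -> prints "match" or "mismatch".
# LS_LINE is an RHEL-6 `ls -lZ` line (perms owner group context path);
# POLICY_LINE is a matchpathcon or file_contexts line (context is last).
# Only the type is compared: the user part may legitimately differ.
compare_labels() {
    on_disk=$(type_of "$(printf '%s\n' "$1" | awk '{print $4}')")
    policy=$(type_of "$(printf '%s\n' "$2" | awk '{print $NF}')")
    [ "$on_disk" = "$policy" ] && echo match || echo mismatch
}

# duplicate_type LOG -> prints "<module> <type>" for every libsepol
# "Duplicate declaration" error in an rpm/yum upgrade log, nothing otherwise.
duplicate_type() {
    printf '%s\n' "$1" | sed -n \
      's/^libsepol\.scope_copy_callback: \([^:]*\): Duplicate declaration in module: type\/attribute \([^ ]*\) .*/\1 \2/p'
}

# link_failed LOG -> exit status 0 when semodule reported a failed link
link_failed() { printf '%s\n' "$1" | grep -q 'semodule: *Failed!'; }

# Constructed sample: the upgrade output quoted in comment 10.
UPGRADE_LOG='1:selinux-policy         ########################################### [ 50%]
2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: oracle-nofcontext: Duplicate declaration in module: type/attribute oracle_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!'

if link_failed "$UPGRADE_LOG"; then
    # A failed link leaves the previous policy (and its file_contexts) active,
    # so the new jabberd_router_exec_t label never reaches the system.
    echo "policy link failed; conflicting module and type: $(duplicate_type "$UPGRADE_LOG")"
fi

# The labels from comment 3, then the same on-disk label against the
# jabberd_router_exec_t that the 6.1 policy expects (comment 8).
compare_labels "-rwxr-xr-x. root root system_u:object_r:jabberd_exec_t:s0 /usr/bin/c2s" \
               "/usr/bin/c2s    system_u:object_r:jabberd_exec_t:s0"          # match
compare_labels "-rwxr-xr-x. root root system_u:object_r:jabberd_exec_t:s0 /usr/bin/c2s" \
               "/usr/bin/c2s    --      system_u:object_r:jabberd_router_exec_t:s0"  # mismatch
```

On a live system the same comparison is what `matchpathcon -V /usr/bin/c2s` or `restorecon -nv /usr/bin/c2s` reports; the point of the sample is that both labels in comment 3 agreed only because the failed link had left the old policy, and therefore the old file_contexts, in force.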

Comment 11 Daniel Walsh 2011-01-27 16:16:35 UTC
Yes, I was talking with adelton yesterday about this very issue. Miroslav, did you read the discussion? I think we are going to have to rename our port to oracledb_port_T for the time being.

Comment 12 Jan Pazdziora 2011-01-28 08:25:26 UTC
(In reply to comment #10)
> I had stock RHEL-6.0 installed, Spacewalk 1.3 installed and then upgraded
> to latest RHEL-6.1 (including the latest selinux-policy).
> 
> The problem here (I think) is that the updated policy base module loading
> failed during the package upgrade:
> 
> 1:selinux-policy         ########################################### [ 50%]
> 2:selinux-policy-targeted########################################### [100%]
> libsepol.scope_copy_callback: oracle-nofcontext: Duplicate declaration in
> module: type/attribute oracle_port_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule:  Failed!

Heya Milan,

please try to install RHEL 6.1 selinux-policy-targeted before installing Spacewalk, and then install oracle-nofcontext-selinux from https://koji.spacewalkproject.org/koji/buildinfo?buildID=20959. It addresses the oracle_port_t issue.

Comment 13 Miroslav Grepl 2011-02-07 15:41:04 UTC
Fixed in selinux-policy-3.7.19-69.el6

Comment 15 Šimon Lukašík 2011-02-22 10:08:34 UTC
Note: the Spacewalk-nightly installation test has been changed to remove
jabberd-selinux-workaround when selinux-policy is equal to or newer
than 3.7.19-69.el6

http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/tests/RHN-Satellite/rhn-satellite-install.sh.diff?r1=1.269;r2=1.272;f=h

Comment 19 errata-xmlrpc 2011-05-19 11:57:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html