+++ This bug was initially created as a clone of Bug #1003459 +++ Description of problem: rhncfg-client verify and WebUI compare displays different results for selinux context if selinux is disabled on client server. from cli it doesnt check weather selinux is enabled or not on the target system, but for GUI results it check for selinux status. So if selinux is disabled on client server, it end up with different results. For GUI results it always pass actual value as blank [] so always displays differences exists, but from client it takes actual value of selinux context weather its disabled or not. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. Add a file in a config channel and set selinux context. 2. Deploy file on client server rhncfg-client get 3. disable selinux on client 4. Now schedule compare from GUI. 5. From cli run rhncfg-client verify Actual results: Using GUI its always displays differences exist in this case, but different results from client side Expected results: Both results should be same Additional info: --- Additional comment from Neha on 2013-09-02 01:56:43 EDT --- For GUI "file_utils.py": try: cur_sectx = lgetfilecon(path)[1] except OSError: # workarounding BZ 690238 cur_sectx = None if not is_selinux_enabled(): cur_sectx = None if cur_sectx == None: cur_sectx = '' if file_struct.has_key('selinux_ctx') and file_struct['selinux_ctx']: if cur_sectx != file_struct['selinux_ctx']: sectx_result = "SELinux contexts differ: actual: [%s], expected: [%s]\n" % (cur_sectx, file_struct['selinux_ctx']) Here is selinux is disabled sending actual value as blank "" if not is_selinux_enabled(): cur_sectx = None Regards, Neha --- Additional comment from Neha on 2013-09-02 01:57:32 EDT --- --- Additional comment from Neha on 2013-09-02 03:05:23 EDT --- ++ Related BZ# 1002880 ++ Thanks, Neha --- Additional comment from Milan Zazrivec on 2013-09-05 08:50:31 EDT --- spacewalk.git master: 0dac0283cb9e285c3491a70b0a7c2c7490fabf3b --- Additional comment from Matej Kollar on 2014-01-17 07:16:13 EST --- Switching MODIFIED Spacewalk bugs to ON_QA before 2.1 release. --- Additional comment from Matej Kollar on 2014-03-04 08:08:26 EST --- Spacewalk 2.1 has been released. https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21 --- Additional comment from Matej Kollar on 2014-03-04 08:09:07 EST --- Spacewalk 2.1 has been released. https://fedorahosted.org/spacewalk/wiki/ReleaseNotes21
I think I fixed it in wrong way. From GUI its chekcing for selinux status and passing blank value so always displays as difference exists. Ideally its should match with original value and should display correct results in respective of selinux is disabled or not. As per above fix we changed client code to make it compatible to GUI however it should be vice versa. I will submit patch for this. ~ Neha
before fix-> rhncfg-client verify /root/t5 Using server name fqdn /root/t5 webUI: SELinux contexts differ: actual: [], expected: [root:object_r:user_home_t] After fix-> rhncfg-client verify /root/t5 Using server name <fqdn> selinux /root/t5 webUI: SELinux contexts differ: actual: [], expected: [root:object_r:user_home_t] However orginal context is same as defined in satellite config file, but its always passing context value as blank because selinux is diabled. SO i think here no need to check weather selinux is disabled or not. It should display correct comparison results ls -lZ /root/t5 ----------. root root root:object_r:user_home_t /root/t5 There can be two conditions: 1] Either display correct comapre results 2] Dont compare context if selinux is disabled Please let me know your views on this. I have submitted pull request for first one: https://github.com/spacewalkproject/spacewalk/pull/109 ~ Neha
According to current pull request: If difference exists: rhncfg-client verify /root/t5 Using server name fqdn selinux /root/t5 SELinux contexts differ: actual: [root:object_r:user_home_t], expected: [root:object_r:user_home] If not: rhncfg-client verify /root/t5 Using server name fqdn /root/t5 No differences
Hi Neha, After investigating I agree with you, we "fixed" this inconsistancy the wrong way in Bug 1003459. The correct thing to do is to always display and diff the file's SELinux context, regardless of if SELinux is disabled or not. The 'rhncfg-client verify' had the correct behavior before, the webui did not. What we did was make the client do the same thing the webui was doing, but we need to do it the other way around. Committing your pull request to Spacewalk master: 7fb7a83b43819e76d983cdae971dd6a40f1743e2 In order to make this work really well I'm fixing it in another place and ensuring that the webui won't show diffs as existing when they do not: 034643136cbef349ab9517f5cb84f0148cbeb345 See https://bugzilla.redhat.com/show_bug.cgi?id=644985#c6 for where this behavior originated. However in the interim things have been fixed the correct way, ie rhncfg-manager channel-download now correctly sets the SELinux contexts, so this work-around is no longer necessary.
Moving bugs to ON_QA as we move to release Spacewalk 2.3
Spacewalk 2.3 has been released. See https://fedorahosted.org/spacewalk/wiki/ReleaseNotes23