Bug 1227507 - Spacewalk and SELinux seem to be lacking proper context for socket operations
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 2.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Tomas Lestach
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space27
Reported: 2015-06-02 20:21 UTC by R P Herrold
Modified: 2017-09-28 18:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-03 07:24:32 UTC
Embargoed:



Description R P Herrold 2015-06-02 20:21:23 UTC
Description of problem:

The Spacewalk suite and SELinux seem to only be partially SELinux supported

Version-Release number of selected component (if applicable):

CentOS 6 and EPEL updated to current

How reproducible:

Run the tools in Enforcing mode

Steps to Reproduce:

no outside actions in play

Actual results:
   
type=1400 audit(1433275724.898:1660): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file  
type=1400 audit(1433275725.519:1661): avc:  denied  { write } for  pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file        
type=1400 audit(1433275725.899:1662): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file  
type=1400 audit(1433275726.520:1663): avc:  denied  { write } for  pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file        
type=1400 audit(1433275726.900:1664): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file  
type=1400 audit(1433275727.521:1665): avc:  denied  { write } for  pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file        
type=1400 audit(1433275727.903:1666): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file  
type=1400 audit(1433275728.521:1667): avc:  denied  { write } for  pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file        
type=1400 audit(1433275728.904:1668): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file  
type=1400 audit(1433275729.522:1669): avc:  denied  { write } for  pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file        

environment

[root@spacewalk1 ~]# history                                                    
    1  Jun 02 12:10 history                                                     
    2  Jun 02 12:10 dmesg | tail                                                
    3  Jun 02 12:11 rpm -qa space\* \*selinux\*                                 
    4  Jun 02 12:11 cat /etc/redhat-release                                     
    5  Jun 02 12:11 yum -y upgrade                                              
    6  Jun 02 15:50 yum clean all                                               
    7  Jun 02 15:50 history | tail                                              
    8  Jun 02 15:50 > .bash_history                                             
    9  Jun 02 15:50  touch /.autorelabel                                        
   10  Jun 02 15:50 reboot                                                      
   11  Jun 02 16:08 w                                                           
   12  Jun 02 16:08 dmesg                                                       
   13  Jun 02 16:08 history                                                     
[root@spacewalk1 ~]# rpm -qa space\* | sort                                     
spacewalk-admin-2.2.5-1.el6.noarch                                              
spacewalk-backend-2.2.43-1.el6.noarch                                           
spacewalk-backend-app-2.2.43-1.el6.noarch                                       
spacewalk-backend-applet-2.2.43-1.el6.noarch                                    
spacewalk-backend-config-files-2.2.43-1.el6.noarch                              
spacewalk-backend-config-files-common-2.2.43-1.el6.noarch                       
spacewalk-backend-config-files-tool-2.2.43-1.el6.noarch                         
spacewalk-backend-iss-2.2.43-1.el6.noarch                                       
spacewalk-backend-iss-export-2.2.43-1.el6.noarch                                
spacewalk-backend-libs-2.2.43-1.el6.noarch                                      
spacewalk-backend-package-push-server-2.2.43-1.el6.noarch                       
spacewalk-backend-server-2.2.43-1.el6.noarch                                    
spacewalk-backend-sql-2.2.43-1.el6.noarch                                       
spacewalk-backend-sql-postgresql-2.2.43-1.el6.noarch                            
spacewalk-backend-tools-2.2.43-1.el6.noarch                                     
spacewalk-backend-xml-export-libs-2.2.43-1.el6.noarch                           
spacewalk-backend-xmlrpc-2.2.43-1.el6.noarch                                    
spacewalk-base-2.2.33-1.el6.noarch                                              
spacewalk-base-minimal-2.2.33-1.el6.noarch                                      
spacewalk-base-minimal-config-2.2.33-1.el6.noarch                               
spacewalk-branding-2.2.5-1.el6.noarch                                           
spacewalk-certs-tools-2.2.1-1.el6.noarch                                        
spacewalk-common-2.2.2-1.el6.noarch                                             
spacewalk-config-2.2.2-1.el6.noarch
spacewalk-doc-indexes-2.2.2-1.el6.noarch
spacewalk-grail-2.2.33-1.el6.noarch
spacewalk-html-2.2.33-1.el6.noarch
spacewalk-java-2.2.126-1.el6.noarch
spacewalk-java-config-2.2.126-1.el6.noarch
spacewalk-java-lib-2.2.126-1.el6.noarch
spacewalk-java-postgresql-2.2.126-1.el6.noarch
spacewalk-jpp-workaround-2.2.3-1.el6.noarch
spacewalk-monitoring-2.2.1-1.el6.noarch
spacewalk-monitoring-selinux-2.2.1-1.el6.noarch
spacewalk-postgresql-2.2.2-1.el6.noarch
spacewalk-pxt-2.2.33-1.el6.noarch
spacewalk-repo-2.2-1.el6.noarch
spacewalk-schema-2.2.33-1.el6.noarch
spacewalk-search-2.2.8-1.el6.noarch
spacewalk-selinux-2.2.1-1.el6.noarch
spacewalk-setup-2.2.13-1.el6.noarch
spacewalk-setup-jabberd-2.0.1-1.el6.noarch
spacewalk-setup-postgresql-2.2.2-1.el6.noarch
spacewalk-slf4j-1.6.1-6.el6.noarch
spacewalk-sniglets-2.2.33-1.el6.noarch
spacewalk-taskomatic-2.2.126-1.el6.noarch
[root@spacewalk1 ~]#

Expected results:

SELinux errors should not appear for normal operations

Additional info:

no doubt this is known, but this is a confirmatory bug
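
Added example (not part of the original report, and not Spacewalk code): a small Python parser that collapses the repeated AVC records quoted above into distinct denial tuples and flags targets carrying a generic label. The `GENERIC_TYPES` set is an assumed, non-exhaustive list, and the last sample line is constructed.

```python
import re
from collections import Counter

# First three lines are AVC records quoted in the report; the last is constructed noise.
SAMPLE = """\
type=1400 audit(1433275724.898:1660): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=1400 audit(1433275725.519:1661): avc:  denied  { write } for  pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=1400 audit(1433275725.899:1662): avc:  denied  { write } for  pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=1105 audit(1433275730.000:1670): pid=1300 uid=0 msg='constructed non-AVC record'
"""

# Assumption: short, non-exhaustive list of generic types. A denial against one of
# these often means the object lacks a dedicated label, not just a missing rule.
GENERIC_TYPES = {"tmp_t", "var_t", "default_t", "file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to identify the denial
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """Contexts are user:role:type:level; the type is the third field."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def summarize(text):
    """Collapse repeated denials into (source, target, class, perm) rows."""
    counts, comms = Counter(), {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
            comms.setdefault(key, set()).add(rec.get("comm", "?"))
    return [{"source": k[0], "target": k[1], "class": k[2], "perm": k[3],
             "count": n, "comms": sorted(comms[k]),
             "generic_target": k[1] in GENERIC_TYPES}
            for k, n in counts.most_common()]
```

Run over the records in this report, every denial reduces to one tuple: `spacewalk_monitoring_t` writing to a `sock_file` labelled `tmp_t`, raised by both `notif-launcher` and `notifier`.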

Comment 1 Tomas Lestach 2015-06-03 07:24:32 UTC
I'm closing this bug for 2 reasons:
* SELinux rules for Monitoring have always been released as Technology Preview, even the last Red Hat Satellite documentation says that:
https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html/Release_Notes/chap-Red_Hat_Satellite-Release_Notes-Tech_Preview.html
* monitoring has been completely removed from Spacewalk, see Spacewalk 2.3 Release Notes:
https://fedorahosted.org/spacewalk/wiki/ReleaseNotes23#FeaturesEnhancementsinSpacewalk2.3

Comment 2 Eric Herget 2017-09-28 18:08:43 UTC
This BZ closed some time during 2.5, 2.6 or 2.7.  Adding to 2.7 tracking bug.

