Bug 1227507
| Summary: | Spacewalk and SELinux seem to be lacking proper context for socket operations | ||
|---|---|---|---|
| Product: | [Community] Spacewalk | Reporter: | R P Herrold <herrold> |
| Component: | Server | Assignee: | Tomas Lestach <tlestach> |
| Status: | CLOSED NOTABUG | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.2 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-06-03 07:24:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1484117 | ||
I'm closing this bug for 2 reasons: * SELinux rules for Monitoring has always been released as Technology Preview, even the last Red Hat Satellite documentation says that: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html/Release_Notes/chap-Red_Hat_Satellite-Release_Notes-Tech_Preview.html * monitoring has been completely removed from Spacewalk, see Spacewalk 2.3 Release Notes: https://fedorahosted.org/spacewalk/wiki/ReleaseNotes23#FeaturesEnhancementsinSpacewalk2.3 This BZ closed some time during 2.5, 2.6 or 2.7. Adding to 2.7 tracking bug. |
Description of problem: The Spacewalk suite and SELinux seem to only be partiallly SELinux supported Version-Release number of selected component (if applicable): CentOS 6 and EPEL updated to current How reproducible: Run the tools in Enforcing mode Steps to Reproduce: no outside actions in play Actual results: type=1400 audit(1433275724.898:1660): avc: denied { write } for pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275725.519:1661): avc: denied { write } for pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275725.899:1662): avc: denied { write } for pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275726.520:1663): avc: denied { write } for pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275726.900:1664): avc: denied { write } for pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275727.521:1665): avc: denied { write } for pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275727.903:1666): avc: denied { write } for pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275728.521:1667): avc: denied { write } for pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275728.904:1668): avc: denied { write } for pid=1270 comm="notif-launcher" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file type=1400 audit(1433275729.522:1669): avc: denied { write } for pid=1289 comm="notifier" name="escsock" dev=vda1 ino=405791 scontext=system_u:system_r:spacewalk_monitoring_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file environment [root@spacewalk1 ~]# history 1 Jun 02 12:10 history 2 Jun 02 12:10 dmesg | tail 3 Jun 02 12:11 rpm -qa space\* \*selinux\* 4 Jun 02 12:11 cat /etc/redhat-release 5 Jun 02 12:11 yum -y upgrade 6 Jun 02 15:50 yum clean all 7 Jun 02 15:50 history | tail 8 Jun 02 15:50 > .bash_history 9 Jun 02 15:50 touch /.autorelabel 10 Jun 02 15:50 reboot 11 Jun 02 16:08 w 12 Jun 02 16:08 dmesg 13 Jun 02 16:08 history [root@spacewalk1 ~]# rpm -qa space\* | sort spacewalk-admin-2.2.5-1.el6.noarch spacewalk-backend-2.2.43-1.el6.noarch spacewalk-backend-app-2.2.43-1.el6.noarch spacewalk-backend-applet-2.2.43-1.el6.noarch spacewalk-backend-config-files-2.2.43-1.el6.noarch spacewalk-backend-config-files-common-2.2.43-1.el6.noarch spacewalk-backend-config-files-tool-2.2.43-1.el6.noarch spacewalk-backend-iss-2.2.43-1.el6.noarch spacewalk-backend-iss-export-2.2.43-1.el6.noarch spacewalk-backend-libs-2.2.43-1.el6.noarch spacewalk-backend-package-push-server-2.2.43-1.el6.noarch spacewalk-backend-server-2.2.43-1.el6.noarch spacewalk-backend-sql-2.2.43-1.el6.noarch spacewalk-backend-sql-postgresql-2.2.43-1.el6.noarch spacewalk-backend-tools-2.2.43-1.el6.noarch spacewalk-backend-xml-export-libs-2.2.43-1.el6.noarch spacewalk-backend-xmlrpc-2.2.43-1.el6.noarch spacewalk-base-2.2.33-1.el6.noarch spacewalk-base-minimal-2.2.33-1.el6.noarch spacewalk-base-minimal-config-2.2.33-1.el6.noarch spacewalk-branding-2.2.5-1.el6.noarch spacewalk-certs-tools-2.2.1-1.el6.noarch spacewalk-common-2.2.2-1.el6.noarch spacewalk-config-2.2.2-1.el6.noarch spacewalk-doc-indexes-2.2.2-1.el6.noarch spacewalk-grail-2.2.33-1.el6.noarch spacewalk-html-2.2.33-1.el6.noarch spacewalk-java-2.2.126-1.el6.noarch spacewalk-java-config-2.2.126-1.el6.noarch spacewalk-java-lib-2.2.126-1.el6.noarch spacewalk-java-postgresql-2.2.126-1.el6.noarch spacewalk-jpp-workaround-2.2.3-1.el6.noarch spacewalk-monitoring-2.2.1-1.el6.noarch spacewalk-monitoring-selinux-2.2.1-1.el6.noarch spacewalk-postgresql-2.2.2-1.el6.noarch spacewalk-pxt-2.2.33-1.el6.noarch spacewalk-repo-2.2-1.el6.noarch spacewalk-schema-2.2.33-1.el6.noarch spacewalk-search-2.2.8-1.el6.noarch spacewalk-selinux-2.2.1-1.el6.noarch spacewalk-setup-2.2.13-1.el6.noarch spacewalk-setup-jabberd-2.0.1-1.el6.noarch spacewalk-setup-postgresql-2.2.2-1.el6.noarch spacewalk-slf4j-1.6.1-6.el6.noarch spacewalk-sniglets-2.2.33-1.el6.noarch spacewalk-taskomatic-2.2.126-1.el6.noarch [root@spacewalk1 ~]# Expected results: SELinux errors should not appear for normal operations Additional info: no doubt this is known, but this is a confirmatory bug