171288 – up2date using console helper going from U1->U2 uses deprecated sysadm_r role

Bug 171288 - up2date using console helper going from U1->U2 uses deprecated sysadm_r role

Summary: up2date using console helper going from U1->U2 uses deprecated sysadm_r role

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	selinux-policy-targeted
Sub Component:
Version:	4.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	168429
TreeView+	depends on / blocked

Reported:	2005-10-20 13:35 UTC by Jeff Needle
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RHBA-2006-0049
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-03-07 18:13:05 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2006:0049	0	qe-ready	SHIPPED_LIVE	selinux-policy bug fix update	2006-03-06 05:00:00 UTC

Description Jeff Needle 2005-10-20 13:35:31 UTC

Description of problem:

Running up2date as a normal user will bring up consolehelper.  consolehelper
contains "ROLE=sysadm_r".  This has been removed in U2.  The result is that
scriplets fail when trying to restart services.

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. Run up2date on a U1 system as a regular user
2. Enter root password when consolehelper requests it
3. Wait and watch.
  
Actual results:
error: %postun(at-3.1.8-60.x86_64) scriptlet failed, exit status 126
error: %postun(dbus-0.22-12.EL.2.i386) scriptlet failed, exit status 126
error: %postun(dbus-0.22-12.EL.2.x86_64) scriptlet failed, exit status 126
error: %postun(iiimf-server-12.1-13.EL.x86_64) scriptlet failed, exit status
126/var/tmp/rpm-tmp.46816: /etc/rc.d/init.d/rpcidmapd: /bin/bash: bad
interpreter:Permission denied
/var/tmp/rpm-tmp.46816: /etc/rc.d/init.d/rpcgssd: /bin/bash: bad interpreter:
Permission denied
/var/tmp/rpm-tmp.46816: /etc/rc.d/init.d/rpcsvcgssd: /bin/bash: bad interpreter:
Permission denied
/var/tmp/rpm-tmp.46816: /etc/rc.d/init.d/nfs: /bin/sh: bad interpreter:
Permission denied
error: %postun(nfs-utils-1.0.6-46.x86_64) scriptlet failed, exit status 126
error: %postun(samba-3.0.10-1.4E.x86_64) scriptlet failed, exit status 126
error: %postun(vixie-cron-4.1-20_EL.x86_64) scriptlet failed, exit status 126
error: %postun(xinetd-2.3.13-4.4E.x86_64) scriptlet failed, exit status 126

and after: 

# ps -eZ | grep sysadm
root:sysadm_r:unconfined_t      29623 ?        00:00:00 rhnsd
root:sysadm_r:unconfined_t      18201 ?        00:00:00 sshd
root:sysadm_r:unconfined_t        405 ?        00:00:00 sshd


Expected results:
Joy, happiness, and world peace.  And properly restarted services.

Additional info:
dmesg and full up2date transcript available upon request, but this is pretty
straight forward.

Comment 1 Jeff Needle 2005-10-20 13:36:52 UTC

Above should read /etc/security/console.apps/up2date contains "ROLE=sysadm_r".

Comment 2 Daniel Walsh 2005-10-20 13:39:28 UTC

Added role sysadm_r types initrc_t which will allow rpm to run init scripts.

Policy update in -1.17.30-2.115

Comment 7 Red Hat Bugzilla 2006-03-07 18:13:06 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0049.html

Note You need to log in before you can comment on or make changes to this bug.