Description of problem:

While investigating why osa-dispatcher produces the AVC denial

  avc: denied { search } for pid=22398 comm="python" name="root" dev=dm-0 ino=784129 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

I found out that it is caused by the /usr/lib/librpm-4.4.so library which wants to read /root/.rpmmacros:

  19641 read(11, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1547
  19641 close(11) = 0
  19641 munmap(0xb7fe6000, 4096) = 0
  19641 stat64("/root/.rpmmacros", 0xbf83b5dc) = -1 EACCES (Permission denied)
  19641 stat64("/usr/lib/rpm/init.lua", 0xbf83be3c) = -1 ENOENT (No such file or directory)
  19641 close(10) = 0
  19641 close(9) = 0

I wondered why the rpm library is loaded by osa-dispatcher in the first place. The chain looks like this:

  /usr/share/rhn/osad/osa_dispatcher.py imports rhnSQL (from server)
  /usr/share/rhn/server/__init__.py imports rhnHandler
  /usr/share/rhn/server/rhnHandler.py imports rhnServer
  /usr/share/rhn/server/rhnServer/__init__.py imports Server from server_class
  /usr/share/rhn/server/rhnServer/server_class.py imports rhn_rpm
  /usr/share/rhn/common/rhn_rpm.py imports rpm

We'd need to break this chain somewhere. I looked at that /usr/share/rhn/server/__init__.py which has nothing but

  from rhnHandler import rhnHandler

in it, and Devan says that it is trickery to get the rhnHandler class by magic somewhere.

If I comment this line in /usr/share/rhn/server/__init__.py out, osa-dispatcher no longer gives the AVC denial, but httpd produces the following in error_log upon rhnpush:

  Traceback (most recent call last):
    File "/usr/lib/python2.4/site-packages/mod_python/apache.py", line 299, in HandlerDispatch
      result = object(req)
    File "/usr/share/rhn/server/apacheServer.py", line 52, in __call__
      HandlerWrap.svrHandlers = self.get_handler_factory(req)()
    File "/usr/share/rhn/server/apacheServer.py", line 70, in get_handler_factory
      from apacheHandler import apacheHandler
    File "/usr/share/rhn/server/apacheHandler.py", line 32, in ?
      from apacheRequest import apacheGET, apachePOST, HandlerNotFoundError
    File "/usr/share/rhn/server/apacheRequest.py", line 33, in ?
      import rhnRepository
    File "/usr/share/rhn/server/rhnRepository.py", line 29, in ?
      import rhnChannel, rhnPackage
    File "/usr/share/rhn/server/rhnChannel.py", line 27, in ?
      from rhnServer import server_lib
    File "/usr/share/rhn/server/rhnServer/__init__.py", line 24, in ?
      from server_class import Server
    File "/usr/share/rhn/server/rhnServer/server_class.py", line 28, in ?
      from server import rhnChannel, rhnUser, rhnSQL, rhnLib, rhnAction, \
  ImportError: cannot import name rhnChannel

We could also move that rhnSQL out from the server namespace because it does not seem to have that much to do with the server (and with the server's handler).

Version-Release number of selected component (if applicable):

  # rpm -qf /usr/share/rhn/server/__init__.py
  spacewalk-backend-sql-0.4.10-1.el5

How reproducible:
Deterministic.

Steps to Reproduce:
1. Start osa-dispatcher via strace, with osa-dispatcher-selinux installed.
2. Review the strace output, and /var/log/audit/audit.log.

Actual results:
See /usr/share/rhn/common/rhn_rpm.py and then /usr/lib/librpmio-4.4.so loaded, and AVC denial in audit.log.

Expected results:
The structure of our backend classes should not load rpm libraries if a program like osa-dispatcher only needs rhnSQL.
Additional info:
This later turned out to not be causing the AVC denial Jan thought it was and boiled down instead to just Python code cleanup. Time is short, bumping to space06.
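To find an import chain like the one above without reading every file by hand, here is an added example (not code from this bug or from Spacewalk) that hooks builtins.__import__ and reports which importers first pulled a given module in. The package tree is a constructed miniature of the layout described in the report, with rpmstub standing in for the rpm extension module, and FIXED_MODULES is the same tree with the rhnHandler import removed from server/__init__.py.

```python
import builtins
import importlib.util
import pathlib
import sys
import tempfile
# Constructed stand-in for the layout the report describes (not the Spacewalk sources):
# server -> rhnHandler -> rhnServer -> server_class -> rhn_rpm -> rpm ("rpmstub" here).
CHAIN_MODULES = {
    "rpmstub": "LOADED = True",
    "rhn_rpm": "import rpmstub",
    "server/__init__": "from .rhnHandler import rhnHandler",
    "server/rhnHandler": "from .rhnServer import Server\nclass rhnHandler: pass",
    "server/rhnServer/__init__": "from .server_class import Server",
    "server/rhnServer/server_class": "import rhn_rpm\nclass Server: pass",
    "server/rhnSQL": "def initDB(): return 'db'",
}
# The fix the thread ends with: server/__init__.py no longer imports rhnHandler.
FIXED_MODULES = dict(CHAIN_MODULES, **{"server/__init__": ""})

def import_chain(modules, entry, target):
    """Import `entry` from a temp copy of `modules`; return the importer chain (outermost
    first) that first pulled in `target`, or None if `target` was never imported."""
    root, stack, found = tempfile.mkdtemp(), [], None
    for relpath, source in modules.items():
        path = pathlib.Path(root, relpath + ".py")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(source + "\n")
    real_import = builtins.__import__
    def hooked(name, globals=None, locals=None, fromlist=(), level=0):
        nonlocal found
        importer = globals.get("__name__", "?") if globals else "<entry>"
        if level:  # make "from .x import y" absolute so it can be compared with target
            name = importlib.util.resolve_name("." * level + name, globals["__package__"])
        stack.append(importer)
        try:
            if found is None and name == target:
                found = stack + [target]
            return real_import(name, globals, locals, fromlist, 0)
        finally:
            stack.pop()
    sys.path.insert(0, root)
    builtins.__import__ = hooked
    try:
        hooked(entry)
    finally:
        builtins.__import__ = real_import  # always undo the hook, even if the import fails
        sys.path.remove(root)
        tops = {k.split("/")[0] for k in modules}
        for name in [m for m in sys.modules if m.split(".")[0] in tops]:
            del sys.modules[name]
    return found
```

Run against CHAIN_MODULES the result lists every module between server.rhnSQL and rpmstub, which is the chain to break; against FIXED_MODULES it returns None, showing that rhnSQL alone no longer drags the rpm module in.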
Devan, could you move this bugzilla to space06 and address it? It is blocking an AVC denial on Fedora 10, bug 514320. Thanks, Jan.
Not blocking bug 514320 anymore, we addressed that one in jabber_lib.py code.
Mass-moving to space13.
Should be fixed as a side effect of commit c7abc29bb1c8ba32a13ea22a2f5b050db26178a3 from bug 612581. server/__init__.py does not import rhnHandler any more. Moving back to space12 as this change has already been there for some time.
Marking as fixed with spacewalk-backend-1.2.73-1 as that is the tag having the last commit related to bug 612581. With Spacewalk 1.2 release, marking as closed.