479987 – /usr/share/rhn/server/__init__.py does from rhnHandler import rhnHandler

Bug 479987 - /usr/share/rhn/server/__init__.py does from rhnHandler import rhnHandler

Summary: /usr/share/rhn/server/__init__.py does from rhnHandler import rhnHandler

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Spacewalk
Classification:	Community
Component:	Server
Sub Component:
Version:	0.4
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Miroslav Suchý
QA Contact:	Jan Pazdziora
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	space12
TreeView+	depends on / blocked

Reported:	2009-01-14 14:17 UTC by Jan Pazdziora
Modified:	2010-11-20 14:24 UTC (History)
CC List:	4 users (show)
Fixed In Version:	spacewalk-backend-1.2.73-1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-20 14:24:20 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jan Pazdziora 2009-01-14 14:17:59 UTC

Description of problem:

While investigating why osa-dispatcher produces AVC denial

avc:  denied  { search } for  pid=22398 comm="python" name="root" dev=dm-0 ino=784129 scontext=root:system_r:osa_dispatcher_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir

I found out that it is caused by the /usr/lib/librpm-4.4.so library which wants to read /root/.rpmmacros:

19641 read(11, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1547
19641 close(11)                         = 0
19641 munmap(0xb7fe6000, 4096)          = 0
19641 stat64("/root/.rpmmacros", 0xbf83b5dc) = -1 EACCES (Permission denied)
19641 stat64("/usr/lib/rpm/init.lua", 0xbf83be3c) = -1 ENOENT (No such file or directory)
19641 close(10)                         = 0
19641 close(9)                          = 0

I wondered why the rpm library is loaded by osa-dispatcher in the first place. The chain looks like this:

/usr/share/rhn/osad/osa_dispatcher.py imports rhnSQL (from server)
/usr/share/rhn/server/__init__.py imports rhnHandler
/usr/share/rhn/server/rhnHandler.py imports rhnServer
/usr/share/rhn/server/rhnServer/__init__.py imports Server from server_class
/usr/share/rhn/server/rhnServer/server_class.py imports rhn_rpm
/usr/share/rhn/common/rhn_rpm.py imports rpm

We'd need to break this chain somewhere. I looked at that

/usr/share/rhn/server/__init__.py

which has nothing but

from rhnHandler import rhnHandler

in it and Devan says that it is a trickery to get the rhnHandler class by magic somewhere.

If I comments this line in /usr/share/rhn/server/__init__.py out, osa-dispatcher no longer gives the AVC denial, but httpd produces the following  in error_log upon rhnpush:

 Traceback (most recent call last):
   File "/usr/lib/python2.4/site-packages/mod_python/apache.py", line 299, in HandlerDispatch\n    result = object(req)
   File "/usr/share/rhn/server/apacheServer.py", line 52, in __call__\n    HandlerWrap.svrHandlers = self.get_handler_factory(req)()
   File "/usr/share/rhn/server/apacheServer.py", line 70, in get_handler_factory\n    from apacheHandler import apacheHandler
   File "/usr/share/rhn/server/apacheHandler.py", line 32, in ?\n    from apacheRequest import apacheGET, apachePOST, HandlerNotFoundError
   File "/usr/share/rhn/server/apacheRequest.py", line 33, in ?\n    import rhnRepository
   File "/usr/share/rhn/server/rhnRepository.py", line 29, in ?\n    import rhnChannel, rhnPackage
   File "/usr/share/rhn/server/rhnChannel.py", line 27, in ?\n    from rhnServer import server_lib
   File "/usr/share/rhn/server/rhnServer/__init__.py", line 24, in ?\n    from server_class import Server
   File "/usr/share/rhn/server/rhnServer/server_class.py", line 28, in ?\n    from server import rhnChannel, rhnUser, rhnSQL, rhnLib, rhnAction, \\
 ImportError: cannot import name rhnChannel

We could also move that rhnSQL out from server namespace because it does not seem to have that much with the server (and with server's handler).

Version-Release number of selected component (if applicable):

# rpm -qf /usr/share/rhn/server/__init__.py
spacewalk-backend-sql-0.4.10-1.el5

How reproducible:

Deterministic.

Steps to Reproduce:
1. Start osa-dispatcher via strace, with osa-dispatcher-selinux installed.
2. Review the strace output, and /var/log/audit/audit.log.

Actual results:

See /usr/share/rhn/common/rhn_rpm.py and then /usr/lib/librpmio-4.4.so loaded, and AVC denial in audit.log.

Expected results:

The structure of our backend classes should not load rpm libraries if program like osa-dispatcher only needs rhnSQL.

Additional info:

Comment 1 Devan Goodwin 2009-02-25 14:33:34 UTC

This later turned out to not be causing the AVC denial Jan thought it was and boiled down instead to just Python code cleanup. Time is short, bumping to space06.

Comment 2 Jan Pazdziora 2009-08-03 13:37:14 UTC

Devan, could you move this bugzilla to space06 and address it? It is blocking an AVC denial on Fedora 10, bug 514320. Thanks, Jan.

Comment 4 Jan Pazdziora 2009-09-18 11:58:23 UTC

Not blocking bug 514320 anymore, we addressed that one in jabber_lib.py code.

Comment 5 Jan Pazdziora 2010-11-19 16:03:45 UTC

Mass-moving to space13.

Comment 6 Miroslav Suchý 2010-11-20 12:16:10 UTC

Should be fixed as side effect of commit c7abc29bb1c8ba32a13ea22a2f5b050db26178a3 from bug 612581.

server/__init__.py does not import rhnHandler any more.

moving back to space12 as this change is already there for some time.

Comment 7 Jan Pazdziora 2010-11-20 14:24:20 UTC

Marking as fixed with spacewalk-backend-1.2.73-1 as that is the tag having the last commit related to bug 612581.

With Spacewalk 1.2 release, marking as closed.

Note You need to log in before you can comment on or make changes to this bug.