Description of problem:

The default installation of Satellite 5.3.0 adds /usr/bin/satcon-build-dictionary.pl to alias INSTALL_RHN in /etc/sudoers.

I've grepped Spacewalk source and satcon-build-dictionary.pl appears to be called in two places -- in spacewalk/setup/bin/spacewalk-setup, and in web/modules/rhn/RHN/SatInstall.pm.

That spacewalk-setup is being used by root, so no sudo is needed (and called) there.

That RHN::SatInstall calls

sub generate_satcon_dict {
  my $class = shift;
  my %params = validate(@_, { conf_file => { default => DEFAULT_SATCON_DICT },
                              tree => { default => DEFAULT_RHN_SATCON_TREE },
                            });

  my $ret = system("/usr/bin/sudo", "/usr/bin/satcon-build-dictionary.pl",
                   "--tree=" . $params{tree},
                   "--target=" . $params{conf_file});

  if ($ret) {
    throw 'There was a problem building the satcon dictionary. '
      . 'See the webserver error log for details.';
  }

  return;
}

But the function generate_satcon_dict is not used in the whole Spacewalk codebase except that bin/spacewalk-setup, and that script defines its own function.

Therefore I assume it is dead code which can be removed, and so can /usr/bin/satcon-build-dictionary.pl from /etc/sudoers.

Note: I did this scan through our code to figure out if there are some commands that need additional SELinux treatment.

Version-Release number of selected component (if applicable):
Satellite-5.3.0-RHEL5-re20090206.1

How reproducible:
Deterministic.

Steps to Reproduce:
1. Install Satellite 5.3.0.
2. Look into /etc/sudoers.

Actual results:
/usr/bin/satcon-build-dictionary.pl is there.

Expected results:
/usr/bin/satcon-build-dictionary.pl is not there and Satellite continues to work OK.

Additional info:
This bug was modeled based on bug 484702.
The proposed change is to remove the INSTALL_RHN section and merge whatever needs to be there to CONFIG_RHN. The proposed sudoers.rhn is below. I've tested that with this, the Satellite/Spacewalk works and runs external commands fine.

## RHN specifics ##
Cmnd_Alias CONFIG_RHN = /usr/sbin/rhn-sat-restart-silent,\
                        /usr/bin/rhn-config-satellite.pl,\
                        /usr/bin/rhn-satellite-activate,\
                        /usr/bin/rhn-bootstrap,\
                        /usr/bin/rhn-ssl-tool,\
                        /usr/bin/rhn-ssl-dbstore,\
                        /usr/bin/rhn-load-ssl-cert.pl,\
                        /etc/rc.d/np.d/step Monitoring install,\
                        /etc/rc.d/np.d/step MonitoringScout install,\
                        /etc/rc.d/np.d/step Monitoring uninstall,\
                        /etc/rc.d/np.d/step MonitoringScout uninstall,\
                        /sbin/service Monitoring restart,\
                        /sbin/service MonitoringScout restart,\
                        /sbin/service taskomatic restart

# The CONFIG_RHN commands are required for reconfiguration of a
# running RHN Satellite. They should be enabled for proper operation
# of the RHN Satellite.
apache ALL=(root) NOPASSWD: CONFIG_RHN
tomcat ALL=(root) NOPASSWD: CONFIG_RHN

# These two directives allow tomcat and apache to invoke CONFIG_RHN
# commands via sudo even without a real tty
Defaults:tomcat !requiretty
Defaults:apache !requiretty
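The audit described in the two comments above (list what sudoers grants, then check whether live code still runs it through sudo) can be scripted. This is an added example, not part of the original report or of the Spacewalk code; the sudoers text, the Config.pm file and its subs are constructed for illustration, and the "is this sub called anywhere" test is a name-based heuristic.

```python
import re

# Constructed sample inputs (not the real Satellite files). Config.pm and its subs are hypothetical.
SUDOERS = r"""
Cmnd_Alias INSTALL_RHN = /usr/bin/satcon-build-dictionary.pl
Cmnd_Alias CONFIG_RHN = /usr/bin/rhn-bootstrap,\
                        /sbin/service taskomatic restart
apache ALL=(root) NOPASSWD: INSTALL_RHN, CONFIG_RHN
"""
SOURCES = {
    "SatInstall.pm": 'sub generate_satcon_dict {\n  system("/usr/bin/sudo",\n'
                     '    "/usr/bin/satcon-build-dictionary.pl", "--tree=/t");\n}\n',
    "Config.pm": 'sub run_bootstrap {\n  system("/usr/bin/sudo", "/usr/bin/rhn-bootstrap");\n}\n'
                 'sub restart_taskomatic {\n  system("/usr/bin/sudo", "/sbin/service",\n'
                 '    "taskomatic", "restart");\n}\nrun_bootstrap(); restart_taskomatic();\n',
}

def parse_cmnd_aliases(sudoers_text):
    """Return {alias: [binary path, ...]}, joining backslash-continued lines."""
    joined = re.sub(r"\\\s*\n", " ", sudoers_text)
    aliases = {}
    for line in joined.splitlines():
        m = re.match(r"\s*Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:  # keep the path only; fixed arguments in the entry are dropped
            aliases[m.group(1)] = [c.split()[0] for c in m.group(2).split(",") if c.strip()]
    return aliases

def sudo_callers(sources):
    """Map each path passed to system("...sudo", "<path>", ...) to the Perl subs doing so."""
    callers = {}
    for text in sources.values():
        starts = [(0, "<main>")]  # code before the first sub counts as live top-level code
        starts += [(m.start(), m.group(1)) for m in re.finditer(r"^\s*sub\s+(\w+)", text, re.M)]
        starts.append((len(text), None))
        for (begin, name), (end, _) in zip(starts, starts[1:]):
            for path in re.findall(r'sudo"\s*,\s*"(/[^"\s]+)"', text[begin:end]):
                callers.setdefault(path, set()).add(name)
    return callers

def is_called(name, sources):
    """Heuristic: the sub's name occurs somewhere other than its own definition."""
    pat = re.compile(r"(?<!sub )\b%s\b" % re.escape(name))
    return any(pat.search(text) for text in sources.values())

def unused_sudo_commands(sudoers_text, sources):
    """(alias, path) pairs granted in sudoers that no apparently-live code runs via sudo."""
    callers = sudo_callers(sources)
    unused = []
    for alias, cmds in parse_cmnd_aliases(sudoers_text).items():
        for cmd in sorted(set(cmds)):
            if not any(s == "<main>" or is_called(s, sources) for s in callers.get(cmd, ())):
                unused.append((alias, cmd))
    return unused

print(unused_sudo_commands(SUDOERS, SOURCES))
```

Each reported pair is a candidate for removal that still needs the manual confirmation done in this bug; a command that is only matched by path can also hide an unused argument form, since the comparison ignores the fixed arguments in the sudoers entry.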
Same as sat con deploy bug.
Reassigning to myself as the bugzillas are not tracked against the SELinux feature.
The previous comment should have been "are *now*".
Committed to Spacewalk repo, 0df28b31550792d2a0e9e5ec63726929d3f89116 and 1de6c23dc8c136aa5576252a27ab9a27ee4730bd.
With compose Satellite-5.3.0-RHEL5-re20090220.1 available, moving ON_QA.
ISO: Satellite-5.3.0-RHEL5-re20090220.1-i386-embedded-oracle.iso

[root@grandprix ~]# cat /etc/sudoers | grep /usr/bin/satcon-build-dictionary.pl
[root@grandprix ~]#
[root@xen5 ~]# grep satcon-build-dictionary.pl /etc/sudoers
[root@xen5 ~]#

satellite works still fine verified in stage on xen5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html