Version-Release number of selected component (if applicable):
Fedora 10 latest packages and:

[root@sw2 ~]# rpm -qa | grep selinux
oracle-instantclient-selinux-10.2-15.fc10.noarch
spacewalk-monitoring-selinux-0.6.12-1.fc10.noarch
oracle-instantclient-sqlplus-selinux-10.2-15.fc10.noarch
osa-dispatcher-selinux-5.9.20-1.fc10.noarch
libselinux-2.0.78-1.fc10.i386
selinux-policy-3.5.13-65.fc10.noarch
oracle-nofcontext-selinux-0.1-23.10.fc10.noarch
jabberd-selinux-1.4.6-1.fc10.noarch
libselinux-python-2.0.78-1.fc10.i386
selinux-policy-targeted-3.5.13-65.fc10.noarch
spacewalk-selinux-0.6.13-1.fc10.noarch
libselinux-utils-2.0.78-1.fc10.i386

How reproducible:
100% (I think)

Steps to Reproduce:
1. Install 0.6 devel on Fedora 10
2. Check osa-dispatcher status
3.

Actual results:
dead but pid exists.

Expected results:
Running.

Additional info:
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.051:12): avc: denied { execute } for pid=4715 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.096:13): avc: denied { execute } for pid=4716 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.105:14): avc: denied { execute } for pid=4717 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.114:15): avc: denied { execute } for pid=4718 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.150:16): avc: denied { execute } for pid=4719 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 jabberd/c2s[4605]: [7] [127.0.0.1, port=38607] connect
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.802:17): avc: denied { read } for pid=4724 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-0 ino=843934 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file

Haven't yet been able to test on Fedora 11 and RHEL 5, will update if this issue arises there also.
Could you please paste the output of

# semodule -l

and

# getenforce

? Also, did the problem show up on F11 or is this an F10-only issue?
[root@sw2 ~]# semodule -l
ada 1.2.0 aide 1.4.0 amanda 1.10.0 amavis 1.8.0 amtu 1.1.0 apache 1.11.0 apcupsd 1.4.0 arpwatch 1.6.0 audio_entropy 1.4.0 automount 1.10.0 avahi 1.9.0 awstats 1.0.0 bind 1.8.0 bitlbee 1.1.0 bluetooth 2.2.0 calamaris 1.3.0 canna 1.8.0 ccs 1.3.0 cdrecord 1.4.0 certmaster 1.0.0 certwatch 1.0 cipe 1.4.0 clamav 1.6.0 comsat 1.5.0 consolekit 1.3.0 courier 1.6.0 cups 1.11.0 cvs 1.7.0 cyphesis 1.0.0 cyrus 1.7.0 daemontools 1.2.0 dbskk 1.4.0 dcc 1.6.0 dhcp 1.6.0 dictd 1.6.0 dnsmasq 1.6.0 dovecot 1.9.0 ethereal 1.5.0 exim 1.2.0 fail2ban 1.2.0 fetchmail 1.7.0 finger 1.7.0 ftp 1.9.0 games 1.7.0 gitosis 1.0.0 gnome 1.3.0 gnomeclock 1.0.0 gpg 1.6.0 gpm 1.5.0 gpsd 1.0.0 guest 1.0.0 hal 1.10.0 howl 1.6.0 inn 1.7.0 ipsec 1.8.0 irc 1.4.0 iscsid 1.5.0 jabber 1.4.6.1 java 1.8.0 kerberos 1.8.0 kerneloops 1.1.0 kismet 1.1.0 ktalk 1.6.0 ldap 1.8.0 lircd 1.0.0 livecd 1.0.0 lockdev 1.2.0 logadm 1.0.0 lpd 1.10.0 mailman 1.5.0 mailscanner 1.0.0 memcached 1.0.0 milter 1.0.0 mono 1.5.0 mozilla 1.6.0 mplayer 1.5.0 mrtg 1.5.0 munin 1.5.0 mysql 1.9.0 nagios 1.6.0 netlabel 1.2.0 nis 1.7.0 nsplugin 1.0.0 ntp 1.7.0 nx 1.3.0 oddjob 1.5.0 openct 1.3.0 openoffice 1.0.0 openvpn 1.6.0 oracle-nofcontext 1.1.1 osa-dispatcher 5.9.20.1 pads 0.0.1 pcscd 1.4.0 pegasus 1.6.0 pingd 1.0.0 podsleuth 1.0.0 polkit_auth 1.0.0 portmap 1.7.0 portreserve 1.0.0 postfix 1.9.0 postgresql 1.7.0 postgrey 1.5.0 ppp 1.9.0 prelude 1.0.0 privoxy 1.7.0 procmail 1.9.0 psad 1.0.0 publicfile 1.1.0 pyzor 1.6.0 qemu 1.0.0 qmail 1.4.0 radius 1.9.0 radvd 1.9.0 razor 1.4.0 rdisc 1.6.0 remotelogin 1.5.0 rhgb 1.7.0 ricci 1.4.0 rlogin 1.7.0 roundup 1.5.0 rpcbind 1.2.0 rshd 1.5.0 rsync 1.7.0 rwho 1.5.0 samba 1.10.0 sambagui 1.0.0 sasl 1.10.0 screen 1.4.0 slocate 1.8.0 smartmon 1.7.0 snmp 1.8.0 snort 1.6.0 soundserver 1.6.0 spacewalk-monitoring 0.6.12.1 spacewalk 0.6.13.1 spamassassin 1.10.0 squid 1.7.0 staff 1.0.0 stunnel 1.7.0 sysstat 1.3.0 tcpd 1.3.0 telnet 1.7.0 tftp 1.9.0 tmpreaper 1.3.0 tor 1.5.0 tvtime 1.4.0 ulogd 1.0.0 uml 1.6.0 unconfined 2.4.0 unprivuser 1.1.0 usbmodules 1.1.0 userhelper 1.4.0 usernetctl 1.4.0 uucp 1.8.0 virt 1.0.0 vmware 1.6.0 vpn 1.9.0 w3c 1.0.0 webadm 1.0.0 webalizer 1.7.0 wine 1.5.0 xen 1.7.0 xfs 1.4.0 xguest 1.0.0 zabbix 1.2.0 zebra 1.8.0 zosremote 1.0.0

[root@sw2 ~]# getenforce
Permissive
[root@sw2 ~]#

There's a separate bug filed on F11 selinux issues; this issue does appear to be happening there as well.
The AVC denial

Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

seems to be caused by the fact that the osa-dispatcher process calls

execve("/bin/sh", ["sh", "-c", "echo $HOME"], [/* 27 vars */]) = 0

It seems to be caused by rpm. The trouble is that even if the osa_dispatcher.py code essentially needs to do

server.rhnSQL.sql_base import sql_types

it loads server/__init__.py, and from there the rhnHandler, all the way up to rhn_rpm and rpm. And the rpm package presumably does more than just loading the Python code.

We actually have this problem described in bug 479987.
The AVC denial

Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.802:17): avc: denied { read } for pid=4724 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-0 ino=843934 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file

issue was addressed in Spacewalk repo, master, b5495e93327076e60a7667e6491ead05d6528673.
(In reply to comment #3)
> The AVC denial
>
> Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied {
> execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460
> scontext=unconfined_u:system_r:osa_dispatcher_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Note to self -- the complete list of AVC denials for this issue, from Permissive machine, is

type=AVC msg=audit(1249310665.197:257): avc: denied { execute } for pid=4228 comm="osa-dispatcher" name="bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { read } for pid=4228 comm="osa-dispatcher" name="bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { execute_no_trans } for pid=4228 comm="osa-dispatcher" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.204:258): avc: denied { getattr } for pid=4228 comm="sh" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
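The denials above come in two shapes on this report: the raw audit.log form (type=AVC msg=audit(...)) and the kernel/syslog form (type=1400 audit(...)) in the original description. The following is an added example, not code from the bug report or the Spacewalk project, that parses both forms, groups the denied permissions by (source type, target type, object class) the way a reviewer reads them before deciding whether a policy change is legitimate, and flags PIDs whose denied execve nevertheless changed the process image, which is how you can tell from the log alone that the machine was in permissive mode (pid 4228 is first denied execute as comm="osa-dispatcher" and then appears as comm="sh"). The sample lines are copied from this report; the function names and the permissive-mode heuristic are this example's own.

```python
"""Summarise SELinux AVC denials from audit.log or kernel/syslog lines.

Added example for this bug thread; not part of the report or of Spacewalk.
"""
import re
from collections import defaultdict

# Constructed sample: one kernel/syslog-form record from the report, the four
# audit.log-form records from the "note to self", the PID-file denial, and a
# non-AVC jabberd line to show that unrelated records are skipped.
SAMPLE_LOG = """\
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.037:11): avc: denied { execute } for pid=4714 comm="osa-dispatcher" name="bash" dev=dm-0 ino=442460 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 jabberd/c2s[4605]: [7] [127.0.0.1, port=38607] connect
type=AVC msg=audit(1249310665.197:257): avc: denied { execute } for pid=4228 comm="osa-dispatcher" name="bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { read } for pid=4228 comm="osa-dispatcher" name="bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.197:257): avc: denied { execute_no_trans } for pid=4228 comm="osa-dispatcher" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1249310665.204:258): avc: denied { getattr } for pid=4228 comm="sh" path="/bin/bash" dev=dm-0 ino=915243 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
Jul 28 14:31:31 sw2 kernel: type=1400 audit(1248802291.802:17): avc: denied { read } for pid=4724 comm="osa-dispatcher" name="osa-dispatcher.pid" dev=dm-0 ino=843934 scontext=unconfined_u:system_r:osa_dispatcher_t:s0 tcontext=unconfined_u:object_r:osa_dispatcher_var_run_t:s0 tclass=file
"""

# audit(<seconds>:<serial>) ... avc: denied { perm perm } for key=value ...
# \s+ tolerates the double spaces the real audit subsystem emits.
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'event': (float(m.group('ts')), int(m.group('serial'))),
        'perms': set(m.group('perms').split()),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm', ''),
        # the kernel reports either the full path or just the basename
        'target': fields.get('path') or fields.get('name', ''),
        'tclass': fields.get('tclass', ''),
    }
    # user:role:type:level  -> keep the type component only
    for ctx, key in (('scontext', 'stype'), ('tcontext', 'ttype')):
        parts = fields.get(ctx, '').split(':')
        rec[key] = parts[2] if len(parts) > 2 else ''
    return rec


def summarize(lines):
    """Map (source type, target type, class) -> sorted list of denied perms."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return {key: sorted(perms) for key, perms in groups.items()}


def exec_went_through(lines):
    """PIDs denied 'execute' that later show up under a different comm.

    A denied execve that still replaced the process image was only logged,
    not blocked, i.e. the host was running permissive at the time.
    """
    first_comm = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and 'execute' in rec['perms']:
            first_comm.setdefault(rec['pid'], rec['comm'])
    changed = set()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['pid'] in first_comm and rec['comm'] != first_comm[rec['pid']]:
            changed.add(rec['pid'])
    return sorted(changed)


if __name__ == '__main__':
    sample = SAMPLE_LOG.splitlines()
    for (stype, ttype, tclass), perms in summarize(sample).items():
        print(f'{stype} -> {ttype} ({tclass}): {" ".join(perms)}')
    print('execve proceeded despite denial for pids:', exec_went_through(sample))
```

Run against a real /var/log/audit/audit.log the summary is the same grouping audit2allow would turn into allow rules; keeping it as a report rather than generating policy is deliberate, since (as the thread concludes) the right fix here was to stop the dispatcher from spawning a shell, not to grant osa_dispatcher_t execute on shell_exec_t.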
Spacewalk 0.6 released