Description of problem:
rhncfg-{client,manager} are symlinks to files in /usr/share. This gives them a usr_t context.

    # ls -Z /usr/bin/rhncfg*
    lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/rhncfg-client -> ../../usr/share/rhn/config_client/rhncfg-client.py
    lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/rhncfg-manager -> ../../usr/share/rhn/config_management/rhncfg-manager.py
    # ls -HZ /usr/bin/rhncfg*
    -rwxr-xr-x root root system_u:object_r:usr_t:s0 /usr/bin/rhncfg-client
    -rwxr-xr-x root root system_u:object_r:usr_t:s0 /usr/bin/rhncfg-manager
    # rhncfg-client
    -bash: /usr/bin/rhncfg-client: Permission denied
    # chcon -t bin_t /usr/share/rhn/config_client/rhncfg-client.py
    # rhncfg-client
    Usage: /usr/bin/rhncfg-client MODE [ --server-name name ] [ params ]

Version-Release number of selected component (if applicable):
Technically we're using the 0.6 series... and I know a lot of bugs were just switched to 0.8, so if this isn't the appropriate version feel free to move it.

How reproducible:
Install spacewalk on a machine with a strict selinux policy. Try to run rhncfg client utilities.

Actual results:
avc.

Should a new rhncfg-selinux package be created? A .fc stuck in rhncfg-{client,management}? This needs to end up on all clients that will do config management and that will have a strict selinux policy enforced. Thanks.
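The check behind the `ls -HZ` output in the report above, as an added example that is not part of the original report or of Spacewalk: it reads `ls -HZ` lines and lists every resolved file whose SELinux type is not in an allowed list. The function name `flag_mislabeled`, the allowed list (only `bin_t`, the type the report switches to) and the third sample line are assumptions made for illustration; the input layout is the five-column one shown in the report.

```shell
#!/bin/sh
# Added example: find commands whose symlink target carries a type the
# policy will not let a user execute. Input is `ls -HZ` output in the
# layout from the report: mode, user, group, context, path.

# Assumption: only bin_t counts as an executable label here; extend this
# list to match the types the loaded policy treats as executable.
ALLOWED_TYPES="bin_t"

# Reads ls -HZ lines on stdin, prints "path type" for each mismatch.
flag_mislabeled() {
    while read -r mode user group context path; do
        # Only regular files matter; -H has already resolved the symlinks.
        case "$mode" in
            -*) ;;
            *) continue ;;
        esac
        # The context is user:role:type[:level]; keep the type field.
        rest=${context#*:}
        rest=${rest#*:}
        type=${rest%%:*}
        ok=0
        for t in $ALLOWED_TYPES; do
            if [ "$type" = "$t" ]; then
                ok=1
            fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$path" "$type"
        fi
    done
}

# Constructed sample: the two resolved entries from the report plus one
# correctly labelled control line (hypothetical path).
SAMPLE='-rwxr-xr-x root root system_u:object_r:usr_t:s0 /usr/bin/rhncfg-client
-rwxr-xr-x root root system_u:object_r:usr_t:s0 /usr/bin/rhncfg-manager
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/bin/example-tool'

printf '%s\n' "$SAMPLE" | flag_mislabeled
```

On a host with the same `ls -Z` layout, `ls -HZ /usr/bin/rhncfg* | flag_mislabeled` runs the check against the live files.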
Couldn't the change be that we simply move /usr/share/rhn/config_client/rhncfg-client.py to /usr/bin/rhncfg-client (same for rhncfg-manager), and let them have the bin_t context?
Mass-moving to space13.
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.
Aligning under space16.
What was the AVC denial exactly? Anyway, on my RHEL 5.7 with latest rhncfg-client, I can see:

    # rhncfg-client
    Usage: /usr/bin/rhncfg-client MODE [ --server-name name ] [ params ]
    Valid modes are:
    diff get list elist channels verify
    # sestatus
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: permissive
    Policy version: 21
    Policy from config file: strict
The package versions I've tried were:

    rhncfg-client-5.10.14-1.el5.noarch
    rhn-check-1.6.15-1.el5.noarch
    rhncfg-5.10.14-1.el5.noarch
    rhnlib-2.5.45-1.el5.noarch