Bug 627984 - Unconfined jabberd in Spacewalk 1.1
Summary: Unconfined jabberd in Spacewalk 1.1
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.1
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Martin Minar
URL:
Whiteboard:
Depends On: 628495
Blocks: 556787 space12 634220
 
Reported: 2010-08-27 15:06 UTC by Jan Pazdziora
Modified: 2016-07-04 00:55 UTC

Fixed In Version: jabberd-selinux-1.5.1-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 634220 (view as bug list)
Environment:
Last Closed: 2010-11-19 16:16:38 UTC
Embargoed:



Description Jan Pazdziora 2010-08-27 15:06:37 UTC
Description of problem:

With a fresh installation of Spacewalk 1.1 on RHEL 5.5, the jabberd processes do not seem to be properly confined.

Version-Release number of selected component (if applicable):

# rpm -qa | grep jabber | sort
jabberd-2.2.8-2.el5
jabberd-selinux-1.4.8-1.el5
jabberpy-0.5-0.17.el5
spacewalk-setup-jabberd-1.1.1-1.el5
# semodule -l | grep jabber
jabber	1.4.8.1

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install Spacewalk 1.1.
2. Run /bin/ps -eZ | /bin/egrep "initrc"
  
Actual results:

# /bin/ps -eZ | /bin/egrep "initrc"
system_u:system_r:initrc_t       2743 ?        00:00:00 router
system_u:system_r:initrc_t       2767 ?        00:00:00 sm
system_u:system_r:initrc_t       2791 ?        00:00:00 c2s
system_u:system_r:initrc_t       2815 ?        00:00:00 s2s
system_u:system_r:initrc_t       2878 ?        00:00:00 rhnsearchd
system_u:system_r:initrc_t       2926 ?        00:00:00 rhnsd
system_u:system_r:initrc_t       3092 ?        00:00:00 cobblerd
system_u:system_r:initrc_t       3155 ?        00:00:00 taskomaticd

Expected results:

The router, sm, c2s, and s2s processes should be running as jabberd_t, not initrc_t.

Additional info:

The issue is caused by the fact that we have moved to jabberd 2.2 and presumably something is different there.
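
The check from the steps above as a reusable function, as an added example that is not part of the original report: it reads `ps -eZ` output and reports any named daemon whose SELinux type is not the expected one, or that is not running. The function name `check_domain` and the "after" sample are constructed for illustration.

```shell
# check_domain EXPECTED_TYPE NAME...
# Reads `ps -eZ` output (LABEL PID TTY TIME CMD) on stdin. Prints one line per
# named process running in another type, or not running; returns 1 if any.
check_domain() {
    expected=$1; shift
    awk -v expected="$expected" -v names="$*" '
        BEGIN {
            bad = 0
            n = split(names, want, " ")
            for (i = 1; i <= n; i++) seen[want[i]] = 0
        }
        NF >= 5 && ($NF in seen) {
            # Label is user:role:type, optionally followed by :level.
            split($1, ctx, ":")
            seen[$NF]++
            if (ctx[3] != expected) {
                printf "MISMATCH %s pid=%s type=%s expected=%s\n", $NF, $2, ctx[3], expected
                bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) if (!seen[want[i]]) { printf "MISSING %s\n", want[i]; bad = 1 }
            exit bad
        }'
}

# Lines copied from "Actual results" in the report above.
sample_before() {
    cat <<'EOF'
system_u:system_r:initrc_t       2743 ?        00:00:00 router
system_u:system_r:initrc_t       2767 ?        00:00:00 sm
system_u:system_r:initrc_t       2791 ?        00:00:00 c2s
system_u:system_r:initrc_t       2815 ?        00:00:00 s2s
system_u:system_r:initrc_t       2926 ?        00:00:00 rhnsd
EOF
}

# Constructed sample of the expected state, with a level suffix as some
# systems print it; s2s is left out to show the MISSING case.
sample_after() {
    cat <<'EOF'
system_u:system_r:jabberd_t:s0   2743 ?        00:00:00 router
system_u:system_r:jabberd_t:s0   2767 ?        00:00:00 sm
system_u:system_r:jabberd_t:s0   2791 ?        00:00:00 c2s
EOF
}

sample_before | check_domain jabberd_t router sm c2s s2s || echo "jabberd not confined"
```

On a live host the same check is `ps -eZ | check_domain jabberd_t router sm c2s s2s`; unlike grepping for initrc, it also fails when a daemon is not running at all.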

Comment 1 Jan Pazdziora 2010-08-27 15:07:46 UTC
We probably should just take the policy from the latest Fedoras to match the version of the policy to the version of jabberd.

Comment 2 Jan Pazdziora 2010-08-30 08:46:49 UTC
Filed Fedora selinux-policy bug 628495 as we want to mimic as much of the policy as possible, and on Fedoras we use the stock policy module for jabberd anyway.

Comment 3 Jan Pazdziora 2010-09-24 13:34:46 UTC
Fixed in Spacewalk master, commits 508c7dff89e29179e76e7380bd9e1bc6e2d22e10, b1beb36b00cbafc5e0cde00762484927e7af0a9c, c9d9353744d6a92e9e1d2b2ec6d8fad1b55c566c, and 67e9553fda810deb24464b8d98cd932dd37bcd18.

Tagged and built as jabberd-selinux-1.5.1-1.

Comment 4 Martin Minar 2010-09-30 12:24:54 UTC
Verified in today's nightly. 
Note:
Correction from bug 628495 solved the problem for F13.

Comment 5 Jan Pazdziora 2010-10-04 10:03:19 UTC
(In reply to comment #4)
> Verified in today's nightly. 
> Note:
> Correction from bug 628495 solved the problem for F13.

Martin, please note that on Fedora 13, the jabberd SELinux module is in the core distribution. On RHEL 5 we ship the jabberd-selinux package and we'd need to verify that this RHEL 5 fix works properly.

Comment 8 Jan Pazdziora 2010-11-19 16:16:38 UTC
With Spacewalk 1.2 released, marking as CLOSED CURRENTRELEASE.

https://www.redhat.com/archives/spacewalk-list/2010-November/msg00111.html

