Description of problem:
With fresh installation of Spacewalk 1.1 on RHEL 5.5, the jabberd processes do not seem to be properly confined.

Version-Release number of selected component (if applicable):
# rpm -qa | grep jabber | sort
jabberd-2.2.8-2.el5
jabberd-selinux-1.4.8-1.el5
jabberpy-0.5-0.17.el5
spacewalk-setup-jabberd-1.1.1-1.el5
# semodule -l | grep jabber
jabber 1.4.8.1

How reproducible:
Deterministic.

Steps to Reproduce:
1. Install Spacewalk 1.1.
2. Run /bin/ps -eZ | /bin/egrep "initrc"

Actual results:
# /bin/ps -eZ | /bin/egrep "initrc"
system_u:system_r:initrc_t 2743 ? 00:00:00 router
system_u:system_r:initrc_t 2767 ? 00:00:00 sm
system_u:system_r:initrc_t 2791 ? 00:00:00 c2s
system_u:system_r:initrc_t 2815 ? 00:00:00 s2s
system_u:system_r:initrc_t 2878 ? 00:00:00 rhnsearchd
system_u:system_r:initrc_t 2926 ? 00:00:00 rhnsd
system_u:system_r:initrc_t 3092 ? 00:00:00 cobblerd
system_u:system_r:initrc_t 3155 ? 00:00:00 taskomaticd

Expected results:
The router, sm, c2s, and s2s processes should be running as jabberd_t, not initrc_t.

Additional info:
The issue is caused by the fact that we have moved to jabberd 2.2 and presumably something is different there.
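Added example, not part of the original report or of Spacewalk: a shell check that reads `ps -eZ` output and lists the jabberd components named above whose SELinux type is not the expected jabberd_t. The function names and the sample input are constructed for illustration; the expected domain is taken from the "Expected results" section.

```shell
#!/bin/sh
# Expected domain and component names come from the report; adjust for other policies.
EXPECTED_DOMAIN="jabberd_t"
JABBERD_PROCS="router sm c2s s2s"

# Constructed sample in `ps -eZ` format. The c2s line (confined, with an MLS
# level) is made up to show a passing entry next to failing ones.
sample_ps_output() {
cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:initrc_t       2743 ?        00:00:00 router
system_u:system_r:initrc_t       2767 ?        00:00:00 sm
system_u:system_r:jabberd_t:s0   2791 ?        00:00:00 c2s
system_u:system_r:initrc_t       2815 ?        00:00:00 s2s
system_u:system_r:initrc_t       2926 ?        00:00:00 rhnsd
EOF
}

# Reads `ps -eZ` output on stdin. Prints one line per watched process whose
# SELinux type (third colon-separated field of the label) differs from
# EXPECTED_DOMAIN. Returns 1 if any mismatch was found, 0 otherwise.
check_jabberd_domains() {
    awk -v want="$EXPECTED_DOMAIN" -v procs="$JABBERD_PROCS" '
        BEGIN {
            n = split(procs, p, " ")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        NF >= 5 && ($5 in watch) {
            split($1, ctx, ":")
            if (ctx[3] != want) {
                printf "%s pid=%s domain=%s\n", $5, $2, ctx[3]
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample; on a live host use: ps -eZ | check_jabberd_domains
sample_ps_output | check_jabberd_domains || echo "jabberd components outside $EXPECTED_DOMAIN"
```
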
We probably should just take the policy from latest Fedoras to match the version of the policy to the version of the jabberd.
Filed Fedora selinux-policy bug 628495 as we want to mimic as much of the policy as possible, and on Fedoras we use the stock policy module for jabberd anyway.
Fixed in Spacewalk master, commits 508c7dff89e29179e76e7380bd9e1bc6e2d22e10, b1beb36b00cbafc5e0cde00762484927e7af0a9c, c9d9353744d6a92e9e1d2b2ec6d8fad1b55c566c, and 67e9553fda810deb24464b8d98cd932dd37bcd18. Tagged and built as jabberd-selinux-1.5.1-1.
Verified in today's nightly. Note: Correction from bug 628495 solved the problem for F13.
(In reply to comment #4)
> Verified in today's nightly.
> Note:
> Correction from bug 628495 solved the problem for F13.

Martin, please note that on Fedora 13, the jabberd SELinux module is in the core distribution. On RHEL 5 we ship the jabberd-selinux package and we'd need to verify that this RHEL 5 fix works properly.
With Spacewalk 1.2 released, marking as CLOSED CURRENTRELEASE. https://www.redhat.com/archives/spacewalk-list/2010-November/msg00111.html