Bug 634989 - AVC error when pushing to channel
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Spacewalk
Classification: Community
Component: Server
Version: 1.2
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jan Pazdziora (Red Hat)
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: space15 703485
 
Reported: 2010-09-17 14:13 UTC by Jan Hutař
Modified: 2011-07-21 14:42 UTC

Fixed In Version: spacewalk-selinux-1.5.2-1
Clone Of:
: 703485 (view as bug list)
Environment:
Last Closed: 2011-07-21 14:42:54 UTC
Embargoed:



Description Jan Hutař 2010-09-17 14:13:31 UTC
Description of problem:
I'm getting an AVC error when I'm pushing to a channel on SWnightly on Fedora 13.


Version-Release number of selected component (if applicable):
SWnightly as of 2010-09-16


How reproducible:
1 of 2 Spacewalks


Steps to Reproduce:
1. # runcon -u unconfined_u -r unconfined_r -t unconfined_t -l s0-s0:c0.c1023 -- rhnpush -v --server=<fqdn> --username=<user> --password=<pass> -d rhel4 --channel=my-channel
2. Check AVC messages


Actual results:
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -sv no -m AVC -m USER_AVC -m SELINUX_ERR -ts 09/15/2010 22:00:55 < /dev/null
----
time->Wed Sep 15 22:01:46 2010
type=SYSCALL msg=audit(1284602506.003:30904): arch=40000003 syscall=12 success=no exit=-13 a0=bfbfddbc a1=bfbfddbc a2=cf7738 a3=d2a450 items=0 ppid=9166 pid=13762 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602506.003:30904): avc:  denied  { search } for  pid=13762 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
time->Wed Sep 15 22:01:53 2010
type=SYSCALL msg=audit(1284602513.290:30905): arch=40000003 syscall=12 success=no exit=-13 a0=bf9b6cfc a1=bf9b6cfc a2=cdc738 a3=d0f450 items=0 ppid=8411 pid=13821 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602513.290:30905): avc:  denied  { search } for  pid=13821 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
----
time->Wed Sep 15 22:02:01 2010
type=SYSCALL msg=audit(1284602521.150:30906): arch=40000003 syscall=12 success=no exit=-13 a0=bfdd6b0c a1=bfdd6b0c a2=261738 a3=294450 items=0 ppid=11685 pid=13887 auid=4294967295 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1284602521.150:30906): avc:  denied  { search } for  pid=13887 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir


Expected results:
There should not be such errors.

Comment 2 Jan Pazdziora (Red Hat) 2010-11-19 16:02:19 UTC
Mass-moving to space13.

Comment 3 Jan Pazdziora (Red Hat) 2010-11-20 17:27:11 UTC
I assume that the sendmail process seems to be started when Apache wants to send some traceback email. Unfortunately, rhnpush seems to be so stable on my Spacewalk 1.2 (Fedora 13, PostgreSQL) that I did not get any tracebacks.

So I put

        i = 1 / 0

into the handler in /usr/share/rhn/upload_server/handlers/package_push/package_push.py and I can indeed see the reproducer.

type=AVC msg=audit(1290274022.882:21541): avc:  denied  { search } for  pid=3005 comm="sendmail" name="clientmqueue" dev=dm-0 ino=833 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir

Taking.

Comment 4 Miroslav Suchý 2011-04-11 07:30:52 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 5 Miroslav Suchý 2011-04-11 07:36:11 UTC
We did not have time for this one during Spacewalk 1.4 time frame. Mass moving to Spacewalk 1.5.

Comment 6 Jan Pazdziora (Red Hat) 2011-05-10 11:28:44 UTC
The fix is to set the httpd_can_sendmail boolean:

# setsebool -P httpd_can_sendmail on
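
Added example (not part of the original bug report or of Spacewalk): a small triage parser that collapses the AVC denials quoted in this bug by SELinux type rather than by pid or SELinux user, showing that the rhnpush denial and the Comment 3 reproducer are the same httpd_t to mqueue_spool_t denial. The names parse_denials, summarize and BOOLEAN_HINTS are illustrative, the sample input is constructed from records in this report, and the boolean mapping comes only from Comment 6.

```python
import re
from collections import Counter

# Constructed sample: two denials shortened from records quoted in this bug,
# one SYSCALL record, and one made-up "granted" record that must be ignored.
SAMPLE = """\
type=AVC msg=audit(1284602506.003:30904): avc:  denied  { search } for  pid=13762 comm="sendmail" name="clientmqueue" dev=dm-0 ino=524716 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1284602506.003:30904): arch=40000003 syscall=12 success=no exit=-13 comm="sendmail"
type=AVC msg=audit(1290274022.882:21541): avc:  denied  { search } for  pid=3005 comm="sendmail" name="clientmqueue" dev=dm-0 ino=833 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mqueue_spool_t:s0 tclass=dir
type=AVC msg=audit(1290274030.000:21542): avc:  granted  { read } for  pid=3005 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
"""

# (source type, target type) -> boolean, as stated in Comment 6 of this bug only.
BOOLEAN_HINTS = {("httpd_t", "mqueue_spool_t"): "httpd_can_sendmail"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    # A context is user:role:type:level; policy decisions key on the type.
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per 'denied' AVC record; other record types are skipped."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        out.append({
            "source": se_type(f["scontext"]),
            "target": se_type(f["tcontext"]),
            "tclass": f["tclass"],
            "perms": tuple(m.group("perms").split()),
            "comm": f.get("comm"),
        })
    return out

def summarize(text):
    """Group denials that differ only in pid, inode or SELinux user."""
    counts = Counter(
        (d["source"], d["target"], d["tclass"], d["perms"], d["comm"])
        for d in parse_denials(text)
    )
    return [{"denial": key, "count": n, "boolean": BOOLEAN_HINTS.get(key[:2])}
            for key, n in counts.most_common()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On a live system the input would be the output of the ausearch command shown in the description; a denial with no entry in BOOLEAN_HINTS is reported with boolean None and needs its own policy analysis.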

Comment 7 Jan Pazdziora (Red Hat) 2011-05-10 11:29:51 UTC
This issue is also present on Satellite 5.4.0.

Comment 8 Jan Pazdziora (Red Hat) 2011-05-10 11:32:50 UTC
We now set the boolean in spacewalk-selinux-enable: Spacewalk master 87e7077f0a2923763ef5ce9ec5de6e3aa7533467.

Comment 9 Jan Pazdziora (Red Hat) 2011-05-10 11:55:48 UTC
The same AVCs happen on https://FQDN/help/forgot_password.pxt, with the SELinux boolean turned off.

Comment 10 Jan Pazdziora (Red Hat) 2011-07-19 19:36:34 UTC
This bugzilla is currently MODIFIED, so we believe the fix is in the Spacewalk nightly yum repository at http://spacewalk.redhat.com/yum/nightly/

Therefore, moving ON_QA.

Comment 11 Jan Hutař 2011-07-20 09:39:20 UTC
I have used Spacewalk nightly (RHEL6; Oracle DB backend; spacewalk-selinux-1.5.4-1.el6.noarch) to reset my password (for user with password root.eng.rdu.redhat.com):

https://FQDN/help/forgot_password.pxt

and no new messages appeared in audit.log.

=> VERIFIED

Comment 12 Jan Pazdziora (Red Hat) 2011-07-21 14:42:54 UTC
Spacewalk 1.5 was released.

