Bug 637833 - 'rhncfg-manager download-channel' does not deploy selinux context
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Client
Version: 540
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Michael Mráka
QA Contact: Jiri Kastner
URL:
Whiteboard:
Depends On:
Blocks: 640135 sat54-errata
Reported: 2010-09-27 14:55 UTC by Pavel Novotny
Modified: 2011-03-07 09:25 UTC

Fixed In Version: rhncfg-5.9.27-6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-07 09:25:13 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0323 0 normal SHIPPED_LIVE RHN Tools bug fix and enhancement update 2011-03-07 09:22:47 UTC

Description Pavel Novotny 2010-09-27 14:55:18 UTC
Description of problem:
The 'rhncfg-manager download-channel' command does not deploy the SELinux file context. Instead, the system-default context on the client machine is used.

Version-Release number of selected component (if applicable):
rhncfg-management-5.9.27-1.el5sat

How reproducible:
Always

Steps to Reproduce:
1. In Satellite 540's WebUI, create a config channel with config file(s) in the /tmp/ directory.
2. Set the SELinux context to 'root:object_r:unconfined_t'.
3. On the client machine, run 'rhncfg-manager download-channel -t /tmp/ <config-channel-name>'.
4. Run 'ls -Z /tmp/<config-channel-name>/tmp/'.
  
Actual results:
The SELinux context is system default, usually 'root:object_r:tmp_t'.

Expected results:
The SELinux context should be the same as on the server, i.e., 'root:object_r:unconfined_t'.

Additional info:
This behaviour can cause trouble if we run 'rhncfg-manager download-channel' and then 'rhncfg-manager upload-channel', because the second command deploys the client's system-default context back onto the server, thus changing the SELinux context field without the user's knowledge.

Comment 3 Michael Mráka 2011-01-06 13:26:44 UTC
It's been fixed in spacewalk master by 
commit 2272486d9037b0bcead4edf0384f1d47778f8c8b
    637833 - reused shared file deploy code
commit f2d5222dd5eb72653ee6201d87e6571d74e2eb20
    637833 - moved file deploy code into shared module

Fixed spacewalk package rhncfg-5.9.43-1.

Comment 4 Michael Mráka 2011-01-06 14:42:50 UTC
Fixed in satellite git
commit 23aabf14f64f7022f0bea98ec13b882c922760ed
    637833 - reused shared file deploy code
    (cherry picked from commit 2272486d9037b0bcead4edf0384f1d47778f8c8b)
commit 39676e91219caaa53b7668ef11c81c928c9ec292
    637833 - reused shared file deploy code
    (cherry picked from commit f2d5222dd5eb72653ee6201d87e6571d74e2eb20)

Comment 7 Jiri Kastner 2011-01-24 14:51:59 UTC
RHEL5:
[root@rlx-0-12 ~]# rhncfg-manager download-channel test-644985 -t /tmp/
Deploying /tmp/test-644985/tmp/config.cfg
Deploying /tmp/test-644985/tmp/config.cfg.ln
[root@rlx-0-12 ~]# ls -Z /tmp/test-644985/tmp/
-rw-r--r--  root root system_u:object_r:rpm_script_tmp_t config.cfg
lrwxrwxrwx  root root system_u:object_r:rpm_script_tmp_t config.cfg.ln -> /tmp/config.cfg
[root@rlx-0-12 ~]# rhncfg-manager download-channel test-644985 -t /tmp/
Deploying /tmp/test-644985/tmp/config.cfg
Deploying /tmp/test-644985/tmp/config.cfg.ln
[root@rlx-0-12 ~]# ls -Z /tmp/test-644985/tmp/
-rw-r--r--  root root root:object_r:tmp_t              config.cfg
lrwxrwxrwx  root root root:object_r:tmp_t              config.cfg.ln -> /tmp/config.cfg
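
The check from step 4 of the report, automated: an added example (not part of the bug report or of rhncfg) that parses 'ls -Z' output in the column layout shown above and lists files whose context differs from the one set on the config channel. The function names and sample lines are constructed for illustration; it also accepts four-field contexts with an MLS level, which goes beyond the three-field contexts in this report.

```python
import re

# `ls -Z` line in the layout shown in this report:
# mode, owner, group, SELinux context, name [-> symlink target]
LS_Z = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<context>[^\s:]+:[^\s:]+:[^\s:]+(?::\S+)?)\s+(?P<name>.+)$"
)

def split_context(context):
    """Return (user, role, type, level); level is None for 3-field contexts."""
    user, role, setype, *level = context.split(":", 3)
    return user, role, setype, (level[0] if level else None)

def parse_ls_z(output):
    """Yield (name, context) per entry; prompts and 'Deploying' lines are skipped."""
    for line in output.splitlines():
        m = LS_Z.match(line.strip())
        if m:
            # Drop the symlink target so the key is the deployed file name.
            yield m.group("name").split(" -> ", 1)[0], m.group("context")

def context_drift(output, expected):
    """Return {name: actual_context} for entries that do not match `expected`.

    user:role:type are always compared; the level is compared only when
    `expected` itself carries one.
    """
    want = split_context(expected)
    drift = {}
    for name, ctx in parse_ls_z(output):
        got = split_context(ctx)
        if got[:3] != want[:3] or (want[3] is not None and got[3] != want[3]):
            drift[name] = ctx
    return drift

# Constructed sample output (not taken from the report).
SAMPLE = """\
Deploying /tmp/example-channel/tmp/config.cfg
-rw-r--r--  root root root:object_r:tmp_t              config.cfg
lrwxrwxrwx  root root root:object_r:unconfined_t       config.cfg.ln -> /tmp/config.cfg
-rw-r--r--. root root root:object_r:unconfined_t:s0    other.cfg
"""

if __name__ == "__main__":
    # Expected context is the one set on the channel in step 2 of the report.
    for name, ctx in context_drift(SAMPLE, "root:object_r:unconfined_t").items():
        print(f"context drift: {name} has {ctx}")
```

Running the same comparison before 'rhncfg-manager upload-channel' shows whether the client's default context is about to be written back to the server.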

Comment 13 errata-xmlrpc 2011-03-07 09:25:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0323.html

