Bug 644985 - SELinux context cleared from RHEL4 rhncfg-client
SELinux context cleared from RHEL4 rhncfg-client
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Configuration Management (Show other bugs)
540
All Linux
high Severity medium
: ---
: ---
Assigned To: Lukas Zapletal
Jiri Kastner
:
Depends On:
Blocks: sat54-errata
  Show dependency treegraph
 
Reported: 2010-10-20 13:38 EDT by Partha Aji
Modified: 2011-03-07 04:23 EST (History)
6 users (show)

See Also:
Fixed In Version: spacewalk-backend-1.2.13-17 rhncfg-5.9.27-6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 643157
Environment:
Last Closed: 2011-03-07 04:23:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 1 Tomas Lestach 2010-10-21 02:52:46 EDT
Assigning to Partha, since he worked on the original BZ and is already familiar with the problem.
Comment 5 Lukas Zapletal 2010-11-26 03:58:19 EST
This is clone of a bug, the report is by pnovotny:

SELinux context is *not* ignored when you upload the conf. channel back onto server.

What is the problem:
1. create config channel with 1 file and 1 symlink, set the SELinux context to
'root:object_r:unconfined_t' 
2. download the channel to client machine with 'rhncfg-manager download-channel
...' -> it has different SELinux context on client's FS than specified in WebUI
- this is ok, it is correctly ignored
3. upload it back with 'rhncfg-manager upload-channel ...' and check the file
detail in WebUI -> you find out that field "SELinux context" is empty now!! It
should contain original value 'root:object_r:unconfined_t'!

How to reproduce it:

[root@dell-xxx-01 tmp]# rhncfg-client elist
Mode          Owner Group          Size Rev        Config Channel    File
-rw-r--r--     root root             39   5      conf-channel-001   
/tmp/config.cfg
                                     *0   2      conf-channel-001   
/tmp/config.cfg.ln -> /tmp/config.cfg

[root@dell-xxx-01 tmp]# rhncfg-manager download-channel conf-channel-001 -t
/tmp/
Deploying /tmp/config.cfg -> /tmp/conf-channel-001/tmp/config.cfg
Deploying /tmp/config.cfg.ln -> /tmp/conf-channel-001/tmp/config.cfg.ln

[root@dell-xxx-01 tmp]# ll -Z conf-channel-001/tmp/
-rw-r--r--  root     root     root:object_r:tmp_t              config.cfg
lrwxrwxrwx  root     root     root:object_r:tmp_t              config.cfg.ln ->
/tmp/config.cfg

[root@dell-xxx-01 tmp]# rhncfg-manager upload-channel conf-channel-001 -t
/tmp/
Using config channel conf-channel-001
Uploading /tmp/config.cfg from /tmp/conf-channel-001/tmp/config.cfg
Uploading /tmp/config.cfg.ln from /tmp/conf-channel-001/tmp/config.cfg.ln
Comment 6 Lukas Zapletal 2010-11-26 05:27:59 EST
The problem has two sides:

a) rhel4 client

When the client receives a config file with selinux it ignores this flag. During pushing new version of this flag it sends empty string in it.

b) backend server:

Upon reception the server search for rhnFileInfo record (permissions, settings, selinux context) but since the rhel4 client sent empty context it does not find any and create a new one. The file version is bumped then with the new file information containing empty selinux.

My suggested solution is:

a) Modify the client code not to send empty string if selinux is not supported by the client (e.g. rhel4)

b) Modify the server code:
- if there is no selinux incoming
 - search for previous version of the incoming file
 - get the last selinux
 - proceed with this selinux flag set
Comment 7 Lukas Zapletal 2010-11-26 05:43:04 EST
After some discussion with Jan P. I am extending the client statement to:

a) Modify the client code not to send empty string if selinux is not supported
by the client (e.g. rhel4) or disabled (e.g. on rhel5/6)
Comment 8 Lukas Zapletal 2010-12-01 08:51:25 EST
commit 86e5dc777e94dcb724217cb8edd273a4adabe395
Author: Lukas Zapletal <lzap+git@redhat.com>
Date:   Fri Nov 26 09:58:45 2010 +0100

    644985 - SELinux context cleared from RHEL4 rhncfg-client
    
    Tested on RHEL4 and also RHEL5/6 with disabled SELinux
    
    (cherry picked from commit 274465b3a0872ff3d69cf36c1428fbd86bf269e7)

Fixed in: spacewalk-backend-1.2.13-17 rhncfg-5.9.27-5
Comment 10 Jiri Kastner 2011-01-20 06:35:48 EST
selinux context not cleared, when uploaded configuration file from RHEL4
Comment 11 errata-xmlrpc 2011-03-07 04:23:26 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0323.html

Note You need to log in before you can comment on or make changes to this bug.