Bug 644985 - SELinux context cleared from RHEL4 rhncfg-client
SELinux context cleared from RHEL4 rhncfg-client
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Configuration Management (Show other bugs)
All Linux
high Severity medium
: ---
: ---
Assigned To: Lukas Zapletal
Jiri Kastner
Depends On:
Blocks: sat54-errata
  Show dependency treegraph
Reported: 2010-10-20 13:38 EDT by Partha Aji
Modified: 2011-03-07 04:23 EST (History)
6 users (show)

See Also:
Fixed In Version: spacewalk-backend-1.2.13-17 rhncfg-5.9.27-6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 643157
Last Closed: 2011-03-07 04:23:26 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Comment 1 Tomas Lestach 2010-10-21 02:52:46 EDT
Assigning to Partha, since he worked on the original BZ and is already familiar with the problem.
Comment 5 Lukas Zapletal 2010-11-26 03:58:19 EST
This is clone of a bug, the report is by pnovotny:

SELinux context is *not* ignored when you upload the conf. channel back onto server.

What is the problem:
1. create config channel with 1 file and 1 symlink, set the SELinux context to
2. download the channel to client machine with 'rhncfg-manager download-channel
...' -> it has different SELinux context on client's FS than specified in WebUI
- this is ok, it is correctly ignored
3. upload it back with 'rhncfg-manager upload-channel ...' and check the file
detail in WebUI -> you find out that field "SELinux context" is empty now!! It
should contain original value 'root:object_r:unconfined_t'!

How to reproduce it:

[root@dell-xxx-01 tmp]# rhncfg-client elist
Mode          Owner Group          Size Rev        Config Channel    File
-rw-r--r--     root root             39   5      conf-channel-001   
                                     *0   2      conf-channel-001   
/tmp/config.cfg.ln -> /tmp/config.cfg

[root@dell-xxx-01 tmp]# rhncfg-manager download-channel conf-channel-001 -t
Deploying /tmp/config.cfg -> /tmp/conf-channel-001/tmp/config.cfg
Deploying /tmp/config.cfg.ln -> /tmp/conf-channel-001/tmp/config.cfg.ln

[root@dell-xxx-01 tmp]# ll -Z conf-channel-001/tmp/
-rw-r--r--  root     root     root:object_r:tmp_t              config.cfg
lrwxrwxrwx  root     root     root:object_r:tmp_t              config.cfg.ln ->

[root@dell-xxx-01 tmp]# rhncfg-manager upload-channel conf-channel-001 -t
Using config channel conf-channel-001
Uploading /tmp/config.cfg from /tmp/conf-channel-001/tmp/config.cfg
Uploading /tmp/config.cfg.ln from /tmp/conf-channel-001/tmp/config.cfg.ln
Comment 6 Lukas Zapletal 2010-11-26 05:27:59 EST
The problem has two sides:

a) rhel4 client

When the client receives a config file with selinux it ignores this flag. During pushing new version of this flag it sends empty string in it.

b) backend server:

Upon reception the server search for rhnFileInfo record (permissions, settings, selinux context) but since the rhel4 client sent empty context it does not find any and create a new one. The file version is bumped then with the new file information containing empty selinux.

My suggested solution is:

a) Modify the client code not to send empty string if selinux is not supported by the client (e.g. rhel4)

b) Modify the server code:
- if there is no selinux incoming
 - search for previous version of the incoming file
 - get the last selinux
 - proceed with this selinux flag set
Comment 7 Lukas Zapletal 2010-11-26 05:43:04 EST
After some discussion with Jan P. I am extending the client statement to:

a) Modify the client code not to send empty string if selinux is not supported
by the client (e.g. rhel4) or disabled (e.g. on rhel5/6)
Comment 8 Lukas Zapletal 2010-12-01 08:51:25 EST
commit 86e5dc777e94dcb724217cb8edd273a4adabe395
Author: Lukas Zapletal <lzap+git@redhat.com>
Date:   Fri Nov 26 09:58:45 2010 +0100

    644985 - SELinux context cleared from RHEL4 rhncfg-client
    Tested on RHEL4 and also RHEL5/6 with disabled SELinux
    (cherry picked from commit 274465b3a0872ff3d69cf36c1428fbd86bf269e7)

Fixed in: spacewalk-backend-1.2.13-17 rhncfg-5.9.27-5
Comment 10 Jiri Kastner 2011-01-20 06:35:48 EST
selinux context not cleared, when uploaded configuration file from RHEL4
Comment 11 errata-xmlrpc 2011-03-07 04:23:26 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.