Bug 673112

Summary: Multiple jabberd_t - related denials
Product: Red Hat Enterprise Linux 6
Reporter: Milan Zázrivec <mzazrivec>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.1
CC: dwalsh, jpazdziora, ksrot, mgrepl, slukasik
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.7.19-69.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 11:57:28 UTC
Attachments: grep denied /var/log/audit/audit.log

Description Milan Zázrivec 2011-01-27 13:29:13 UTC
Created attachment 475605
grep denied /var/log/audit/audit.log

Description of problem:
jabberd (from EPEL), when set up to work with Spacewalk and osa-dispatcher
on the latest RHEL-6 system, produces multiple SELinux jabberd_t-related
denials.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-67.el6 / jabberd-2.2.11-3.el6

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL-6.1 + Spacewalk 1.3
2. Register a client to your Spacewalk, have osad running on it, use it
3. On the Spacewalk machine:
    grep denied /var/log/audit/audit.log
  
Actual results:
Multiple SELinux denials, see attachment.

Expected results:
No denials, jabberd is working as expected.

Additional info:
In RHEL-5, we (as in Spacewalk) used to maintain and ship our own jabber
policy module. Since RHEL-6 (and certain version of Fedora), the jabber
policy module is contained in selinux-policy.

A rigorous fix for the problem should land in selinux-policy.

Comment 2 Miroslav Grepl 2011-01-27 14:06:34 UTC
Milane,
how is c2s labeled?

# ls -lZ `which c2s`

# matchpathcon `which c2s`

Comment 3 Milan Zázrivec 2011-01-27 14:59:56 UTC
(In reply to comment #2)
> Milane,
> how is c2s labeled?
> 
> # ls -lZ `which c2s`

# ls -lZ `which c2s`
-rwxr-xr-x. root root system_u:object_r:jabberd_exec_t:s0 /usr/bin/c2s

> # matchpathcon `which c2s`

# matchpathcon `which c2s`
/usr/bin/c2s    system_u:object_r:jabberd_exec_t:s0

Comment 4 Miroslav Grepl 2011-01-27 15:09:28 UTC
This is wrong. Is it a new installation?

Comment 5 Milan Zázrivec 2011-01-27 15:13:59 UTC
This was a RHEL-6.0 installation, Spacewalk 1.3 installed on it, yum upgrade
to latest RHEL-6.1 nightly.

Comment 7 Milan Zázrivec 2011-01-27 15:25:23 UTC
Correcting the component.

Comment 8 Daniel Walsh 2011-01-27 15:32:24 UTC
 grep c2s policy-F13.patch 
+/usr/bin/c2s            --      gen_context(system_u:object_r:jabberd_router_exec_t,s0)


Looks like RHEL6.1 policy should have this labeled jabberd_router_exec_t?

Are you sure you have the updated 6.1 policy?

Comment 9 Miroslav Grepl 2011-01-27 15:36:27 UTC
Yes,
RHEL6 definitely has a new jabberd policy.

Comment 10 Milan Zázrivec 2011-01-27 15:55:49 UTC
I had stock RHEL-6.0 installed, Spacewalk 1.3 installed and then upgraded
to latest RHEL-6.1 (including the latest selinux-policy).

The problem here (I think) is that the updated policy base module loading
failed during the package upgrade:

1:selinux-policy         ########################################### [ 50%]
2:selinux-policy-targeted########################################### [100%]
libsepol.scope_copy_callback: oracle-nofcontext: Duplicate declaration in module: type/attribute oracle_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

and currently I still see:

# grep c2s  /etc/selinux/targeted/contexts/files/file_contexts
/usr/bin/c2s    --      system_u:object_r:jabberd_exec_t:s0

Spacewalk comes with its own oracle selinux policy module, which already
defined oracle_port_t type.
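
The failure described in comment 10 can be turned into a post-upgrade check. This is an added example, not code from the bug report or from selinux-policy; the function names and temporary sample files are assumptions, the sample input is the output quoted in comment 10, and the expected type is the one named in comment 8.

```shell
#!/bin/sh
# Added example: post-upgrade check for the failure described in comment 10.
# Function names and the temporary sample files are assumptions of this sketch.

# Print "<module> <type>" for each duplicate-declaration error in a transcript.
find_duplicate_decls() {
    sed -n 's|^libsepol\.scope_copy_callback: \([^:]*\): Duplicate declaration in module: type/attribute \([A-Za-z0-9_]*\).*|\1 \2|p' "$1"
}

# Exit 0 if the transcript shows that the policy rebuild failed.
policy_load_failed() {
    grep -Eq '^semodule: +Failed!|semanage_link_sandbox: Link packages failed' "$1"
}

# Print the SELinux type file_contexts assigns to a path ($1 = file, $2 = path).
# Exact string match only; real entries are regular expressions.
fcontext_type() {
    awk -v p="$2" '$1 == p { split($NF, c, ":"); print c[3]; exit }' "$1"
}

# $1 = transcript, $2 = file_contexts, $3 = path, $4 = type the new policy ships.
check_upgrade() {
    status=0
    if policy_load_failed "$1"; then
        echo "policy rebuild failed; conflicting declarations (module type):"
        find_duplicate_decls "$1" | sed 's/^/  /'
        status=1
    fi
    actual=$(fcontext_type "$2" "$3")
    if [ "$actual" != "$4" ]; then
        echo "$3: file_contexts has ${actual:-no entry}, new policy expects $4"
        status=1
    fi
    return "$status"
}

# Sample input: the upgrade output and file_contexts line quoted in comment 10.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG=$SAMPLE_DIR/upgrade.log
SAMPLE_FC=$SAMPLE_DIR/file_contexts
cat > "$SAMPLE_LOG" <<'EOF'
libsepol.scope_copy_callback: oracle-nofcontext: Duplicate declaration in module: type/attribute oracle_port_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
EOF
printf '/usr/bin/c2s\t--\tsystem_u:object_r:jabberd_exec_t:s0\n' > "$SAMPLE_FC"

check_upgrade "$SAMPLE_LOG" "$SAMPLE_FC" /usr/bin/c2s jabberd_router_exec_t ||
    echo "=> the installed policy package is newer than the policy in use"
```

On a live system the transcript would be the captured yum or rpm output and the second argument would be /etc/selinux/targeted/contexts/files/file_contexts.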

Comment 11 Daniel Walsh 2011-01-27 16:16:35 UTC
Yes, I was talking with adelton yesterday about this very issue.  Miroslav, did you read the discussion?  I think we are going to have to rename our port to oracledb_port_t for the time being.

Comment 12 Jan Pazdziora (Red Hat) 2011-01-28 08:25:26 UTC
(In reply to comment #10)
> I had stock RHEL-6.0 installed, Spacewalk 1.3 installed and then upgraded
> to latest RHEL-6.1 (including the latest selinux-policy).
> 
> The problem here (I think) is that the updated policy base module loading
> failed during the package upgrade:
> 
> 1:selinux-policy         ########################################### [ 50%]
> 2:selinux-policy-targeted########################################### [100%]
> libsepol.scope_copy_callback: oracle-nofcontext: Duplicate declaration in
> module: type/attribute oracle_port_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file or
> directory).
> semodule:  Failed!

Heya Milan,

please try to install RHEL 6.1 selinux-policy-targeted before installing Spacewalk, and then install oracle-nofcontext-selinux from https://koji.spacewalkproject.org/koji/buildinfo?buildID=20959. It addresses the oracle_port_t issue.

Comment 13 Miroslav Grepl 2011-02-07 15:41:04 UTC
Fixed in selinux-policy-3.7.19-69.el6

Comment 15 Šimon Lukašík 2011-02-22 10:08:34 UTC
Note: Spacewalk-nightly installation test has been changed to remove
jabberd-selinux-workaround when selinux-policy is equal to or newer
than 3.7.19-69.el6

http://cvs.devel.redhat.com/cgi-bin/cvsweb.cgi/tests/RHN-Satellite/rhn-satellite-install.sh.diff?r1=1.269;r2=1.272;f=h

Comment 19 errata-xmlrpc 2011-05-19 11:57:28 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html