Bug 1003012
Summary: | in.ntalkd runs as init_t when ntalk.socket is active | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | dwalsh, mgrepl |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-77.el7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-06-13 10:00:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1004161 |
Description
Milos Malik
2013-08-30 13:32:31 UTC
The same problem appears when following daemons are executed by systemd: * /usr/sbin/in.rexecd * /usr/sbin/in.rlogind The list of daemons executed by systemd and running as init_t: * /usr/sbin/in.rexecd * /usr/sbin/in.rlogind * /usr/sbin/in.telnetd * /usr/sbin/in.authd Following services can be executed by systemd when a TCP connection is established to their port: # pwd /usr/lib/systemd/system # grep -i -e "listenstream=[0-9]" -e "listendatagram=[0-9]" *.socket amanda.socket:ListenStream=10080 amanda-udp.socket:ListenDatagram=10080 auth.socket:ListenStream=113 btimed.socket:ListenDatagram=23456 cups-lpd.socket:ListenStream=515 cvs.socket:ListenStream=2401 dovecot.socket:ListenStream=0.0.0.0:143 dovecot.socket:ListenStream=0.0.0.0:993 eklogin.socket:ListenStream=2105 ekrb5-telnet.socket:ListenStream=23 ekshell.socket:ListenStream=544 finger.socket:ListenStream=79 git.socket:ListenStream=9418 gssftp.socket:ListenStream=21 klogin.socket:ListenStream=543 krb5-telnet.socket:ListenStream=23 kshell.socket:ListenStream=544 ntalk.socket:ListenDatagram=0.0.0.0:518 qarshd.socket:ListenStream=5008 rexec.socket:ListenStream=512 rlogin.socket:ListenStream=513 rsh.socket:ListenStream=514 rsyncd.socket:ListenStream=873 sshd.socket:ListenStream=22 systemd-journal-gatewayd.socket:ListenStream=19531 telnet.socket:ListenStream=23 tftp.socket:ListenDatagram=69 # Manual tests (see Steps to Reproduce in comment#0), which I did on a fresh RHEL-7 machine provided by beaker, showed that only following services run under correct SELinux context: dovecot.socket finger.socket gssftp.socket qarshd.socket sshd.socket tftp.socket # ls -Z /usr/lib/systemd/system/ntalk* -rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/ntalk.service -rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/ntalk.socket so we don't have support for these unit files. Could you check labels also for others where you see it does not work. I don't think the problem is caused by incorrect labelling of unit files because amanda and cups-lpd run as init_t even if their unit files are labelled correctly. On the other hand dovecot and finger daemons run under correct context even if their unit files are not labelled correctly. -rw-r--r--. root root system_u:object_r:amanda_unit_file_t:s0 amanda.socket -rw-r--r--. root root system_u:object_r:cupsd_unit_file_t:s0 cups-lpd.socket -rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 dovecot.socket -rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 finger.socket Yes, I probably see also another bug related to this issue. I am investigating it. Ok, I was able to fix it for talk-server. # nc --udp 127.0.0.1 518test test $ ps -eZ |grep ktalk system_u:system_r:ktalkd_t:s0 14721 ? 00:00:00 in.ntalkd $ ps -eZ |grep init system_u:system_r:init_t:s0 1 ? 00:00:16 systemd commit 7551ae747a485e95e965a05ba9bd3866b58205aa Author: Miroslav Grepl <mgrepl> Date: Mon Sep 2 15:15:42 2013 +0200 Make ktalk as init domain diff --git a/ktalk.te b/ktalk.te index 8da4d5d..1166856 100644 --- a/ktalk.te +++ b/ktalk.te @@ -7,6 +7,7 @@ policy_module(ktalk, 1.8.1) type ktalkd_t; type ktalkd_exec_t; +init_daemon_domain(ktalkd_t, ktalkd_exec_t) inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) Adding fixes for others. 6804babd35f27f71fb799be631e6bd2119e889ab fixes this in git. bed107b183700a0277093de44e59f041dc146408 fixes this in git. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |