Bug 1003012

The same problem appears when following daemons are executed by systemd:
 * /usr/sbin/in.rexecd
 * /usr/sbin/in.rlogind

The list of daemons executed by systemd and running as init_t:
 * /usr/sbin/in.rexecd
 * /usr/sbin/in.rlogind
 * /usr/sbin/in.telnetd
 * /usr/sbin/in.authd

Following services can be executed by systemd when a TCP connection is established to their port:

# pwd
/usr/lib/systemd/system
# grep -i -e "listenstream=[0-9]" -e "listendatagram=[0-9]" *.socket
amanda.socket:ListenStream=10080
amanda-udp.socket:ListenDatagram=10080
auth.socket:ListenStream=113
btimed.socket:ListenDatagram=23456
cups-lpd.socket:ListenStream=515
cvs.socket:ListenStream=2401
dovecot.socket:ListenStream=0.0.0.0:143
dovecot.socket:ListenStream=0.0.0.0:993
eklogin.socket:ListenStream=2105
ekrb5-telnet.socket:ListenStream=23
ekshell.socket:ListenStream=544
finger.socket:ListenStream=79
git.socket:ListenStream=9418
gssftp.socket:ListenStream=21
klogin.socket:ListenStream=543
krb5-telnet.socket:ListenStream=23
kshell.socket:ListenStream=544
ntalk.socket:ListenDatagram=0.0.0.0:518
qarshd.socket:ListenStream=5008
rexec.socket:ListenStream=512
rlogin.socket:ListenStream=513
rsh.socket:ListenStream=514
rsyncd.socket:ListenStream=873
sshd.socket:ListenStream=22
systemd-journal-gatewayd.socket:ListenStream=19531
telnet.socket:ListenStream=23
tftp.socket:ListenDatagram=69
#

Manual tests (see Steps to Reproduce in comment#0), which I did on a fresh RHEL-7 machine provided by beaker, showed that only following services run under correct SELinux context:
dovecot.socket
finger.socket
gssftp.socket
qarshd.socket
sshd.socket
tftp.socket

# ls -Z /usr/lib/systemd/system/ntalk*
-rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/ntalk.service
-rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/ntalk.socket

so we don't have support for these unit files. Could you check labels also for others where you see it does not work.

I don't think the problem is caused by incorrect labelling of unit files because amanda and cups-lpd run as init_t even if their unit files are labelled correctly. On the other hand dovecot and finger daemons run under correct context even if their unit files are not labelled correctly.

-rw-r--r--. root root system_u:object_r:amanda_unit_file_t:s0 amanda.socket
-rw-r--r--. root root system_u:object_r:cupsd_unit_file_t:s0 cups-lpd.socket
-rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 dovecot.socket
-rw-r--r--. root root system_u:object_r:systemd_unit_file_t:s0 finger.socket

Yes, I probably see also another bug related to this issue. I am investigating it.

Ok, I was able to fix it for talk-server.

# nc --udp 127.0.0.1 518test
test

$ ps -eZ |grep ktalk
system_u:system_r:ktalkd_t:s0   14721 ?        00:00:00 in.ntalkd

$ ps -eZ |grep init
system_u:system_r:init_t:s0         1 ?        00:00:16 systemd


commit 7551ae747a485e95e965a05ba9bd3866b58205aa
Author: Miroslav Grepl <mgrepl>
Date:   Mon Sep 2 15:15:42 2013 +0200

    Make ktalk as init domain

diff --git a/ktalk.te b/ktalk.te
index 8da4d5d..1166856 100644
--- a/ktalk.te
+++ b/ktalk.te
@@ -7,6 +7,7 @@ policy_module(ktalk, 1.8.1)
 
 type ktalkd_t;
 type ktalkd_exec_t;
+init_daemon_domain(ktalkd_t, ktalkd_exec_t)
 inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)

Adding fixes for others.

6804babd35f27f71fb799be631e6bd2119e889ab fixes this in git.

bed107b183700a0277093de44e59f041dc146408 fixes this in git.

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.