Bug 1004279

Summary: kshd runs as init_t when kshell.socket is active
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: dwalsh, mgrepl, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-76.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:50:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1004161    

Description Milos Malik 2013-09-04 10:26:53 UTC 
Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-73.el7.noarch
selinux-policy-devel-3.12.1-73.el7.noarch
selinux-policy-doc-3.12.1-73.el7.noarch
selinux-policy-minimum-3.12.1-73.el7.noarch
selinux-policy-mls-3.12.1-73.el7.noarch
selinux-policy-targeted-3.12.1-73.el7.noarch
krb5-appl-servers-1.0.3-7.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# systemctl enable kshell.socket
ln -s '/usr/lib/systemd/system/kshell.socket' '/etc/systemd/system/sockets.target.wants/kshell.socket'
# systemctl start kshell.socket
# systemctl status kshell.socket
kshell.socket - Kerberos-aware Rshell Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/kshell.socket; enabled)
   Active: active (listening) since Wed 2013-09-04 12:22:40 CEST; 11s ago
   Listen: [::]:544 (Stream)
 Accepted: 0; Connected: 0

Sep 04 12:22:40 rhel70 systemd[1]: Starting Kerberos-aware Rshell Server Ac...t.
Sep 04 12:22:40 rhel70 systemd[1]: Listening on Kerberos-aware Rshell Serve...t.
# nc -v 127.0.0.1 544
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 127.0.0.1:544.
^Z
[1]+  Stopped                 nc -v 127.0.0.1 544
# ps -efZ | grep kshd
system_u:system_r:init_t:s0     root     22014     1  0 12:23 ?        00:00:00 /usr/kerberos/sbin/kshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 22016 24725  0 12:23 pts/0 00:00:00 grep --color=auto kshd
# fg
nc -v 127.0.0.1 544
^C
# 

Actual results:
 * kshd process is not labelled correctly

Expected results:
 * kshd process is labelled correctly
Comment 1 Milos Malik 2013-09-04 11:48:58 UTC 
This bug talks about the kerberized version of rshell server.

# matchpathcon /usr/kerberos/sbin/kshd 
/usr/kerberos/sbin/kshd	system_u:object_r:rshd_exec_t:s0
# rpm -qf /usr/kerberos/sbin/kshd 
krb5-appl-servers-1.0.3-7.el7.x86_64
# 

I believe that the fix will also solve the same problem of the original rshell server, because the files are labelled similarly.

# matchpathcon /usr/sbin/in.rshd 
/usr/sbin/in.rshd	system_u:object_r:rshd_exec_t:s0
# rpm -qf /usr/sbin/in.rshd 
rsh-server-0.17-73.el7.x86_64
#
Comment 2 Daniel Walsh 2013-09-04 12:53:44 UTC 
All of these bugs look related, and we need to make sure there is not a labelling issue.
Comment 3 Milos Malik 2013-09-04 12:55:25 UTC 
# ls -Z /usr/kerberos/sbin/kshd 
-rwxr-xr-x. root root system_u:object_r:rshd_exec_t:s0 /usr/kerberos/sbin/ksh
#
Comment 4 Miroslav Grepl 2013-09-04 12:57:08 UTC 
Actually the problem with all these bugs is we miss init domain for these inetd domain.
Comment 6 Ludek Smid 2014-06-13 12:50:53 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.