Bug 1026216

Summary: sfcbd runs as init_t
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.0
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:13:32 UTC
Type: Bug
Bug Depends On: 877026
Bug Blocks: 848829, 1042749

Description Milos Malik 2013-11-04 08:38:10 UTC
Description of problem:


Version-Release number of selected component (if applicable):
sblim-sfcb-1.3.16-7.el7.x86_64
selinux-policy-3.12.1-95.el7.noarch
selinux-policy-devel-3.12.1-95.el7.noarch
selinux-policy-doc-3.12.1-95.el7.noarch
selinux-policy-minimum-3.12.1-95.el7.noarch
selinux-policy-mls-3.12.1-95.el7.noarch
selinux-policy-targeted-3.12.1-95.el7.noarch

How reproducible:
always

Steps to Reproduce:
# service sblim-sfcb status
Redirecting to /bin/systemctl status  sblim-sfcb.service
sblim-sfcb.service - Small Footprint CIM Broker Service
   Loaded: loaded (/usr/lib/systemd/system/sblim-sfcb.service; disabled)
   Active: inactive (dead)

Nov 04 09:35:06 rhel70 sfcbd[16140]: --- localConnectServer ended
Nov 04 09:35:06 rhel70 sfcbd[16140]: --- Stopping adapters
Nov 04 09:35:06 rhel70 sfcbd[16140]: --- HTTP-Daemon terminating 16143
Nov 04 09:35:06 rhel70 sfcbd[16140]: --- Adapters stopped
Nov 04 09:35:06 rhel70 sfcbd[16140]: --- Stopping providers
Nov 04 09:35:06 rhel70 sfcbd[16140]: ---  stopped InternalProvider 16160
Nov 04 09:35:06 rhel70 sfcbd[16140]: ---  stopped InteropProvider 16157
Nov 04 09:35:06 rhel70 sfcbd[16140]: ---  stopped ClassProvider 16144
Nov 04 09:35:06 rhel70 sfcbd[16140]: --- Providers stopped
Nov 04 09:35:06 rhel70 systemd[1]: Stopped Small Footprint CIM Broker Service.
# service sblim-sfcb start
Redirecting to /bin/systemctl start  sblim-sfcb.service
# service sblim-sfcb status
Redirecting to /bin/systemctl status  sblim-sfcb.service
sblim-sfcb.service - Small Footprint CIM Broker Service
   Loaded: loaded (/usr/lib/systemd/system/sblim-sfcb.service; disabled)
   Active: active (running) since Mon 2013-11-04 09:35:16 CET; 2s ago
 Main PID: 16229 (sfcbd)
   CGroup: /system.slice/sblim-sfcb.service
           ├─16229 /usr/sbin/sfcbd
           ├─16230 /usr/sbin/sfcbd
           ├─16232 /usr/sbin/sfcbd
           ├─16233 /usr/sbin/sfcbd
           ├─16235 /usr/sbin/sfcbd
           ├─16238 /usr/sbin/sfcbd
           └─16242 /usr/sbin/sfcbd

Nov 04 09:35:16 rhel70 sfcbd[16229]: --- Collating namespaces for registrat...ry
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- initSocketPairs: 64
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- localConnectServer started
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- Max Http procs: 8
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- sfcbd HTTP Daemon V1.3.16 configur...32
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- sfcbd HTTP Daemon V1.3.16 configur...32
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- Using Basic Authentication
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- Select timeout: 5 seconds
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- Keep-alive timeout: 15 seconds
Nov 04 09:35:16 rhel70 sfcbd[16229]: --- Maximum requests per connection: 10
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep sfcbd
system_u:system_r:init_t:s0     root     16229     1  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16230 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16232 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16233 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16235 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16238 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16242 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16261 16042  0 09:35 pts/0 00:00:00 grep --color=auto sfcbd
#

Actual results:
 * sfcbd runs as init_t

Expected results:
 * sfcbd runs in its own SELinux domain
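As an added example (not part of the bug report or the selinux-policy project), a small POSIX shell check that flags daemons whose SELinux type is init_t, the symptom shown in the `ps -efZ` output above. The sample `ps` lines are constructed from the report, with a PID 1 line and one process in the sblim_sfcbd_t domain (the type the fix introduces) added for contrast.

```shell
#!/bin/sh
# Added example: detect daemons that inherited init_t from systemd instead of
# transitioning into their own SELinux domain, as the report shows for sfcbd.
# Input is `ps -efZ` output: LABEL UID PID PPID C STIME TTY TIME CMD.
# PID 1 (systemd itself) is the only process expected to run as init_t.

# Constructed sample, abbreviated from the report's `ps -efZ | grep sfcbd`.
SAMPLE_PS='system_u:system_r:init_t:s0     root     16229     1  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root     16230 16229  0 09:35 ?        00:00:00 /usr/sbin/sfcbd
system_u:system_r:init_t:s0     root         1     0  0 09:30 ?        00:00:01 /usr/lib/systemd/systemd
system_u:system_r:sblim_sfcbd_t:s0 root   16300     1  0 09:40 ?        00:00:00 /usr/sbin/sfcbd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 16261 16042  0 09:35 pts/0 00:00:00 grep --color=auto sfcbd'

# Read ps -efZ lines on stdin; print "PID CMD" for every process whose
# SELinux type (third field of user:role:type:range) is init_t, except PID 1.
find_init_t_daemons() {
    awk '{
        split($1, ctx, ":")
        if (ctx[3] == "init_t" && $3 != 1) print $3, $9
    }'
}

# Health-check wrapper: succeeds only when no misplaced daemon is found.
init_t_check() {
    hits=$(find_init_t_daemons)
    [ -z "$hits" ]
}

# Stand-alone run against the constructed sample; on a live system use:
#   ps -efZ | init_t_check
printf '%s\n' "$SAMPLE_PS" | find_init_t_daemons
```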

Comment 1 Miroslav Grepl 2013-11-04 10:26:26 UTC
Probably will be a part of sblim policy.

Comment 2 Lukas Vrabec 2013-11-05 15:33:22 UTC
commit 3a0b5c5e947ae195878e453bbeba2e9c55de593c
Author: Lukas Vrabec <lvrabec>
Date:   Tue Nov 5 15:54:37 2013 +0100

    Added more rules to sblim policy

commit ed0b346264645192932409fde539da10508fc8c1
Author: Lukas Vrabec <lvrabec>
Date:   Tue Nov 5 14:18:35 2013 +0100

    Included sfcbd service into sblim policy

Comment 5 Lukas Vrabec 2013-11-07 10:29:44 UTC
commit c0f8384b846084e420dd7a1a87e7ffedf31245e0
Author: Lukas Vrabec <lvrabec>
Date:   Thu Nov 7 11:20:14 2013 +0100

    Rename sblim_tmpfs_t to sblim_sfcb_tmpfs_t and move rules with sblim_sfcb_tmpfs_t to sblim_sfcbd_t subpolicy

commit 4d53299b919baade2df3041e36b277502c1ab5b8
Author: Lukas Vrabec <lvrabec>
Date:   Thu Nov 7 10:14:47 2013 +0100

    Added sblim_tmpfs_t type in sblim policy

Comment 7 Lukas Vrabec 2013-11-22 11:48:28 UTC
commit 4c4d23ac3fec6bbae8ddc7ebc9b105fe40eb993e
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 22 12:46:50 2013 +0100

    Allow sblim_sfcbd_t to read from /dev/random and /dev/urandom

Comment 9 Ludek Smid 2014-06-13 12:13:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.