Bug 1037475

Summary: ipmidetectd runs as init_t
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: mgrepl, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-110.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 12:53:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 877026    
Bug Blocks: 848829, 1042755    

Description Milos Malik 2013-12-03 09:12:40 UTC 
Description of problem:
 * ipmidetectd uses too powerful SELinux domain

Version-Release number of selected component (if applicable):
freeipmi-ipmidetectd-1.2.9-2.el7.x86_64
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch

How reproducible:
always

Steps to Reproduce:
# echo "host 127.0.0.1" >> /etc/freeipmi/ipmidetectd.conf
# service ipmidetectd status
Redirecting to /bin/systemctl status  ipmidetectd.service
ipmidetectd.service - IPMI Node Detection Monitoring Daemon
   Loaded: loaded (/usr/lib/systemd/system/ipmidetectd.service; disabled)
   Active: failed (Result: exit-code) since Tue 2013-12-03 10:07:51 CET; 3min 4s ago
  Process: 14560 ExecStart=/usr/sbin/ipmidetectd (code=exited, status=1/FAILURE)
 Main PID: 14208 (code=exited, status=1/FAILURE)

Dec 03 10:07:51 rhel70 ipmidetectd[14560]: ipmidetectd: No nodes configured
Dec 03 10:07:51 rhel70 systemd[1]: ipmidetectd.service: control process exi...=1
Dec 03 10:07:51 rhel70 systemd[1]: Failed to start IPMI Node Detection Moni...n.
Dec 03 10:07:51 rhel70 systemd[1]: Unit ipmidetectd.service entered failed ...e.
Hint: Some lines were ellipsized, use -l to show in full.
# service ipmidetectd start
Redirecting to /bin/systemctl start  ipmidetectd.service
# service ipmidetectd status
Redirecting to /bin/systemctl status  ipmidetectd.service
ipmidetectd.service - IPMI Node Detection Monitoring Daemon
   Loaded: loaded (/usr/lib/systemd/system/ipmidetectd.service; disabled)
   Active: active (running) since Tue 2013-12-03 10:10:58 CET; 919ms ago
  Process: 14724 ExecStart=/usr/sbin/ipmidetectd (code=exited, status=0/SUCCESS)
 Main PID: 14726 (ipmidetectd)
   CGroup: /system.slice/ipmidetectd.service
           └─14726 /usr/sbin/ipmidetectd

Dec 03 10:10:58 rhel70 systemd[1]: Starting IPMI Node Detection Monitoring .....
Dec 03 10:10:58 rhel70 systemd[1]: Started IPMI Node Detection Monitoring D...n.
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep ipmidetectd
system_u:system_r:init_t:s0     root     14726     1  0 10:10 ?        00:00:00 /usr/sbin/ipmidetectd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 14749 12632  0 10:11 pts/1 00:00:00 grep --color=auto ipmidetectd
#

Actual results:
 * ipmidetectd runs as init_t

Expected results:
 * ipmidetectd runs in its own SELinux domain
Comment 1 Miroslav Grepl 2013-12-10 13:29:45 UTC 
commit dee0ab128c1730828e041645811da995a2929f0b
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 5 17:11:53 2013 +0100

    Add policy for freeipmi services
Comment 4 Miroslav Grepl 2013-12-12 14:00:31 UTC 
subj=system_u:system_r:freeipmi_ipmidetectd_t:s0 key=(null)
type=AVC msg=audit(1386839724.301:912): avc:  denied  { name_bind } for  pid=8622 comm="ipmidetectd" src=9225 scontext=system_u:system_r:freeipmi_ipmidetectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Milos,
is this a default port?
Comment 5 Milos Malik 2013-12-12 15:07:30 UTC 
Excerpt from ipmidetectd.conf man page:

       ipmidetectd_server_port port
              Specify the alternate default port the ipmidetectd server
              should listen for requests off of. Default is 9225.
Comment 6 Miroslav Grepl 2013-12-12 15:14:42 UTC 
Thanks.
Comment 9 Ludek Smid 2014-06-13 12:53:49 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.