Bug 1166537
| Field | Value |
|---|---|
| Summary | virt-who runs as unconfined_service_t |
| Product | Red Hat Enterprise Linux 7 |
| Component | selinux-policy |
| Version | 7.1 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Patrik Kis <pkis> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Milos Malik <mmalik> |
| CC | lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.13.1-11.el7 |
| Doc Type | Bug Fix |
| | 1167201 |
| Last Closed | 2015-03-05 10:47:14 UTC |
| Type | Bug |
| Bug Blocks | 1061797, 1167201 |

Description
Patrik Kis
2014-11-21 08:09:04 UTC

Could you label them as virtd_exec_t? It should work.

```
# chcon -t virtd_exec_t /usr/share/virt-who/virtwho.py
```

(In reply to Miroslav Grepl from comment #1)
> Could you label them as virtd_exec_t? It should work.
>
> # chcon -t virtd_exec_t /usr/share/virt-who/virtwho.py

Does not really help:

```
# ls -Z /usr/share/virt-who/virtwho.py
-rw-r--r--. root root system_u:object_r:usr_t:s0 /usr/share/virt-who/virtwho.py
# ps -efZ |grep -v grep |grep virt-who
system_u:system_r:unconfined_service_t:s0 root 155680 1 0 05:49 ? 00:00:00 /usr/bin/python /usr/share/virt-who/virtwho.py
#
#
# chcon -t virtd_exec_t /usr/share/virt-who/virtwho.py
# ls -Z /usr/share/virt-who/virtwho.py
-rw-r--r--. root root system_u:object_r:virtd_exec_t:s0 /usr/share/virt-who/virtwho.py
# systemctl restart virt-who
# ps -efZ |grep -v grep |grep virt-who
system_u:system_r:unconfined_service_t:s0 root 155799 1 24 05:52 ? 00:00:00 /usr/bin/python /usr/share/virt-who/virtwho.py
```

Yes, because of

```
/usr/bin/python /usr/share/virt-who/virtwho.py
```

They will need to add a helper script which will run it. Then we can label this helper script to make it working.

Patrick,
I meant

```
chcon -t virtd_exec_t /usr/bin/virt-who
```

(In reply to Miroslav Grepl from comment #4)
> Patrick,
> I meant
>
> chcon -t virtd_exec_t /usr/bin/virt-who

```
# chcon -t virtd_exec_t /usr/bin/virt-who
# ls -Z /usr/share/virt-who/virtwho.py /usr/bin/virt-who
-rwxr-xr-x. root root system_u:object_r:virtd_exec_t:s0 /usr/bin/virt-who
-rw-r--r--. root root system_u:object_r:usr_t:s0 /usr/share/virt-who/virtwho.py
# systemctl restart virt-who
# ps -efZ |grep -v grep |grep virt-who
system_u:system_r:virtd_t:s0-s0:c0.c1023 root 36812 1 8 04:58 ? 00:00:00 /usr/bin/python /usr/share/virt-who/virtwho.py
```

```
commit c473d3c66aef2bd32ff980ddbbe7edefae5fcc86
Author: Miroslav Grepl <mgrepl>
Date:   Mon Nov 24 10:47:15 2014 +0100

    label virt-who as virtd_exec_t.
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
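
The check used throughout this thread, generalized into an audit that flags every daemon left in `unconfined_service_t` and marks interpreter-launched ones, where labeling the script argument has no effect. This is an added example, not part of the bug report or of selinux-policy; the function names, the `fix=` hints, the interpreter list and the PID 4242 sample line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit `ps -efZ` output for services that escaped confinement.

# Reads `ps -efZ` lines on stdin and prints one line per process whose
# SELinux type is unconfined_service_t: "<pid> <exe> [script=<arg>] fix=<hint>".
find_unconfined_services() {
    awk '
    {
        # Field 1 is the context user:role:type:level; the type is part 3.
        # The header line has no colons, so it is skipped here as well.
        split($1, ctx, ":")
        if (ctx[3] != "unconfined_service_t") next
        pid = $3; exe = $9; arg = $10
        # Interpreter-launched daemon: the domain transition depends on the
        # label of the file that was executed, not on the script argument,
        # so the label must go on the entrypoint the init system starts.
        if (exe ~ /\/(python[0-9.]*|perl|ruby|bash|sh)$/ && arg != "")
            printf "%s %s script=%s fix=label-entrypoint\n", pid, exe, arg
        else
            printf "%s %s fix=label-executable\n", pid, exe
    }'
}

# Sample input: the first and third process lines are taken from the
# thread; the header and the PID 4242 line are constructed.
sample_ps_output() {
    cat <<'EOF'
LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:unconfined_service_t:s0 root 155680 1 0 05:49 ? 00:00:00 /usr/bin/python /usr/share/virt-who/virtwho.py
system_u:system_r:unconfined_service_t:s0 root 4242 1 0 09:00 ? 00:00:00 /opt/example/exampled --foreground
system_u:system_r:virtd_t:s0-s0:c0.c1023 root 36812 1 8 04:58 ? 00:00:00 /usr/bin/python /usr/share/virt-who/virtwho.py
EOF
}

sample_ps_output | find_unconfined_services
```

On a live host, feed it real data with `ps -efZ | find_unconfined_services`; an empty result means no process is running in `unconfined_service_t`.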