Bug 1212324
| Summary: | sanlk-resetd runs as unconfined_service_t | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> | |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 7.1 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde | |
| Target Milestone: | rc | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.13.1-69.el7 | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1255307 (view as bug list) | Environment: | ||
| Last Closed: | 2016-11-04 02:18:27 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1255307 | |||
Does it come from the base installation? # rpm -qf /usr/sbin/sanlk-resetd sanlk-reset-3.2.2-2.el7.x86_64 # repoquery -qi sanlk-reset Name : sanlk-reset Version : 3.2.2 Release : 2.el7 Architecture: x86_64 Size : 46119 Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Group : System Environment/Base URL : https://fedorahosted.org/sanlock/ Repository : RHEL-7.1-Server-Optional Summary : Host reset daemon and client using sanlock Source : sanlock-3.2.2-2.el7.src.rpm Description : The sanlk-reset package contains the reset daemon and client. A cooperating host running the daemon can be reset by a host running the client, so long as both maintain access to a common sanlock lockspace. # Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2283.html |
Description of problem: * sanlk-resetd is not yet confined Version-Release number of selected component (if applicable): sanlk-reset-3.2.2-2.el7.x86_64 sanlock-3.2.2-2.el7.x86_64 sanlock-lib-3.2.2-2.el7.x86_64 sanlock-python-3.2.2-2.el7.x86_64 selinux-policy-3.13.1-24.el7.noarch selinux-policy-devel-3.13.1-24.el7.noarch selinux-policy-doc-3.13.1-24.el7.noarch selinux-policy-minimum-3.13.1-24.el7.noarch selinux-policy-mls-3.13.1-24.el7.noarch selinux-policy-sandbox-3.13.1-24.el7.noarch selinux-policy-targeted-3.13.1-24.el7.noarch How reproducible: always Steps to Reproduce: # ps -efZ | grep reset unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3228 1900 0 09:35 pts/0 00:00:00 grep --color=auto reset # service sanlk-resetd start Redirecting to /bin/systemctl start sanlk-resetd.service # ps -efZ | grep reset system_u:system_r:unconfined_service_t:s0 root 3247 1 0 09:35 ? 00:00:00 /usr/sbin/sanlk-resetd unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3251 1900 0 09:35 pts/0 00:00:00 grep --color=auto reset # service sanlk-resetd status Redirecting to /bin/systemctl status sanlk-resetd.service sanlk-resetd.service - daemon for host reset Loaded: loaded (/usr/lib/systemd/system/sanlk-resetd.service; disabled) Active: active (running) since Thu 2015-04-16 09:35:13 CEST; 34s ago Process: 3246 ExecStart=/usr/sbin/sanlk-resetd (code=exited, status=0/SUCCESS) Main PID: 3247 (sanlk-resetd) CGroup: /system.slice/sanlk-resetd.service └─3247 /usr/sbin/sanlk-resetd Apr 16 09:35:13 rhel71.localdomain systemd[1]: Started daemon for host reset. Apr 16 09:35:13 rhel71.localdomain sanlk-resetd[3247]: sanlk-resetd 3.2.2 sta... Hint: Some lines were ellipsized, use -l to show in full. # Actual results: * sanlk-resetd runs as unconfined_service_t Expected results: * sanlk-resetd runs in a dedicated domain