Bug 1574658

Summary: [daemon rename] pacemaker-remote package: /usr/sbin/pacemaker_remoted -> /usr/sbin/pacemaker-remoted
Product: [Fedora] Fedora
Reporter: Jan Pokorný [poki] <jpokorny>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: dwalsh, kgaillot, lvrabec, mgrepl, plautrba, pmoore
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.2-34.fc29
Last Closed: 2018-09-12 02:58:38 UTC
Type: Bug
Bug Blocks: 1575082

Description Jan Pokorný [poki] 2018-05-03 19:03:04 UTC
As of pacemaker-2.0.0-0.1.rc3.fc29, there is now a daemon binary
renamed and that causes this change in the run-time (process-based)
context:

-system_u:system_r:cluster_t:s0
+system_u:system_r:unconfined_service_t:s0

It is anticipated this may be harmful though no malfunction nor AVC
was observed with a super-shallow test run.


File-based changes:

* before:

  - /usr/sbin/pacemaker_remoted
    . immediate binary executable
    . system_u:object_r:cluster_exec_t:s0

* after:

  - /usr/sbin/pacemaker_remoted
    . compatibility symlink to pacemaker-remoted
    . system_u:object_r:bin_t:s0
      (so it looks like file type regular/symlink
       matters wrt. auto-labelling)

  - /usr/sbin/pacemaker-remoted
    . immediate binary executable
    . system_u:object_r:bin_t:s0


What we expect:

  - if "pacemaker remote service" is launched from either location,
    it should run as system_u:system_r:cluster_t:s0 once again


From Fedora perspective, it's enough to have this addressed
in time for F29.

Please let me know if any further clarification is needed.
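
Added example (not part of the bug report and not selinux-policy code): a small Python model of file-context matching that reproduces the label change described above and the resulting process domain. The policy entries, the "later entry wins" precedence and the extra entry for the new name are assumptions constructed for illustration.

```python
import re
import stat

REG, LNK = stat.S_IFREG, stat.S_IFLNK
# Constructed file_contexts-style entries: (anchored path regex, file-type flag, context).
# They model the labels reported in the bug and are not copied from selinux-policy.
BIN = "system_u:object_r:bin_t:s0"
CLUSTER_EXEC = "system_u:object_r:cluster_exec_t:s0"
POLICY_OLD = [
    (r"/usr/sbin(/.*)?", None, BIN),
    (r"/usr/sbin/pacemaker_remoted", "--", CLUSTER_EXEC),
]
# Hypothetical extra entry covering the renamed binary.
POLICY_NEW = POLICY_OLD + [(r"/usr/sbin/pacemaker-remoted", "--", CLUSTER_EXEC)]

FLAG_MODE = {"--": REG, "-l": LNK}

# Constructed layouts: path -> (file type, symlink target or None).
BEFORE = {"/usr/sbin/pacemaker_remoted": (REG, None)}
AFTER = {
    "/usr/sbin/pacemaker_remoted": (LNK, "/usr/sbin/pacemaker-remoted"),
    "/usr/sbin/pacemaker-remoted": (REG, None),
}


def file_label(policy, path, mode):
    """Context of the last entry whose regex and file-type flag both match
    (simplified precedence: later entries win)."""
    label = None
    for pattern, flag, context in policy:
        if flag is not None and FLAG_MODE[flag] != mode:
            continue  # a "--" entry never applies to a symlink
        if re.fullmatch(pattern, path):
            label = context
    return label


def process_domain(policy, layout, path):
    """Domain a service started from `path` ends up in. exec follows the
    symlink, so the label of the resolved binary decides the transition."""
    mode, target = layout[path]
    if target is not None:
        path, (mode, target) = target, layout[target]
    exec_type = file_label(policy, path, mode).split(":")[2]
    # Transition observed in the report: cluster_exec_t -> cluster_t,
    # anything else ends up in unconfined_service_t.
    return "cluster_t" if exec_type == "cluster_exec_t" else "unconfined_service_t"
```

With `POLICY_OLD` and the `AFTER` layout both paths yield `unconfined_service_t`; with `POLICY_NEW` both yield `cluster_t` even though the compatibility symlink itself stays `bin_t`.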

Comment 1 Jan Kurik 2018-08-14 11:19:35 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 2 Fedora Update System 2018-09-11 12:52:17 UTC
selinux-policy-3.14.2-34.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db240a1726

Comment 3 Fedora Update System 2018-09-12 02:58:38 UTC
selinux-policy-3.14.2-34.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.