Bug 189584
| Field | Value |
|---|---|
| Summary | Not able to create new namespaces with selinux set to enforced on RHEL 4 U2 |
| Product | Red Hat Enterprise Linux 4 |
| Reporter | Ramesh Hegde <rameshh> |
| Component | selinux-policy-targeted |
| Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | medium |
| Version | 4.0 |
| CC | dwalsh, james.antill, jvdias |
| Hardware | i386 |
| OS | Linux |
| Fixed In Version | RHBA-2006-0373 |
| Doc Type | Bug Fix |
| Last Closed | 2006-08-10 21:21:16 UTC |
| Bug Blocks | 181409 |
Description
Ramesh Hegde
2006-04-21 12:31:56 UTC
Fixed in errata: 1.17.30-2.133

Unfortunately, this bug is not quite fixed yet. Now that the upstream OpenPegasus have fixed their upstream bug 4968, allowing CMPI Providers to run with 'forceProviderProcesses=true', the HP testing of the proposed RHEL-4 tog-pegasus release has turned up some more AVCs, when running with 'forceProviderProcesses=true' and accessing CMPI providers:

1. cimserver and cimprovagt need to be able to do 'chown':

   `allow pegasus_t self:capability chown;`

   When pegasus LocalAuthentication is being used for clients connecting over the /var/run/tog-pegasus/cimxml.socket UNIX socket, cimserver will create a /var/lib/Pegasus/cache/localauth/user-${cookie} file, and "chown" that file to the uid of the requesting user, making it have mode 0400; then the requesting user process must read the contents of that file, and report them back to the cimserver to gain access.

2. cimserver cannot talk to cimprovagt CMPI Providers, which can attempt to connect back to the server using the /var/run/tog-pegasus/cimxml.socket UNIX socket:

   `allow pegasus_t self:unix_stream_socket connectto;`

   ```
   avc: denied { connectto } for pid=xxxx comm="cimprovagt" name="cimxml.socket" context=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=unix_stream_socket
   ```

   cimprovagt must be able to connectto, read, and write the /var/run/tog-pegasus/cimxml.socket.

3. When running cimprovagt for the sblim-cmpi-base providers, cimprovagt may need to talk to other processes on FIFO pipes:

   `allow pegasus_t unconfined_t:fifo_file read;`

Please can we try to get this extra policy into RHEL-4-U4, as HP's pegasus testing depends on it - thanks, Jason.

Another issue HP raised is that when cimserver is not run from the initscript, it runs in 'root:system_r:unconfined_t' context; only when run from the initscript does it run in context root:system_r:pegasus_t. This can lead to inconsistent behavior and user confusion, as many pegasus users are used to starting the cimserver manually with the 'cimserver' command. Please can we make cimserver transition into pegasus_t when run from the command line - thanks, Jason.

Problem with running the scripts in userspace is you end up needing to output to the terminal, which is not allowed in the default policy (I believe). Also, if you do something like `cimserver > ~/pegasus.out` it will fail because pegasus is not allowed to write to users' homedirs. This confusion is why we don't transition from unconfined to pegasus_t, only from initrc_t. Httpd, bind, ntpd ... all work the same.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2006-0373.html
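The comments above turn each AVC denial into an `allow` rule by hand (source type, target type or `self`, object class, permission). The following is an added example, not code from this bug or from the tog-pegasus or selinux-policy projects: a small Python parser that performs that same mapping over audit lines, so a policy maintainer can see exactly which rule each denial would require before deciding whether to grant it. The first sample line is the denial quoted in the report; the second is a constructed line in the newer `scontext=` form that corresponds to the FIFO rule requested in item 3. Everything else (function names, the merging of permissions per source/target/class triple) is this example's own design.

```python
import re

# Constructed sample input: the AVC denial quoted in the bug report, plus a
# constructed line in the "scontext=" form matching the fifo_file rule requested.
SAMPLE_AVCS = [
    'avc: denied { connectto } for pid=xxxx comm="cimprovagt" name="cimxml.socket" '
    'context=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=unix_stream_socket',
    'avc: denied { read } for pid=1234 comm="cimprovagt" name="pipe" '
    'scontext=root:system_r:pegasus_t tcontext=root:system_r:unconfined_t tclass=fifo_file',
]

# Older audit output writes the source context as "context=", newer as "scontext=".
# The \b keeps "tcontext=" from being mistaken for the source context.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bs?context=(?P<scontext>\S+).*?'
    r'\btcontext=(?P<tcontext>\S+).*?'
    r'\btclass=(?P<tclass>\S+)'
)


def _type_of(context):
    # user:role:type[:level] -> the type field is what policy rules are written against
    return context.split(':')[2]


def parse_avc(line):
    """Return (source_type, target, tclass, {perms}) for one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = _type_of(m.group('scontext'))
    ttype = _type_of(m.group('tcontext'))
    # A process acting on an object of its own type is written as "self" in policy.
    target = 'self' if stype == ttype else ttype
    return stype, target, m.group('tclass'), set(m.group('perms').split())


def format_rule(stype, target, tclass, perms):
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {stype} {target}:{tclass} {perm_str};'


def avc_to_allow(line):
    """Single denial -> the allow rule that would silence it (None if unparsable)."""
    parsed = parse_avc(line)
    return None if parsed is None else format_rule(*parsed)


def summarize(lines):
    """Merge many denials into one rule per (source, target, class) triple."""
    rules = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, target, tclass, perms = parsed
        rules.setdefault((stype, target, tclass), set()).update(perms)
    return [format_rule(*key, perms) for key, perms in sorted(rules.items())]


if __name__ == '__main__':
    for rule in summarize(SAMPLE_AVCS):
        print(rule)
```

Each emitted rule is the narrowest statement that would clear the corresponding denial; as the discussion in this bug shows, whether a rule belongs in the shipped policy (for example, a `self:capability chown` grant) is a separate judgement about what the confined daemon legitimately has to do, so the output is a review aid rather than something to load unread.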