Bug 193927

Summary: "cimserver -s" fails if SELinux policies are inactive
Product: Red Hat Enterprise Linux 4 Reporter: Denise Eckstein <denise.eckstein>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0CC: jvdias
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: u4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-08-22 14:15:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Denise Eckstein 2006-06-02 23:39:56 UTC 
Description of problem:
"cimserver -s" does not work as expected when SELinux policies are inactive.

Version-Release number of selected component (if applicable):
tog-pegasus-2.5.1-1.EL4

How reproducible:
Test cases 1B and 1C do not work as expected.

Steps to Reproduce:

Test Setup 1
setsebool pegasus_disable_trans true

Test Case 1A
service tog-pegasus start
service tog-pegasus stop
   Works correctly

Test Case 1B
cimserver
cimserver -s
   cimserver is stopped, but "CIM Server stopped." message is not displayed.

Test Case 1C
service tog-pegasus start
cimserver -s
   cimserver is not stopped, and "CIM Server stopped." message is not 
displayed.

Test Setup 2
setsebool pegasus_disable_trans false

Test Case 2A
service tog-pegasus start
service tog-pegasus stop
   Works correctly

Test Case 2B
cimserver
cimserver -s
   Works correctly

Test Case 2C
service tog-pegasus start
cimserver -s
   Works correctly


  
Actual results:


Expected results:


Additional info:
Comment 1 Denise Eckstein 2006-06-03 00:28:59 UTC 
"cimserver -v" also fails if the OpenPegasus SELinux policies are inactive.
Comment 2 Jason Vas Dias 2006-06-05 19:20:14 UTC 
RE: Test Case 1B :
  No process running out of 'unconfined_t' is allowed to write to the terminal 
  device, so you don't see the 'CIM Server stopped' message. This is expected.
  If you had done:
  # cimserver -s | cat
  you would see the 'CIM Server stopped' message in this scenario.

RE: Test Case 1C :
  Yes, this would appear to be a bug in the SELinux policy - we'd need to add
    'allow pegasus_t initrc_t:unix_stream_socket connectto;'
  for this, or make cimserver NOT transition into initrc_t when run from the
  initscript. 

  Actually, one would expect with 'pegasus_disable_trans=true' that either:
  A) running /usr/sbin/cimserver from the command line would not transition into
     pegasus_t
  or
  B) running cimserver from the initscript would still transition cimserver into
     pegasus_t, so that the command line 'cimserver -s' would still succeed.

It would appear that all is not working correctly with the 
'pegasus_disable_trans=true' setting - please could the SELinux maintainers
take a look at this - thanks!
Comment 3 Daniel Walsh 2006-06-06 14:42:42 UTC 
Currently the disable_trans only works for initscripts.  If the code is
specially defined to transition from unconfined, we are not using the boolean.

I think this is a minor bug and should be put off until U5

I don't see why you want     
'allow pegasus_t initrc_t:unix_stream_socket connectto;'
Comment 6 RHEL Program Management 2006-08-18 15:43:16 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Denise Eckstein 2006-08-22 02:52:14 UTC 
This problem appears to be resolved in RHEL4 U4.

Thanks,
Denise