Bug 193927
Summary: | "cimserver -s" fails if SELinux policies are inactive
---|---
Product: | Red Hat Enterprise Linux 4
Component: | selinux-policy-targeted
Version: | 4.0
Hardware: | All
OS: | Linux
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | medium
Reporter: | Denise Eckstein <denise.eckstein>
Assignee: | Daniel Walsh <dwalsh>
CC: | jvdias
Fixed In Version: | u4
Doc Type: | Bug Fix
Last Closed: | 2006-08-22 14:15:08 UTC
Description
Denise Eckstein
2006-06-02 23:39:56 UTC
"cimserver -v" also fails if the OpenPegasus SELinux policies are inactive.

RE: Test Case 1B : No process running out of 'unconfined_t' is allowed to write to the terminal device, so you don't see the 'CIM Server stopped' message. This is expected. If you had done:

    # cimserver -s | cat

you would see the 'CIM Server stopped' message in this scenario.

RE: Test Case 1C : Yes, this would appear to be a bug in the SELinux policy - we'd need to add 'allow pegasus_t initrc_t:unix_stream_socket connectto;' for this, or make cimserver NOT transition into initrc_t when run from the initscript.

Actually, one would expect with 'pegasus_disable_trans=true' that either:

A) running /usr/sbin/cimserver from the command line would not transition into pegasus_t

or

B) running cimserver from the initscript would still transition cimserver into pegasus_t, so that the command line 'cimserver -s' would still succeed.

It would appear that all is not working correctly with the 'pegasus_disable_trans=true' setting - please could the SELinux maintainers take a look at this - thanks!

Currently the disable_trans only works for initscripts. If the code is specially defined to transition from unconfined, we are not using the boolean.

I think this is a minor bug and should be put off until U5.

I don't see why you want 'allow pegasus_t initrc_t:unix_stream_socket connectto;'

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

This problem appears to be resolved in RHEL4 U4.

Thanks,
Denise
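Added example (not part of the bug report and not code from selinux-policy-targeted): a small parser that pulls AVC denials for the pegasus_t domain out of audit log text and renders them as candidate allow rules for review, which is how the domain mismatch discussed under Test Case 1C shows up in practice. The log lines, PIDs and timestamps are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample audit records (not taken from the bug report).
SAMPLE_LOG = """\
type=AVC msg=audit(1149291596.101:12): avc:  denied  { connectto } for  pid=4211 comm="cimserver" scontext=root:system_r:pegasus_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
type=AVC msg=audit(1149291597.220:13): avc:  denied  { write } for  pid=4211 comm="cimserver" name="1" dev=devpts scontext=root:system_r:pegasus_t tcontext=root:object_r:devpts_t tclass=chr_file
type=AVC msg=audit(1149291598.007:14): avc:  denied  { read } for  pid=4300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
"""

# Matches the denial header and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of user:role:type or user:role:type:level."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract source type, target type, class and permissions per denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "source": selinux_type(m.group("scon")),
                "target": selinux_type(m.group("tcon")),
                "tclass": m.group("tclass"),
                "perms": m.group("perms").split(),
            })
    return denials

def candidate_rules(denials, source_type="pegasus_t"):
    """Group one domain's denials and render them as allow rules to review."""
    grouped = {}
    for d in denials:
        if d["source"] == source_type:
            key = (d["source"], d["target"], d["tclass"])
            grouped.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules
```

A rule naming initrc_t as the target type indicates the running daemon never left the initscript's domain, so the output is a prompt to check the transition as well as a possible policy addition.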