Bug 2111030

Summary: selinux-policy-targeted doesn't know about stalld
Product: Red Hat Enterprise Linux 8 Reporter: Jiří Mencák <jmencak>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: low    
Version: 8.6CC: cchen, lvrabec, mmalik, ssekidde, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-29 13:04:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2110932    

Description Jiří Mencák 2022-07-26 11:14:29 UTC 
Description of problem:
https://gitlab.com/rt-linux-tools/stalld is a RHEL-shipped program to prevent the starvation of operating system threads in a Linux system.  When stalld is started via "systemctl start stalld", it will run as unconfined process.

Version-Release number of selected component (if applicable):
Current RHEL 8.6, 8.4

How reproducible:
Always

Steps to Reproduce:
1. yum install stalld
2. systemctl start stalld
3. ps -eZ|grep stalld

Actual results:
system_u:system_r:unconfined_service_t:s0 4186086 ? 00:00:00 stalld

Expected results (Fedora 36 box):
system_u:system_r:stalld_t:s0     99487 ?        00:00:00 stalld

Additional info:
On Fedora 36:
[root@b200 selinux]# grep -ri stalld /etc/selinux
/etc/selinux/targeted/active/file_contexts:/var/run/stalld.pid  --      system_u:object_r:stalld_var_run_t:s0
/etc/selinux/targeted/active/file_contexts:/usr/lib/systemd/system/stalld.*     --      system_u:object_r:stalld_unit_file_t:s0
/etc/selinux/targeted/active/file_contexts:/usr/bin/stalld      --      system_u:object_r:stalld_exec_t:s0
grep: /etc/selinux/targeted/active/policy.kern: binary file matches
grep: /etc/selinux/targeted/active/policy.linked: binary file matches
/etc/selinux/targeted/contexts/files/file_contexts:/var/run/stalld.pid  --      system_u:object_r:stalld_var_run_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/lib/systemd/system/stalld.*     --      system_u:object_r:stalld_unit_file_t:s0
/etc/selinux/targeted/contexts/files/file_contexts:/usr/bin/stalld      --      system_u:object_r:stalld_exec_t:s0
grep: /etc/selinux/targeted/contexts/files/file_contexts.bin: binary file matches
grep: /etc/selinux/targeted/policy/policy.33: binary file matches
[root@b200 selinux]# rpm -qf /etc/selinux/targeted/contexts/files/file_contexts
selinux-policy-targeted-36.10-1.fc36.noarch

https://bugzilla.redhat.com/show_bug.cgi?id=2110932
Comment 1 Zdenek Pytela 2022-07-26 15:34:32 UTC 
This actually is a dup of https://bugzilla.redhat.com/show_bug.cgi?id=1891428 which has been closed WONTFIX. We can go through it again later this week.

Similar bz for RHEL 9 https://bugzilla.redhat.com/show_bug.cgi?id=2042614 is VERIFIED.
One open problem remains in https://bugzilla.redhat.com/show_bug.cgi?id=2105038
Comment 2 Chen 2022-07-27 01:25:21 UTC 
Hi Zdenek,

Thanks a lot for your reply!

One of the OpenShift Compliance Operator rules is "Ensure No Daemons are Unconfined by SELinux" which checks whether there is any service running as unconfined_service_t type. Due to this bug the compliance check can not be passed. OpenShift 4.10 (which is currently the newest version of OCP) is based on RHEL 8.6 so if we decided to fix the issue perhaps we need also backport this to RHEL 8.6.

Thanks again!

Best Regards,
Chen
Comment 3 Zdenek Pytela 2022-07-29 13:04:02 UTC 
After the discussion in SELinux team we decided to close this bz as putting a new policy to RHEL in the middle of development cycle
can have undesirable effects, additionally in backporting via z-stream there is a high regression risk.

In RHEL 9.1 the stalld service will be confined, actually it should already be available in CentOS stream.

*** This bug has been marked as a duplicate of bug 1891428 ***