Bug 472609

Summary: cimserver process requires "kill" access when PEGASUS_ENABLE_PRIVILEGE_SEPARATION enabled
Product: Red Hat Enterprise Linux 5 Reporter: Denise Eckstein <denise.eckstein>
Component: tog-pegasusAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED WONTFIX QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-05 16:33:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Denise Eckstein 2008-11-22 00:49:18 UTC 
Description of problem:

If the CIM Server is built with PEGASUS_ENABLE_PRIVILEGE_SEPARATION enabled, the cimserver process is split into two processes, cimserver and cimservermain.  cimservermain is the larger of the two processes and runs in a non-privileged context.  The cimserver process runs as a privileged users.

When "/etc/init.d/tog-pegasus stop" is called a SIGTERM is sent to the cimserver process.  The cimserver process is then responsible for killing the cimservermain process.

If SELinux is enabled, this operation fails with the following error.
Nov 19 09:28:23 bwindi setroubleshoot:      SELinux is preventing /usr/sbin/cimserver (pegasus_t) "kill" access to <Unknown> (pegasus_t).      For complete SELinux messages. run sealert -l 40aba5be-b6a3-4a61-8837-3c1b26836530

[root@bwindi log]# sealert -l 40aba5be-b6a3-4a61-8837-3c1b26836530
Summary
    SELinux is preventing /usr/sbin/cimserver (pegasus_t) "kill" access to
    <Unknown> (pegasus_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/cimserver. It is not expected
    that this access is required by /usr/sbin/cimserver and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "pegasus_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P pegasus_disable_trans=1."

    The following command will allow this access:
    setsebool -P pegasus_disable_trans=1

Additional Information        

Source Context                root:system_r:pegasus_t
Target Context                root:system_r:pegasus_t
Target Objects                None [ capability ]
Affected RPM Packages         tog-pegasus-2.9.0-1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     bwindi.cup.hp.com
Platform                      Linux bwindi.cup.hp.com 2.6.18-65.el5.bz248052 #1
                              SMP Wed Jan 9 16:05:55 EST 2008 x86_64 x86_64
Alert Count                   90
Line Numbers                  

Raw Audit Messages            

avc: denied { kill } for comm="cimserver" egid=0 euid=0
exe="/usr/sbin/cimserver" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=21675
scontext=root:system_r:pegasus_t:s0 sgid=0 subj=root:system_r:pegasus_t:s0
suid=0 tclass=capability tcontext=root:system_r:pegasus_t:s0 tty=(none) uid=0




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Vitezslav Crhonek 2009-03-05 16:33:57 UTC 
Because PEGASUS_ENABLE_PRIVILEGE_SEPARATION is disabled in tog-pegasus shipped in RHEL, we won't change the default policy to give cimserver kill access.

Please consider building own SELinux module:
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

Put this into new module to give cimserver desired access:
#============= pegasus_t ==============
allow pegasus_t self:capability kill;
Comment 2 Denise Eckstein 2009-03-05 16:50:57 UTC 
Thanks for the pointer.  Using our own SELinux module would definitely make support for SELinux easier.

Thanks,
Denise