Bug 628640

Summary: unconfined daemons: rhnsearchd, cobblerd, taskomaticd
Product: [Community] Spacewalk
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: Server
Assignee: Jan Pazdziora (Red Hat) <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: medium
Priority: medium
Version: 1.1
CC: cperry, gkhachik, tao, vgaikwad
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 556787
Last Closed: 2010-11-20 14:41:01 UTC
Bug Blocks: 556787, 623772, 634222

Description Jan Pazdziora (Red Hat) 2010-08-30 15:38:55 UTC
+++ This bug was initially created as a clone of Bug #556787 +++

Escalated to Bugzilla from IssueTracker

--- Additional comment from tao on 2010-01-19 07:40:34 EST ---

Event posted on 12-17-2009 04:15pm EST by csd-unix

Description of problem:

Daemons that SELinux policy does not know about will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context. This is a problem because it may cause AVC denials, or it could allow privileges that the daemon does not require.

On a clean install of RHNS 5.3 the following daemons are unconfined: rhnsearchd, cobblerd, taskomaticd.

https://fedorahosted.org/spacewalk/wiki/Features/SELinux documents the fact that rhnsearchd and taskomaticd are unconfined. I have not seen any reference for cobblerd.

How reproducible: always

Steps to Reproduce: build an RHNS 5.3 and run
/bin/ps -eZ | /bin/egrep "initrc"


Actual results:
root:system_r:initrc_t:s0       18520 ?        00:00:00 rhnsearchd
root:system_r:initrc_t:s0       18570 ?        00:00:00 cobblerd
root:system_r:initrc_t:s0       18595 ?        00:00:00 taskomaticd


Expected results: no output

[...]

--- Additional comment from cperry on 2010-07-12 16:59:29 EDT ---

Jan - 
please [...] provide as part of rules SELinux for RHEL 5 & 6 for taskomatic and search. For cobbler use the one cobbler defines and use it by default as well. 

Cliff.
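As an added example (not part of the bug report or of Spacewalk), a small POSIX shell check that applies the reproduction step above to a `ps -eZ` listing: it flags every process whose SELinux type is initrc_t, the generic domain a daemon is left in when no policy transition exists for it. The listing is constructed, and the function names `unconfined_daemons` and `count_unconfined` are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a `ps -eZ` listing for
# daemons still running in the generic initrc_t domain, i.e. processes
# that inherited init's context because no SELinux policy transitions
# them into a domain of their own.

# Constructed sample output in the shape of `/bin/ps -eZ`. The three
# initrc_t lines mirror the "Actual results" above; the other rows are
# made up to show that properly confined processes are ignored.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:httpd_t:s0     1820 ?        00:00:03 httpd
root:system_r:initrc_t:s0       18520 ?        00:00:00 rhnsearchd
root:system_r:initrc_t:s0       18570 ?        00:00:00 cobblerd
root:system_r:initrc_t:s0       18595 ?        00:00:00 taskomaticd
system_u:system_r:postgresql_t:s0 2210 ?        00:00:02 postmaster'

# unconfined_daemons: read a ps -eZ listing on stdin and print "PID CMD"
# for every process whose SELinux type is initrc_t. The type is the third
# colon-separated field of the label (user:role:type:level), so MLS levels
# such as s0-s0:c0.c1023 that contain extra colons do not disturb the test.
unconfined_daemons() {
    awk 'NR > 1 {
        split($1, ctx, ":")
        if (ctx[3] == "initrc_t") print $2, $NF
    }'
}

# count_unconfined: number of initrc_t processes in a listing on stdin;
# a clean system yields 0, matching "Expected results: no output".
count_unconfined() {
    unconfined_daemons | wc -l | tr -d ' '
}

# On a live host the same check is:  /bin/ps -eZ | unconfined_daemons
printf '%s\n' "$SAMPLE_PS" | unconfined_daemons
```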

Comment 1 Jan Pazdziora (Red Hat) 2010-08-31 07:53:14 UTC
The taskomaticd and rhnsearchd are addressed in Spacewalk master, 809e0bbc35ebab9bb78976e50af6f79f72fd19e3.

Comment 2 Jan Pazdziora (Red Hat) 2010-11-19 16:02:51 UTC
Mass-moving to space13.

Comment 3 Jan Pazdziora (Red Hat) 2010-11-20 14:39:33 UTC
On Fedora 13 and 14, cobbler is confined as well:

# ps axuwZ | grep cobbler
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4509 0.0  0.1 4468 752 pts/1 S+ 15:39   0:00 grep --color=auto cobbler
unconfined_u:system_r:cobblerd_t:s0 root  7534  0.0  0.5  51608  3952 ?        S    Nov19   0:35 /usr/bin/python /usr/bin/cobblerd --daemonize

Comment 4 Jan Pazdziora (Red Hat) 2010-11-20 14:41:01 UTC
With Spacewalk 1.2 released, marking as resolved, as both taskomaticd and rhnsearchd, as well as cobblerd on Fedora via the standard selinux-policy-targeted, are covered.