Bug 799324

Summary:	some pulp/rhui related daemons are running w/ an unconfined user
Product:	Red Hat Update Infrastructure for Cloud Providers	Reporter:	wes hayutin <whayutin>
Component:	Security	Assignee:	John Matthews <jmatthew>
Status:	CLOSED NOTABUG	QA Contact:	Kedar Bidarkar <kbidarka>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	2.0.2	CC:	dwalsh, jslagle, sghai, whayutin
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2012-03-02 15:57:48 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description wes hayutin 2012-03-02 13:48:23 UTC

Description of problem:

root@ip-10-90-202-254 ~]# ps axZ
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0         1 ?        Ss     0:00 /sbin/init
system_u:system_r:kernel_t:s0       2 ?        S      0:00 [kthreadd]
system_u:system_r:kernel_t:s0       3 ?        S      0:00 [migration/0]
system_u:system_r:kernel_t:s0       4 ?        S      0:00 [ksoftirqd/0]
system_u:system_r:kernel_t:s0       5 ?        S      0:00 [migration/0]
system_u:system_r:kernel_t:s0       6 ?        S      0:00 [watchdog/0]
system_u:system_r:kernel_t:s0       7 ?        S      0:00 [migration/1]
system_u:system_r:kernel_t:s0       8 ?        S      0:00 [migration/1]
system_u:system_r:kernel_t:s0       9 ?        S      0:01 [ksoftirqd/1]
system_u:system_r:kernel_t:s0      10 ?        S      0:00 [watchdog/1]
system_u:system_r:kernel_t:s0      11 ?        S      0:00 [events/0]
system_u:system_r:kernel_t:s0      12 ?        S      0:00 [events/1]
system_u:system_r:kernel_t:s0      13 ?        S      0:00 [cpuset]
system_u:system_r:kernel_t:s0      14 ?        S      0:00 [khelper]
system_u:system_r:kernel_t:s0      15 ?        S      0:00 [netns]
system_u:system_r:kernel_t:s0      16 ?        S      0:00 [async/mgr]
system_u:system_r:kernel_t:s0      17 ?        S      0:00 [pm]
system_u:system_r:kernel_t:s0      18 ?        S      0:00 [xenwatch]
system_u:system_r:kernel_t:s0      19 ?        S      0:00 [xenbus]
system_u:system_r:kernel_t:s0      20 ?        S      0:00 [sync_supers]
system_u:system_r:kernel_t:s0      21 ?        S      0:00 [bdi-default]
system_u:system_r:kernel_t:s0      22 ?        S      0:00 [kintegrityd/0]
system_u:system_r:kernel_t:s0      23 ?        S      0:00 [kintegrityd/1]
system_u:system_r:kernel_t:s0      24 ?        S      0:03 [kblockd/0]
system_u:system_r:kernel_t:s0      25 ?        S      0:01 [kblockd/1]
system_u:system_r:kernel_t:s0      26 ?        S      0:00 [ata/0]
system_u:system_r:kernel_t:s0      27 ?        S      0:00 [ata/1]
system_u:system_r:kernel_t:s0      28 ?        S      0:00 [ata_aux]
system_u:system_r:kernel_t:s0      29 ?        S      0:00 [ksuspend_usbd]
system_u:system_r:kernel_t:s0      30 ?        S      0:00 [khubd]
system_u:system_r:kernel_t:s0      31 ?        S      0:00 [kseriod]
system_u:system_r:kernel_t:s0      32 ?        S      0:00 [md/0]
system_u:system_r:kernel_t:s0      33 ?        S      0:00 [md/1]
system_u:system_r:kernel_t:s0      34 ?        S      0:00 [md_misc/0]
system_u:system_r:kernel_t:s0      35 ?        S      0:00 [md_misc/1]
system_u:system_r:kernel_t:s0      36 ?        S      0:00 [khungtaskd]
system_u:system_r:kernel_t:s0      37 ?        S      0:43 [kswapd0]
system_u:system_r:kernel_t:s0      38 ?        SN     0:00 [ksmd]
system_u:system_r:kernel_t:s0      39 ?        S      0:00 [aio/0]
system_u:system_r:kernel_t:s0      40 ?        S      0:00 [aio/1]
system_u:system_r:kernel_t:s0      41 ?        S      0:00 [crypto/0]
system_u:system_r:kernel_t:s0      42 ?        S      0:00 [crypto/1]
system_u:system_r:kernel_t:s0      47 ?        S      0:00 [kthrotld/0]
system_u:system_r:kernel_t:s0      48 ?        S      0:00 [kthrotld/1]
system_u:system_r:kernel_t:s0      50 ?        S      0:00 [khvcd]
system_u:system_r:kernel_t:s0      51 ?        S      0:00 [kpsmoused]
system_u:system_r:kernel_t:s0      52 ?        S      0:00 [usbhid_resumer]
system_u:system_r:kernel_t:s0      85 ?        S      0:00 [kstriped]
system_u:system_r:kernel_t:s0     213 ?        S      0:01 [jbd2/xvde1-8]
system_u:system_r:kernel_t:s0     214 ?        S      0:00 [ext4-dio-unwrit]
system_u:system_r:kernel_t:s0     215 ?        S      0:00 [ext4-dio-unwrit]
system_u:system_r:kernel_t:s0     250 ?        S      0:00 [kauditd]
system_u:system_r:udev_t:s0-s0:c0.c1023 305 ?  S<s    0:00 /sbin/udevd -d
system_u:system_r:dhcpc_t:s0      869 ?        Ss     0:00 /sbin/dhclient -1
system_u:system_r:syslogd_t:s0    922 ?        Sl     0:00 /sbin/rsyslogd -i
system_u:system_r:irqbalance_t:s0 940 ?        Ss     0:14 irqbalance
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 953 ? Ssl   0:00 dbus-daemon
system_u:system_r:cupsd_t:s0-s0:c0.c1023 965 ? Ss     0:00 cupsd -C /etc/cups
system_u:system_r:automount_t:s0 1005 ?        Ssl    0:00 automount --pid-fi
system_u:system_r:sshd_t:s0-s0:c0.c1023 1049 ? Ss     0:00 /usr/sbin/sshd
system_u:system_r:inetd_t:s0-s0:c0.c1023 1057 ? Ss    0:00 xinetd -stayalive
system_u:system_r:sendmail_t:s0  1073 ?        Ss     0:02 sendmail: acceptin
system_u:system_r:sendmail_t:s0  1082 ?        Ss     0:00 sendmail: Queue ru
system_u:system_r:abrt_t:s0-s0:c0.c1023 1105 ? Ss     0:00 /usr/sbin/abrtd
system_u:system_r:abrt_dump_oops_t:s0 1113 ?   Ss     0:00 abrt-dump-oops -d
system_u:system_r:crond_t:s0-s0:c0.c1023 1121 ? Ss    0:01 crond
system_u:system_r:crond_t:s0-s0:c0.c1023 1132 ? Ss    0:00 /usr/sbin/atd
system_u:system_r:getty_t:s0     1170 hvc0     Ss+    0:00 /sbin/agetty /dev/
system_u:system_r:getty_t:s0     1171 tty1     Ss+    0:00 /sbin/mingetty /de
system_u:system_r:getty_t:s0     1173 tty2     Ss+    0:00 /sbin/mingetty /de
system_u:system_r:getty_t:s0     1175 tty3     Ss+    0:00 /sbin/mingetty /de
system_u:system_r:getty_t:s0     1177 tty4     Ss+    0:00 /sbin/mingetty /de
system_u:system_r:getty_t:s0     1179 tty5     Ss+    0:00 /sbin/mingetty /de
system_u:system_r:getty_t:s0     1181 tty6     Ss+    0:00 /sbin/mingetty /de
system_u:system_r:udev_t:s0-s0:c0.c1023 1189 ? S<     0:00 /sbin/udevd -d
system_u:system_r:udev_t:s0-s0:c0.c1023 1190 ? S<     0:00 /sbin/udevd -d
system_u:system_r:auditd_t:s0    1208 ?        S<sl   0:00 auditd
system_u:system_r:kernel_t:s0    1398 ?        S      0:47 [kjournald]
unconfined_u:system_r:httpd_t:s0 1500 ?        S      4:09 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1505 ?        S      4:06 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1517 ?        S      3:44 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1533 ?        S      3:30 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1560 ?        S      3:01 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1569 ?        S      2:55 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1579 ?        S      2:37 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1614 ?        S      2:19 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1616 ?        S      2:19 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1642 ?        S      1:51 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1643 ?        S      1:52 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1648 ?        S      1:46 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1661 ?        S      1:34 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1662 ?        S      1:32 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1666 ?        S      1:29 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1677 ?        S      1:17 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1682 ?        S      1:11 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1683 ?        S      1:13 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1691 ?        S      1:06 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 1709 ?        S      0:51 /usr/sbin/httpd
unconfined_u:system_r:mongod_t:s0 2915 ?       Sl   174:00 /usr/bin/mongod --
unconfined_u:system_r:qpidd_t:s0 2931 ?        Ssl    0:56 /usr/sbin/qpidd --
unconfined_u:system_r:httpd_t:s0 2968 ?        Ss     0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 2970 ?        Sl   210:14 (wsgi:pulp)    
system_u:system_r:sshd_t:s0-s0:c0.c1023 6502 ? Ss     0:00 sshd: root@pts/0 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 6507 pts/0 Ss   0:00 -b
system_u:system_r:kernel_t:s0    7785 ?        S      0:00 [flush-202:65]
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7818 pts/0 T   0:00 /us
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7821 pts/0 S+   0:00 /u
system_u:system_r:sshd_t:s0-s0:c0.c1023 7824 ? Ss     0:00 sshd: root@pts/1 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7828 pts/1 Ss   0:00 -b
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 7848 pts/1 R+   0:00 ps
[root@ip-10-90-202-254 ~]#

Comment 1 John Matthews 2012-03-02 14:00:32 UTC

Dan would you comment on the fact we are seeing "httpd, qpidd, and mongod" showing up as "unconfined_u".  Is this acceptable, or something we should address?

Comment 2 Daniel Walsh 2012-03-02 15:57:48 UTC

We for the most part ignore the user component of the SELinux label.

As we move forward and systemd starts more services this will not happen as often.

http://danwalsh.livejournal.com/51942.html

This will happen less often.  But basically if you start a service with the serivce DAEMON start, the user component of the SELinux label will be your user type, if the service is started at boot it will be system_u.  But up until now this has not been a problem.

AS long as the third field is not unconfined_t, or initrc_t, then we do not have a problem.

Comment 3 James Slagle 2012-03-12 19:39:41 UTC

Released in RHUI 2.0.2