Bug 811366
Summary: | stap-serverd runs as initrc_t | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.3 | CC: | dwalsh, lvrabec, mjw, mmalik, scox |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.7.19-247.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-10-14 07:56:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 832330, 1116380 |
Description
Milos Malik
2012-04-10 20:00:11 UTC
The daemon is not confined by SELinux. Please help SELinux folks to create a suitable policy module. You know that we should minimize the number of programs running as initrc_t, don't you? We're happy to help, though are not immediately able to write a selinux module ourselves. Perhaps reassign this bug to someone willing/able to do so? stap-server does a lot, so may be complicated to tie down. For example, it does all of the following unprivileged operations: - it reads files in /etc/systemtap - it talks to the local avahi daemon - it modifies files in its home directory /var/lib/stap-server (but see bug #798036) - it creates potentially large temporary files under $TMPDIR-/var/tmp - it reads files under /usr/lib/debug and /lib/modules and elsewhere - it runs make / gcc / the whole stratum of kernel-build tools/scripts - it might even be configured to make outgoing network connections to other nearby stap-servers This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4. See also bug #798036, another selinux enforcement issue. This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux. Patch sent to Miroslav. commit 444215373f4d5cd6c832816aaa588e00952cdc5c Author: Lukas Vrabec <lvrabec> Date: Wed Apr 23 15:03:59 2014 +0200 Added stapserver policy Milos, Is it necessary to add this capability? Or everything run fine and you just see this AVC? patch sent. patch sent. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |