Bug 848744

Summary: gatherd and reposd run as initrc_t
Product: Red Hat Enterprise Linux 5 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.9CC: dwalsh
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-20 08:39:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 848708    

Description Milos Malik 2012-08-16 10:50:09 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-minimum-2.4.6-331.el5
selinux-policy-devel-2.4.6-331.el5
selinux-policy-targeted-2.4.6-331.el5
selinux-policy-2.4.6-331.el5
selinux-policy-strict-2.4.6-331.el5
selinux-policy-mls-2.4.6-331.el5
sblim-gather-2.2.3-49.el5

How reproducible:
always

Steps to Reproduce:
# run_init service gatherer status
Authenticating root.
Password: 
gatherd is stopped
reposd is stopped
# run_init service gatherer start
Authenticating root.
Password: 
Starting gatherd:                                          [  OK  ]
Starting reposd:                                           [  OK  ]
# ps -efZ | grep -e reposd -e gatherd
user_u:system_r:initrc_t        root     12534     1  0 12:40 ?        00:00:00 gatherd
user_u:system_r:initrc_t        root     12539     1  0 12:40 ?        00:00:00 reposd
root:system_r:unconfined_t:SystemLow-SystemHigh root 12607 2823  0 12:40 pts/0 00:00:00 grep -e reposd -e gatherd
# 

Actual results:
* both gatherd and reposd run as initrc_t

Expected results:
* both gatherd and reposd run in its own SELinux domain
Comment 1 Miroslav Grepl 2012-08-20 08:39:55 UTC 
I believe we should stay with initrc_t for all these services for RHEL5. 

Basically I can backport policies but we would need to make this policy as unconfined.

Also we don't see any issues with these services running as initrc.