Description of problem:
* ipmidetectd uses too powerful SELinux domain

Version-Release number of selected component (if applicable):
freeipmi-ipmidetectd-1.2.9-2.el7.x86_64
selinux-policy-3.12.1-105.el7.noarch
selinux-policy-devel-3.12.1-105.el7.noarch
selinux-policy-doc-3.12.1-105.el7.noarch
selinux-policy-minimum-3.12.1-105.el7.noarch
selinux-policy-mls-3.12.1-105.el7.noarch
selinux-policy-targeted-3.12.1-105.el7.noarch

How reproducible:
always

Steps to Reproduce:
# echo "host 127.0.0.1" >> /etc/freeipmi/ipmidetectd.conf
# service ipmidetectd status
Redirecting to /bin/systemctl status ipmidetectd.service
ipmidetectd.service - IPMI Node Detection Monitoring Daemon
   Loaded: loaded (/usr/lib/systemd/system/ipmidetectd.service; disabled)
   Active: failed (Result: exit-code) since Tue 2013-12-03 10:07:51 CET; 3min 4s ago
  Process: 14560 ExecStart=/usr/sbin/ipmidetectd (code=exited, status=1/FAILURE)
 Main PID: 14208 (code=exited, status=1/FAILURE)

Dec 03 10:07:51 rhel70 ipmidetectd[14560]: ipmidetectd: No nodes configured
Dec 03 10:07:51 rhel70 systemd[1]: ipmidetectd.service: control process exi...=1
Dec 03 10:07:51 rhel70 systemd[1]: Failed to start IPMI Node Detection Moni...n.
Dec 03 10:07:51 rhel70 systemd[1]: Unit ipmidetectd.service entered failed ...e.
Hint: Some lines were ellipsized, use -l to show in full.

# service ipmidetectd start
Redirecting to /bin/systemctl start ipmidetectd.service

# service ipmidetectd status
Redirecting to /bin/systemctl status ipmidetectd.service
ipmidetectd.service - IPMI Node Detection Monitoring Daemon
   Loaded: loaded (/usr/lib/systemd/system/ipmidetectd.service; disabled)
   Active: active (running) since Tue 2013-12-03 10:10:58 CET; 919ms ago
  Process: 14724 ExecStart=/usr/sbin/ipmidetectd (code=exited, status=0/SUCCESS)
 Main PID: 14726 (ipmidetectd)
   CGroup: /system.slice/ipmidetectd.service
           └─14726 /usr/sbin/ipmidetectd

Dec 03 10:10:58 rhel70 systemd[1]: Starting IPMI Node Detection Monitoring .....
Dec 03 10:10:58 rhel70 systemd[1]: Started IPMI Node Detection Monitoring D...n.
Hint: Some lines were ellipsized, use -l to show in full.

# ps -efZ | grep ipmidetectd
system_u:system_r:init_t:s0     root     14726     1  0 10:10 ?        00:00:00 /usr/sbin/ipmidetectd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 14749 12632  0 10:11 pts/1    00:00:00 grep --color=auto ipmidetectd
#

Actual results:
* ipmidetectd runs as init_t

Expected results:
* ipmidetectd runs in its own SELinux domain
commit dee0ab128c1730828e041645811da995a2929f0b
Author: Miroslav Grepl <mgrepl>
Date:   Thu Dec 5 17:11:53 2013 +0100

    Add policy for freeipmi services
subj=system_u:system_r:freeipmi_ipmidetectd_t:s0 key=(null)
type=AVC msg=audit(1386839724.301:912): avc:  denied  { name_bind } for  pid=8622 comm="ipmidetectd" src=9225 scontext=system_u:system_r:freeipmi_ipmidetectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Milos, is this a default port?
Excerpt from ipmidetectd.conf man page:

       ipmidetectd_server_port port
              Specify the alternate default port the ipmidetectd server should listen for requests off of. Default is 9225.
Thanks.
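The two checks in this report, done as a small script rather than by eye: read the SELinux domain of ipmidetectd out of `ps -efZ` output (the "runs as init_t" result in the description) and pull the permission, port and types out of the AVC record quoted above. This is an added example, not code from the bug report, freeipmi or selinux-policy. The sample lines are constructed copies of the ps and audit output quoted on this page; the "after the fix" ps line is a hypothetical one I wrote with the freeipmi_ipmidetectd_t domain the AVC shows, since the report does not include a ps listing after the policy was added.

```shell
#!/bin/sh
# Added example, not part of the bug report or of freeipmi/selinux-policy.
# Checks: (1) which SELinux domain a daemon runs in, from `ps -efZ` output;
# (2) what an AVC name_bind denial asks for. Sample lines are constructed
# copies of the output quoted in the report, plus one hypothetical line.

# Constructed copy of the `ps -efZ | grep ipmidetectd` output from the report.
PS_BEFORE='system_u:system_r:init_t:s0 root 14726 1 0 10:10 ? 00:00:00 /usr/sbin/ipmidetectd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 14749 12632 0 10:11 pts/1 00:00:00 grep --color=auto ipmidetectd'

# Hypothetical ps line after the policy is installed (assumed, not from the report).
PS_AFTER='system_u:system_r:freeipmi_ipmidetectd_t:s0 root 8622 1 0 10:15 ? 00:00:00 /usr/sbin/ipmidetectd'

# Constructed copy of the AVC record quoted in the report.
AVC_LINE='type=AVC msg=audit(1386839724.301:912): avc:  denied  { name_bind } for  pid=8622 comm="ipmidetectd" src=9225 scontext=system_u:system_r:freeipmi_ipmidetectd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# Print the SELinux type (third field of the context) of the first process whose
# command basename equals $1, reading `ps -efZ` lines on stdin. Field 9 is CMD,
# so the "grep --color=auto ipmidetectd" line is skipped: its command is "grep".
selinux_type_of() {
    awk -v cmd="$1" '{
        n = split($9, path, "/")
        if (path[n] == cmd) { split($1, ctx, ":"); print ctx[3]; exit }
    }'
}

# Return 0 if the type is a dedicated domain, 1 for init_t / unconfined_t
# (the "too powerful" case from the report) or for an empty type (not running).
is_confined() {
    case "$1" in
        init_t|unconfined_t|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Summarise one AVC denial line from stdin as
# "<permission> <port> <source type> <target type> <class>".
avc_summary() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            else if ($i ~ /^src=/) port = substr($i, 5)
            else if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/) class = substr($i, 8)
        }
        print perm, port, stype, ttype, class
    }'
}

# Stand-alone run over the samples.
for ps_out in "$PS_BEFORE" "$PS_AFTER"; do
    t=$(printf '%s\n' "$ps_out" | selinux_type_of ipmidetectd)
    if is_confined "$t"; then
        echo "ipmidetectd runs in $t (confined)"
    else
        echo "ipmidetectd runs in ${t:-no domain}: NOT confined"
    fi
done
printf '%s\n' "$AVC_LINE" | avc_summary
```

On a live system replace the constructed variables with `ps -efZ` and `ausearch -m AVC -c ipmidetectd` output; the denial summary ("name_bind 9225 freeipmi_ipmidetectd_t unreserved_port_t tcp_socket") is what tells you the new domain still lacks a port rule for 9225, which is why the question about the default port was asked.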
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.