1109537 – gear command line cannot be run with a confined user

Bug 1109537 - gear command line cannot be run with a confined user

Summary: gear command line cannot be run with a confined user

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	geard
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lokesh Mandvekar
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-15 00:58 UTC by Michael S.
Modified:	2014-09-28 13:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-09-28 13:06:26 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Michael S. 2014-06-15 00:58:21 UTC

Description of problem:
$ gear           
zsh: permission denied: gear

$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

WIth setenforce 0, it work fine.

# rpm -q selinux-policy
selinux-policy-3.12.1-166.fc20.noarch

I am not sure if gear can be run as a simple user, but i would at least expect to be able to see the command line options, since there is no manpage.

Comment 2 Lokesh Mandvekar 2014-07-13 14:14:46 UTC

Hi Michael,

Is this with the latest build? Works fine for me in Enforcing.

$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

$ rpm -q selinux-policy
selinux-policy-3.13.1-63.fc21.noarch

$ rpm -q geard
geard-0-0.13.git6850c8d.fc21.x86_64

Comment 3 Michael S. 2014-07-13 17:20:11 UTC

You are in enforcing, but without a confined user.

Comment 4 Lokesh Mandvekar 2014-07-13 17:28:12 UTC

argh, I see...nvm me.

Perhaps dwalsh has an answer.

Comment 5 Daniel Walsh 2014-07-14 12:21:05 UTC

Is there a reason for a normal (Non admin) user to run this?

Comment 6 Michael S. 2014-07-19 00:58:00 UTC

Well, in my case, it was to read the options and help.
I think it can also be used to manage a remote geard agent.

Comment 7 Daniel Walsh 2014-08-04 19:15:12 UTC

Currently we don't allow staff_t to execute all applications,  I guess we could allow that.

Comment 8 Lokesh Mandvekar 2014-09-17 10:30:54 UTC

Michael,

geard has been retired on fedora. Perhaps this can be closed?

Comment 9 Michael S. 2014-09-18 20:15:11 UTC

I guess someone could autoclose all tickets for it, yeah.

Comment 10 Lokesh Mandvekar 2014-09-28 13:06:26 UTC

Package retired, bug closed.

Note You need to log in before you can comment on or make changes to this bug.