Red Hat Bugzilla – Bug 119408
"service <server> status" for unprivileged user with selinux enforcing
Last modified: 2007-11-30 17:10:39 EST
Description of problem:
With selinux in enforcing mode, system processes are
hidden from normal users. In particular "pidof <command>"
doesn't work for system processes.
A consequence of this is that for a normal user
"/sbin/service <service> status" says the service
is stopped even if it is actually running.
Steps to Reproduce:
0. Install test2 and login.
1. % service sshd status
2. % service canna status
3. su -
4. # service sshd status
5. # service canna status
Actual results:
1. sshd dead but pid file exists
2. cannaserver is stopped
4. sshd (pid 2536 2532 2068) is running...
5. cannaserver (pid 4541) is running...
Expected results:
Consistent results. If service can't tell the pids
of system processes to normal users, it should
say so (e.g. "Permission denied" or similar), rather
than giving inaccurate responses.
The xinput script currently depends on service status output.
Canna comes with cannaping whose exit status corresponds to
whether cannaserver is running or not. But implementing
"<service>ping" for every daemon in the distro seems like
a lot of work...
Any thoughts on this? :)
Yeah, ouch. I have no idea how to handle this other than to rewrite
This really requires a rewrite of all service scripts to make it work
correctly, so I am deferring.
A rewrite of the "/etc/init.d/functions" file, which all (I think) of
the functions call to load up the helper routines, to check and abort
out with a "permission denied" or something along those lines, is all
that's necessary I think.
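
The following is an added example, not part of the original thread and not code from initscripts: a status helper in the spirit of the suggestion above that reports "status unknown" rather than "stopped" when the caller's view of the process list is restricted. The function name `checked_status`, the PID 1 visibility probe and the optional proc-root argument are assumptions made for illustration.

```shell
# Exit codes follow the LSB init-script convention:
#   0 running, 1 dead but pid file exists, 3 stopped, 4 status unknown.
# Assumptions (not from the thread): a hidden process list shows up as
# PID 1 being invisible under the proc root; the third argument is a
# hypothetical override of /proc so the logic can be exercised offline.
checked_status() {
    name=$1
    pidfile=$2
    procroot=${3:-/proc}

    # If even PID 1 is invisible, a missing /proc/<pid> proves nothing.
    view=restricted
    if [ -d "$procroot/1" ]; then view=full; fi

    pids=""
    if [ -e "$pidfile" ]; then
        if [ ! -r "$pidfile" ]; then
            echo "$name status unknown: permission denied reading $pidfile"
            return 4
        fi
        # Keep only numeric entries whose process is visible to the caller.
        for p in $(cat "$pidfile"); do
            case $p in ''|*[!0-9]*) continue ;; esac
            if [ -d "$procroot/$p" ]; then pids="$pids $p"; fi
        done
    fi

    if [ -n "$pids" ]; then
        echo "$name (pid$pids) is running..."
        return 0
    fi
    # No visible process: only trust that result with a full process view.
    if [ "$view" = restricted ]; then
        echo "$name status unknown: permission denied (process list hidden)"
        return 4
    fi
    if [ -e "$pidfile" ]; then
        echo "$name dead but pid file exists"
        return 1
    fi
    echo "$name is stopped"
    return 3
}
# Usage: checked_status sshd /var/run/sshd.pid
```

A caller such as the xinput script mentioned in the report could then treat exit code 4 as "cannot tell" instead of assuming the daemon is down.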