Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1694221

Summary: 20_unconfined uses insufficient check
Product: [Retired] Restraint Reporter: Petr Lautrbach <plautrba>
Component: generalAssignee: Martin Styk <mastyk>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: 0.1.39CC: asavkov, bpeck, breilly, cbeer, mastyk, mmalik, mprchlik, vmojzis
Target Milestone: 0.1.40Keywords: EasyFix, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-02 07:57:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petr Lautrbach 2019-03-29 19:55:27 UTC 
Description of problem:

20_unconfined plugin should make sure that a test is run with unconfined_t. It checks whether the process is already running as unconfined_r:unconfined_t but it doesn't check whether the user part is unconfined_u and it's not.

                        <task name="/distribution/command" role="None">
                                <params>
                                        <param name="CMDS_TO_RUN" value="id -Z"/>
                                </params>
                                <rpm name="test(/distribution/command)" path="/mnt/tests/distribution/command"/>
                        </task>

shows that the process runs as system_u:unconfined_r:unconfined_t:s0

It's not a problem for lot of test cases using targeted policy, but it breaks advanced SELinux tests. The fix is easy:

--- /usr/share/restraint/plugins/task_run.d/20_unconfined.orig  2019-03-29 12:35:11.155548015 -0400
+++ /usr/share/restraint/plugins/task_run.d/20_unconfined       2019-03-29 12:35:15.468548015 -0400
@@ -47,7 +47,7 @@
 
 function runcon_unconfined() {
   local runcon_cmd=$(_runcon_unconfined_cmd)
-  if runcon 2>/dev/null | grep -q ":unconfined_r:unconfined_t:"; then
+  if runcon 2>/dev/null | grep -q "unconfined_u:unconfined_r:unconfined_t:"; then
     # Already in the desired context
     exec "$@"
   elif $runcon_cmd -- true; then
Comment 1 Martin Styk 2019-09-10 05:57:29 UTC 
Restraint 0.1.40 has been released.