Bug 193924 - Run-As-Requestor test fails with SELinux policies active
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-06-02 19:12 EDT by Denise Eckstein
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2007-0171
Doc Type: Bug Fix
Last Closed: 2007-05-01 18:47:30 EDT
Description Denise Eckstein 2006-06-02 19:12:44 EDT
Description of problem:
The "Run-As-Requestor" feature fails if the OpenPegasus SELinux policies are 
active.

Version-Release number of selected component (if applicable):
tog-pegasus-2.5.1-1.EL4

How reproducible:

Steps to Reproduce:
Test Setup 
1. cimprovider -r -m OperatingSystemModule 
2. Modify the PG_Provider Module instance definition 
in /usr/share/Pegasus/mof/Pegasus/PG_OperatingSystem20R.mof as follows:
   2a. Change the InterfaceVersion from "2.1.0" to "2.5.0". 
   2b. Add the new property 
       UserContext = 2; 
3. cimmof -n root/PG_InterOp /usr/share/Pegasus/mof/Pegasus/PG_OperatingSystem20R.mof

Run Tests

1. osinfo 
FAILURE: Test is failing when run by a non-root user.
  
Actual results:

$ osinfo
osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "Failed to communicate with cimprovagt "OperatingSystemModule"."

cimserver.trc Output

06/01/2006-20:55:17: OsAbstraction [3810:1115699552:SystemUnix.cpp:1139]: setgid failed: Operation not permitted
06/01/2006-20:55:17: DiscardedData [3810:1115699552]: System::changeUserContext() failed. userName = guest.
06/01/2006-20:55:17: OsAbstraction [3765:1115699552]: Failed to read buffer from pipe: connection closed

Expected results:


Additional info:
Comment 1 Jason Vas Dias 2006-06-05 15:40:37 EDT
Yes, this would appear to be due to missing SELinux policy:
  'allow pegasus_t self:capability setgid;'

With selinux-policy-targeted-1.17.30-2.134, we allowed pegasus_t the
'setuid' capability, but not the 'setgid' capability :-(

This needs to be fixed in the next release of the RHEL-4 selinux-policy-targeted.
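
Added example (not part of the original bug report or of any Red Hat tooling): a small audit2allow-style check that turns AVC denials into the allow rules they imply, which is how a denied 'setgid' capability in pegasus_t maps to the rule quoted in Comment 1. The audit records below are constructed for illustration; the bug report itself contains no AVC lines, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (assumption: typical AVC layout, not
# taken from the bug report). capability=6 is CAP_SETGID.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1149209717.301:52): avc:  denied  { setgid } for  pid=3810 comm="cimprovagt" capability=6 scontext=root:system_r:pegasus_t tcontext=root:system_r:pegasus_t tclass=capability
type=SYSCALL msg=audit(1149209717.301:52): arch=40000003 syscall=46 success=no exit=-1 pid=3810 comm="cimprovagt"
type=AVC msg=audit(1149209720.118:57): avc:  denied  { append } for  pid=2201 comm="ntpd" name="messages" dev=dm-0 ino=4711 scontext=system_u:system_r:ntpd_t tcontext=system_u:object_r:var_log_t tclass=file
"""

AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def missing_allow_rules(log_text, domain=None):
    """Build the allow rules implied by AVC denials, optionally for one domain."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if not m:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        src = context_type(m.group("scon"))
        tgt = context_type(m.group("tcon"))
        if domain and src != domain:
            continue
        # A domain acting on itself is written as 'self' in policy source.
        target = "self" if src == tgt else tgt
        wanted[(src, target, m.group("tclass"))].update(m.group("perms").split())

    rules = []
    for (src, target, tclass), perms in sorted(wanted.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {target}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in missing_allow_rules(SAMPLE_AUDIT_LOG, domain="pegasus_t"):
        print(rule)
```

Rules produced this way are candidates for review against the policy's intent, not text to load unchanged.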
Comment 2 Denise Eckstein 2006-06-05 16:42:05 EDT
Sounds good.  Thanks!
Comment 3 Daniel Walsh 2006-06-15 22:35:14 EDT
Fixed in 1.17.30-2.138
Comment 6 RHEL Product and Program Management 2006-08-18 11:43:52 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Denise Eckstein 2006-08-21 22:39:21 EDT
OpenPegasus SELinux testing can be tricky, but I believe this one is resolved 
in RHEL4 U4 with the release of selinux-policy-targeted-1.17.30-2.140.  Can 
you verify that the fix was not included?

Thanks,
Denise
Comment 8 Daniel Walsh 2006-08-22 10:14:26 EDT
Yes this release contained fixes for pegasus.
Comment 13 Red Hat Bugzilla 2007-05-01 18:47:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html
