Bug 193927 - "cimserver -s" fails if SELinux policies are inactive
Summary: "cimserver -s" fails if SELinux policies are inactive
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-06-02 23:39 UTC by Denise Eckstein
Modified: 2007-11-30 22:07 UTC (History)
1 user (show)

Fixed In Version: u4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-22 14:15:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Denise Eckstein 2006-06-02 23:39:56 UTC 
Description of problem:
"cimserver -s" does not work as expected when SELinux policies are inactive.

Version-Release number of selected component (if applicable):
tog-pegasus-2.5.1-1.EL4

How reproducible:
Test cases 1B and 1C do not work as expected.

Steps to Reproduce:

Test Setup 1
setsebool pegasus_disable_trans true

Test Case 1A
service tog-pegasus start
service tog-pegasus stop
   Works correctly

Test Case 1B
cimserver
cimserver -s
   cimserver is stopped, but "CIM Server stopped." message is not displayed.

Test Case 1C
service tog-pegasus start
cimserver -s
   cimserver is not stopped, and "CIM Server stopped." message is not 
displayed.

Test Setup 2
setsebool pegasus_disable_trans false

Test Case 2A
service tog-pegasus start
service tog-pegasus stop
   Works correctly

Test Case 2B
cimserver
cimserver -s
   Works correctly

Test Case 2C
service tog-pegasus start
cimserver -s
   Works correctly


  
Actual results:


Expected results:


Additional info:
Comment 1 Denise Eckstein 2006-06-03 00:28:59 UTC 
"cimserver -v" also fails if the OpenPegasus SELinux policies are inactive.
Comment 2 Jason Vas Dias 2006-06-05 19:20:14 UTC 
RE: Test Case 1B :
  No process running out of 'unconfined_t' is allowed to write to the terminal 
  device, so you don't see the 'CIM Server stopped' message. This is expected.
  If you had done:
  # cimserver -s | cat
  you would see the 'CIM Server stopped' message in this scenario.

RE: Test Case 1C :
  Yes, this would appear to be a bug in the SELinux policy - we'd need to add
    'allow pegasus_t initrc_t:unix_stream_socket connectto;'
  for this, or make cimserver NOT transition into initrc_t when run from the
  initscript. 

  Actually, one would expect with 'pegasus_disable_trans=true' that either:
  A) running /usr/sbin/cimserver from the command line would not transition into
     pegasus_t
  or
  B) running cimserver from the initscript would still transition cimserver into
     pegasus_t, so that the command line 'cimserver -s' would still succeed.

It would appear that all is not working correctly with the 
'pegasus_disable_trans=true' setting - please could the SELinux maintainers
take a look at this - thanks!
Comment 3 Daniel Walsh 2006-06-06 14:42:42 UTC 
Currently the disable_trans only works for initscripts.  If the code is
specially defined to transition from unconfined, we are not using the boolean.

I think this is a minor bug and should be put off until U5

I don't see why you want     
'allow pegasus_t initrc_t:unix_stream_socket connectto;'
Comment 6 RHEL Program Management 2006-08-18 15:43:16 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Denise Eckstein 2006-08-22 02:52:14 UTC 
This problem appears to be resolved in RHEL4 U4.

Thanks,
Denise
Note You need to log in before you can comment on or make changes to this bug.