Bug 193927 - "cimserver -s" fails if SELinux policies are inactive
"cimserver -s" fails if SELinux policies are inactive
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-02 19:39 EDT by Denise Eckstein
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: u4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-22 10:15:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Denise Eckstein 2006-06-02 19:39:56 EDT
Description of problem:
"cimserver -s" does not work as expected when SELinux policies are inactive.

Version-Release number of selected component (if applicable):
tog-pegasus-2.5.1-1.EL4

How reproducible:
Test cases 1B and 1C do not work as expected.

Steps to Reproduce:

Test Setup 1
setsebool pegasus_disable_trans true

Test Case 1A
service tog-pegasus start
service tog-pegasus stop
   Works correctly

Test Case 1B
cimserver
cimserver -s
   cimserver is stopped, but "CIM Server stopped." message is not displayed.

Test Case 1C
service tog-pegasus start
cimserver -s
   cimserver is not stopped, and "CIM Server stopped." message is not 
displayed.

Test Setup 2
setsebool pegasus_disable_trans false

Test Case 2A
service tog-pegasus start
service tog-pegasus stop
   Works correctly

Test Case 2B
cimserver
cimserver -s
   Works correctly

Test Case 2C
service tog-pegasus start
cimserver -s
   Works correctly


  
Actual results:


Expected results:


Additional info:
Comment 1 Denise Eckstein 2006-06-02 20:28:59 EDT
"cimserver -v" also fails if the OpenPegasus SELinux policies are inactive.
Comment 2 Jason Vas Dias 2006-06-05 15:20:14 EDT
RE: Test Case 1B :
  No process running out of 'unconfined_t' is allowed to write to the terminal 
  device, so you don't see the 'CIM Server stopped' message. This is expected.
  If you had done:
  # cimserver -s | cat
  you would see the 'CIM Server stopped' message in this scenario.

RE: Test Case 1C :
  Yes, this would appear to be a bug in the SELinux policy - we'd need to add
    'allow pegasus_t initrc_t:unix_stream_socket connectto;'
  for this, or make cimserver NOT transition into initrc_t when run from the
  initscript. 

  Actually, one would expect with 'pegasus_disable_trans=true' that either:
  A) running /usr/sbin/cimserver from the command line would not transition into
     pegasus_t
  or
  B) running cimserver from the initscript would still transition cimserver into
     pegasus_t, so that the command line 'cimserver -s' would still succeed.

It would appear that all is not working correctly with the 
'pegasus_disable_trans=true' setting - please could the SELinux maintainers
take a look at this - thanks!
Comment 3 Daniel Walsh 2006-06-06 10:42:42 EDT
Currently the disable_trans only works for initscripts.  If the code is
specially defined to transition from unconfined, we are not using the boolean.

I think this is a minor bug and should be put off until U5

I don't see why you want     
'allow pegasus_t initrc_t:unix_stream_socket connectto;'
Comment 6 RHEL Product and Program Management 2006-08-18 11:43:16 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 7 Denise Eckstein 2006-08-21 22:52:14 EDT
This problem appears to be resolved in RHEL4 U4.

Thanks,
Denise

Note You need to log in before you can comment on or make changes to this bug.