Description of problem:
"cimserver -s" does not work as expected when SELinux policies are inactive.

Version-Release number of selected component (if applicable):
tog-pegasus-2.5.1-1.EL4

How reproducible:
Test cases 1B and 1C do not work as expected.

Steps to Reproduce:

Test Setup 1
  setsebool pegasus_disable_trans true

Test Case 1A
  service tog-pegasus start
  service tog-pegasus stop
  Works correctly.

Test Case 1B
  cimserver
  cimserver -s
  cimserver is stopped, but the "CIM Server stopped." message is not displayed.

Test Case 1C
  service tog-pegasus start
  cimserver -s
  cimserver is not stopped, and the "CIM Server stopped." message is not displayed.

Test Setup 2
  setsebool pegasus_disable_trans false

Test Case 2A
  service tog-pegasus start
  service tog-pegasus stop
  Works correctly.

Test Case 2B
  cimserver
  cimserver -s
  Works correctly.

Test Case 2C
  service tog-pegasus start
  cimserver -s
  Works correctly.

Actual results:

Expected results:

Additional info:
"cimserver -v" also fails if the OpenPegasus SELinux policies are inactive.
RE: Test Case 1B: No process running out of 'unconfined_t' is allowed to write to the terminal device, so you don't see the 'CIM Server stopped' message. This is expected. If you had done:

  # cimserver -s | cat

you would see the 'CIM Server stopped' message in this scenario.

RE: Test Case 1C: Yes, this would appear to be a bug in the SELinux policy - we'd need to add 'allow pegasus_t initrc_t:unix_stream_socket connectto;' for this, or make cimserver NOT transition into initrc_t when run from the initscript.

Actually, one would expect with 'pegasus_disable_trans=true' that either:
A) running /usr/sbin/cimserver from the command line would not transition into pegasus_t, or
B) running cimserver from the initscript would still transition cimserver into pegasus_t, so that the command line 'cimserver -s' would still succeed.

It would appear that all is not working correctly with the 'pegasus_disable_trans=true' setting - please could the SELinux maintainers take a look at this - thanks!
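As an added diagnostic (not part of the bug report or of tog-pegasus), a small shell script that works out which of the scenarios above applies from the SELinux context of the running cimserver and the state of pegasus_disable_trans. The helpers take the text of "ps -eZ" and "getsebool pegasus_disable_trans" so they can run on the constructed sample output below; diagnose_live is the only function that runs the real commands.

```shell
#!/bin/sh
# Print the SELinux type (third field of user:role:type[:level]) of the
# running cimserver process, e.g. initrc_t or pegasus_t.
cimserver_domain() {
    printf '%s\n' "$1" |
        awk '$NF == "cimserver" { split($1, c, ":"); print c[3]; exit }'
}

# Print "on" or "off" from a line such as "pegasus_disable_trans --> on".
disable_trans_state() {
    printf '%s\n' "$1" | awk '/^pegasus_disable_trans/ { print $NF; exit }'
}

# Predict the outcome of "cimserver -s" typed from an unconfined shell,
# following the explanation given in the comment above: with the boolean
# on, a command-line cimserver still transitions into pegasus_t, which
# cannot connect to a server left in initrc_t by the initscript.
predict_stop() {
    domain=$1; state=$2
    case "$domain:$state" in
        initrc_t:on)
            echo "stop fails: client in pegasus_t, server in initrc_t (test case 1C)" ;;
        pegasus_t:on)
            echo "stop works, but the message is not written to the terminal (test case 1B)" ;;
        pegasus_t:off)
            echo "stop works (test setup 2)" ;;
        *)
            echo "unexpected combination: domain=$domain disable_trans=$state" ;;
    esac
}

# Run the real commands on a live system (requires SELinux tools installed).
diagnose_live() {
    predict_stop "$(cimserver_domain "$(ps -eZ)")" \
                 "$(disable_trans_state "$(getsebool pegasus_disable_trans)")"
}

# Constructed sample output standing in for ps -eZ and getsebool (test case 1C).
SAMPLE_PS='LABEL                           PID TTY          TIME CMD
system_u:system_r:initrc_t      2112 ?        00:00:00 cimserver
root:system_r:unconfined_t      2200 pts/0    00:00:00 bash'
SAMPLE_BOOL='pegasus_disable_trans --> on'

predict_stop "$(cimserver_domain "$SAMPLE_PS")" "$(disable_trans_state "$SAMPLE_BOOL")"
```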
Currently the disable_trans only works for initscripts. If the code is specially defined to transition from unconfined, we are not using the boolean. I think this is a minor bug and should be put off until U5. I don't see why you want 'allow pegasus_t initrc_t:unix_stream_socket connectto;'.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
This problem appears to be resolved in RHEL4 U4. Thanks, Denise