Red Hat Bugzilla – Bug 193936
cimserver behaves unexpectedly when SELinux policies are inactive
Last modified: 2007-11-30 17:07:25 EST
Description of problem:
The cimserver command behaves unexpectedly when SELinux policies are inactive.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. chcon -u root -r object_r -t
2. setsebool pegasus_disable_trans true
FAILURE: OpenPegasus SELinux Policy testing is still enabled
5. cimserver -s
6. chcon -u system_u -r object_r -t
osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by
a more specific error code: "ProviderLoadFailure
ot load library, error: /usr/lib64/Pegasus/providers/libOSProvider.so: failed
to map segment from shared object: Permission denied"
The same sequence behaves as expected if the /etc/init.d/tog-pegasus command
is used to start and stop the cimserver.
# chcon -u root -r object_r -t
# setsebool pegasus_disable_trans true
# /etc/init.d/tog-pegasus start
# /etc/init.d/tog-pegasus stop
# chcon -u system_u -r object_r -t
The default SELinux file context for /usr/lib/Pegasus/providers/* is
This is the only context that cimserver is allowed to dynamically load by
the SELinux policy of selinux-policy-targeted-1.17.30-2.134 .
So why would you want to manually change the context of the provider libraries
to something that cimserver cannot load under SELinux ?
This does not seem to be something that users would realistically do, nor can
I think of any reason for doing it.
FIX: do not change the SELinux file context of the /usr/lib/Pegasus/providers/*
shared libraries - the default file context is OK and works correctly.