Bug 193936 - cimserver behaves unexpectedly when SELinux policies are inactive
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: tog-pegasus
Version: 4.0
Hardware: All
OS: Linux
Assignee: Jason Vas Dias
Reported: 2006-06-03 01:24 UTC by Denise Eckstein
Modified: 2007-11-30 22:07 UTC (History)
Last Closed: 2006-06-05 18:21:27 UTC

Description Denise Eckstein 2006-06-03 01:24:38 UTC
Description of problem:
The cimserver command behaves unexpectedly when SELinux policies are inactive.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
2. setsebool pegasus_disable_trans true
3. cimserver
4. osinfo 
   FAILURE: OpenPegasus SELinux Policy testing is still enabled
5. cimserver -s
6. chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1

Actual results:

osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by 
a more specific error code: "ProviderLoadFailure 
ot load library, error: /usr/lib64/Pegasus/providers/libOSProvider.so: failed 
to map segment from shared object: Permission denied"

Expected results:

Additional info:

The same sequence behaves as expected if the /etc/init.d/tog-pegasus command 
is used to start and stop the cimserver.

# chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
# setsebool pegasus_disable_trans true
# /etc/init.d/tog-pegasus start
# osinfo
# /etc/init.d/tog-pegasus stop
# chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1

Comment 1 Jason Vas Dias 2006-06-05 18:21:27 UTC
The default SELinux file context for /usr/lib/Pegasus/providers/* is 
system_u:object_r:shlib_t.

This is the only context that cimserver is allowed to dynamically load by
the SELinux policy of selinux-policy-targeted-1.17.30-2.134.

So why would you want to manually change the context of the provider libraries
to something that cimserver cannot load under SELinux?

This does not seem to be something that users would realistically do, nor can
I think of any reason for doing it.

FIX: do not change the SELinux file context of the /usr/lib/Pegasus/providers/*
     shared libraries - the default file context is OK and works correctly.
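
Added example (not part of the original report or of tog-pegasus): a small audit that flags provider libraries whose SELinux type is not the shlib_t named in comment 1. The function names, the sample labels and the libExampleProvider.so.1 path are constructed for illustration; paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Type that comment 1 gives for /usr/lib/Pegasus/providers/*.
EXPECTED_TYPE="shlib_t"

# context_type CONTEXT: print the type field of an SELinux context.
# Handles "user:role:type" and "user:role:type:level".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled_providers: read "PATH CONTEXT" lines on stdin and print
# "PATH TYPE" for every file whose type is not EXPECTED_TYPE.
# Returns 1 if at least one mismatch was found, 0 otherwise.
mislabeled_providers() {
    bad=0
    while read -r path ctx; do
        [ -n "$path" ] || continue
        t=$(context_type "$ctx")
        if [ "$t" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$path" "$t"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input: the first line mirrors the label set by the
# chcon command in the report, the others carry the default type.
sample_labels() {
    cat <<'EOF'
/usr/lib/Pegasus/providers/libOSProvider.so.1 root:object_r:usr_t
/usr/lib/Pegasus/providers/libExampleProvider.so.1 system_u:object_r:shlib_t
/usr/lib/Pegasus/providers/libExampleProvider.so system_u:object_r:shlib_t:s0
EOF
}

# Demo on the constructed sample. On a live system with GNU stat
# (assumption), feed real labels instead:
#   stat -c '%n %C' /usr/lib/Pegasus/providers/* | mislabeled_providers
sample_labels | mislabeled_providers || echo "provider libraries need relabeling"
```

Files the audit reports can be returned to the policy default with restorecon rather than a hand-written chcon.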
