Bug 193936 - cimserver behaves unexpectedly when SELinux policies are inactive
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: tog-pegasus
Version: 4.0
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Jason Vas Dias
Reported: 2006-06-02 21:24 EDT by Denise Eckstein
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2006-06-05 14:21:27 EDT
Description Denise Eckstein 2006-06-02 21:24:38 EDT
Description of problem:
The cimserver command behaves unexpectedly when SELinux policies are inactive.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
2. setsebool pegasus_disable_trans true
3. cimserver
4. osinfo 
   FAILURE: OpenPegasus SELinux Policy testing is still enabled
5. cimserver -s
6. chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1
  
Actual results:

osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib64/Pegasus/providers/libOSProvider.so:PG_OperatingSystemProvider):Cannot load library, error: /usr/lib64/Pegasus/providers/libOSProvider.so: failed to map segment from shared object: Permission denied"

Expected results:


Additional info:

The same sequence behaves as expected if the /etc/init.d/tog-pegasus command 
is used to start and stop the cimserver.

# chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
# setsebool pegasus_disable_trans true
# /etc/init.d/tog-pegasus start
# osinfo
# /etc/init.d/tog-pegasus stop
# chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1
Comment 1 Jason Vas Dias 2006-06-05 14:21:27 EDT
The default SELinux file context for /usr/lib/Pegasus/providers/* is 
system_u:object_r:shlib_t .

This is the only context that cimserver is allowed to dynamically load by
the SELinux policy of selinux-policy-targeted-1.17.30-2.134 .

So why would you want to manually change the context of the provider libraries
to something that cimserver cannot load under SELinux?

This does not seem to be something that users would realistically do, nor can
I think of any reason for doing it.

FIX: do not change the SELinux file context of the /usr/lib/Pegasus/providers/*
     shared libraries - the default file context is OK and works correctly.
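
The label check implied by Comment 1, as an added example that is not part of the original bug report or of tog-pegasus: it lists provider libraries whose SELinux type is not shlib_t. The function names and the second library name (libExampleProvider.so.1) are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): list files whose SELinux type
# differs from the one the policy allows cimserver to load.

# find_mislabeled EXPECTED_TYPE
# Reads "<context> <path>" lines on stdin (the output format of
# `stat -c '%C %n' FILE...`) and prints "<path> <type>" for each mismatch.
find_mislabeled() {
    expected=$1
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        # A context is user:role:type, optionally followed by :level.
        setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$setype" != "$expected" ]; then
            printf '%s %s\n' "$path" "$setype"
        fi
    done
}

# Constructed sample input: the relabelled library from the report plus a
# hypothetical second provider that still carries the default context.
sample_contexts() {
    cat <<'EOF'
root:object_r:usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
system_u:object_r:shlib_t /usr/lib/Pegasus/providers/libExampleProvider.so.1
EOF
}

# Offline demonstration on the constructed sample.
sample_contexts | find_mislabeled shlib_t

# On a live system:
#   stat -c '%C %n' /usr/lib/Pegasus/providers/* | find_mislabeled shlib_t
# and restore the policy default for anything listed with:
#   restorecon -v <path>
```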
