Bug 193936 - cimserver behaves unexpectedly when SELinux policies are inactive
Summary: cimserver behaves unexpectedly when SELinux policies are inactive
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: tog-pegasus (Show other bugs)
(Show other bugs)
Version: 4.0
Hardware: All Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Jason Vas Dias
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-06-03 01:24 UTC by Denise Eckstein
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-06-05 18:21:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Denise Eckstein 2006-06-03 01:24:38 UTC
Description of problem:
The cimserver command behaves unexpectedly when SELinux policies are inactive.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. chcon -u root -r object_r -t 
usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
2. setsebool pegasus_disable_trans true
3. cimserver
4. osinfo 
   FAILURE: OpenPegasus SELinux Policy testing is still enabled
5. cimserver -s
6. chcon -u system_u -r object_r -t 
shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1 
  
Actual results:

osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by 
a more specific error code: "ProviderLoadFailure 
(/usr/lib64/Pegasus/providers/libOSProvider.so:PG_OperatingSystemProvider):Cann
ot load library, error: /usr/lib64/Pegasus/providers/libOSProvider.so: failed 
to map segment from shared object: Permission denied"

Expected results:


Additional info:

The same sequence behaves as expected if the /etc/init.d/tog-pegasus command 
is used to start and stop the cimserver.

# chcon -u root -r object_r -t 
usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
# setsebool pegasus_disable_trans true
# /etc/init.d/tog-pegasus start
# osinfo
# /etc/init.d/tog-pegasus stop
# chcon -u system_u -r object_r -t 
shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1

Comment 1 Jason Vas Dias 2006-06-05 18:21:27 UTC
The default SELinux file context for /usr/lib/Pegasus/providers/* is 
system_u:object_r:shlib_t .

This is the only context that cimserver is allowed to dynamically load by
the SELinux policy of selinux-policy-targeted-1.17.30-2.134 .

So why would you want to manually change the context of the provider libraries
to something that cimserver cannot load under SELinux ? 

This does not seem to be something that users would realistically do, nor can
I think of any reason for doing it.

FIX: do not change the SELinux file context of the /usr/lib/Pegasus/providers/*
     shared libraries - the default file context is OK and works correctly.


Note You need to log in before you can comment on or make changes to this bug.