Description of problem:
The cimserver command behaves unexpectedly when SELinux policies are inactive.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
2. setsebool pegasus_disable_trans true
3. cimserver
4. osinfo FAILURE: OpenPegasus SELinux Policy testing is still enabled
5. cimserver -s
6. chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1

Actual results:
osinfo error: CIM_ERR_FAILED: A general error occurred that is not covered by a more specific error code: "ProviderLoadFailure (/usr/lib64/Pegasus/providers/libOSProvider.so:PG_OperatingSystemProvider):Cannot load library, error: /usr/lib64/Pegasus/providers/libOSProvider.so: failed to map segment from shared object: Permission denied"

Expected results:

Additional info:
The same sequence behaves as expected if the /etc/init.d/tog-pegasus command is used to start and stop the cimserver.

# chcon -u root -r object_r -t usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1
# setsebool pegasus_disable_trans true
# /etc/init.d/tog-pegasus start
# osinfo
# /etc/init.d/tog-pegasus stop
# chcon -u system_u -r object_r -t shlib_t /usr/lib/Pegasus/providers/libOSProvider.so.1

The default SELinux file context for /usr/lib/Pegasus/providers/* is system_u:object_r:shlib_t. This is the only context that cimserver is allowed to dynamically load by the SELinux policy of selinux-policy-targeted-1.17.30-2.134.

So why would you want to manually change the context of the provider libraries to something that cimserver cannot load under SELinux? This does not seem to be something that users would realistically do, nor can I think of any reason for doing it.

FIX: do not change the SELinux file context of the /usr/lib/Pegasus/providers/* shared libraries - the default file context is OK and works correctly.
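
Added example, not part of the original report or reply and not code from the OpenPegasus or selinux-policy projects: a small audit that flags provider libraries whose SELinux type differs from the shlib_t default quoted above. The function names and the sample listing are constructed for illustration; live_listing assumes GNU find and stat on an SELinux-enabled host.

```shell
#!/bin/sh
# Added example: flag provider libraries whose SELinux type is not the default.
EXPECTED_TYPE="shlib_t"   # type from the default context quoted in the reply above

# Print the type field (third colon-separated field) of an SELinux context.
# Works with or without a trailing MLS level, e.g. user:role:type:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "CONTEXT PATH" lines on stdin, report every path whose type is not
# EXPECTED_TYPE, and return 1 if any mismatch was found (0 otherwise).
check_listing() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(context_type "$ctx")
        if [ "$t" != "$EXPECTED_TYPE" ]; then
            printf 'MISMATCH %s type=%s expected=%s\n' "$path" "$t" "$EXPECTED_TYPE"
            bad=1
        fi
    done
    return "$bad"
}

# Produce "CONTEXT PATH" lines for a directory on a live SELinux host
# (GNU stat: %C is the SELinux context, %n is the file name).
live_listing() {
    find "$1" -type f -exec stat -c '%C %n' {} +
}

# Constructed sample listing: one correctly labelled library (hypothetical
# name) and libOSProvider.so.1 relabelled as in step 1 of the report.
SAMPLE='system_u:object_r:shlib_t /usr/lib/Pegasus/providers/libConstructedProvider.so.1
root:object_r:usr_t /usr/lib/Pegasus/providers/libOSProvider.so.1'

printf '%s\n' "$SAMPLE" | check_listing || true
# On a real host: live_listing /usr/lib/Pegasus/providers | check_listing
```

Running restorecon -v on a reported path resets it to the context the loaded policy defines for that location.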