Description of problem:
NTO runs stalld as unconfined_service_t

$ ps -eZ | grep "unconfined_service_t"
system_u:system_r:unconfined_service_t:s0 16962 ? 00:00:31 stalld

Version-Release number of selected component (if applicable):
OCP 4.10

How reproducible:
100%

Steps to Reproduce:
1. Install PAO
2. Create PerformanceProfile
3. This will make NTO install stalld

Actual results:
This unconfined_service_t type service is violating Compliance Operator check "Ensure No Daemons are Unconfined by SELinux". For the above standard we have this KCS: https://access.redhat.com/solutions/6714611

Expected results:
Stalld should run as a different SELinux type

Additional info:
I can confirm quickly adding "/bin/sh -c" in front of ExecStart could simply change the unconfined_service_t to initrc_t.
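The compliance check referenced above ("Ensure No Daemons are Unconfined by SELinux") boils down to inspecting the SELinux type of every running process. The following is an added example, not code from the bug report, NTO, PAO or the Compliance Operator: it parses `ps -eZ` output, splits each context into user:role:type:level, and reports processes whose type is an unconfined domain. The sample `ps -eZ` text is constructed to mirror the line quoted in the report; the set of flagged types and the `audit_live()` helper are assumptions of this example.

```python
import shutil
import subprocess
from typing import Dict, List

# Domains that mean the process runs without a confining SELinux policy.
# unconfined_service_t is the type named in the report; unconfined_t is
# included here as an assumption (it is the interactive unconfined domain).
UNCONFINED_TYPES = {"unconfined_service_t", "unconfined_t"}

# Constructed sample of `ps -eZ` output (not captured from the reporter's host).
SAMPLE_PS_EZ = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:05 systemd
system_u:system_r:unconfined_service_t:s0 16962 ?        00:00:31 stalld
system_u:system_r:initrc_t:s0    17000 ?        00:00:00 sh
system_u:system_r:sshd_t:s0-s0:c0.c1023  900 ?        00:00:00 sshd
"""


def parse_ps_ez(text: str) -> List[Dict[str, str]]:
    """Parse `ps -eZ` lines into dicts with the SELinux context split out."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        # LABEL PID TTY TIME CMD -> split at most 4 times so CMD keeps its spaces.
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] == "LABEL":
            continue  # header line or something too short to be a process row
        label, pid, _tty, _cputime, cmd = parts
        fields = label.split(":")
        if len(fields) < 3:
            continue  # "-" or similar: no SELinux context (SELinux disabled)
        rows.append({
            "user": fields[0],
            "role": fields[1],
            "type": fields[2],
            # MLS/MCS levels may themselves contain ':' (e.g. s0-s0:c0.c1023).
            "level": ":".join(fields[3:]),
            "pid": pid,
            "cmd": cmd,
        })
    return rows


def find_unconfined(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the rows whose SELinux type is an unconfined domain."""
    return [r for r in rows if r["type"] in UNCONFINED_TYPES]


def audit_live() -> List[Dict[str, str]]:
    """Run `ps -eZ` on this host (if available) and report unconfined daemons."""
    if shutil.which("ps") is None:
        return []
    proc = subprocess.run(["ps", "-eZ"], capture_output=True, text=True, check=False)
    return find_unconfined(parse_ps_ez(proc.stdout))


if __name__ == "__main__":
    # Demonstrate against the constructed sample; on a real SELinux host
    # call audit_live() instead.
    for hit in find_unconfined(parse_ps_ez(SAMPLE_PS_EZ)):
        print(f"pid={hit['pid']} cmd={hit['cmd']} type={hit['type']}")
```

Because the check keys on the type field alone, the `/bin/sh -c` wrapper mentioned in the report would make stalld disappear from this output (it would show up as initrc_t instead), which is why the reporter notes it only "simply changes" the label rather than giving stalld a domain of its own.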
Closing as this is not an NTO BZ. NTO/PAO does not own stalld. It can only start/stop/disable a service which happens to be stalld.

Filed https://bugzilla.redhat.com/show_bug.cgi?id=2111030 to have this addressed in RHEL/RHCOS 8.6.

Slack chat: https://coreos.slack.com/archives/CQNBUEVM2/p1658825875245059

Note this is already fixed upstream in selinux-policy-targeted-36.7 and higher.