Bug 472609 - cimserver process requires "kill" access when PEGASUS_ENABLE_PRIVILEGE_SEPARATION enabled
Summary: cimserver process requires "kill" access when PEGASUS_ENABLE_PRIVILEGE_SEPARA...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: tog-pegasus
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Vitezslav Crhonek
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-22 00:49 UTC by Denise Eckstein
Modified: 2009-03-05 16:50 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-05 16:33:57 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Denise Eckstein 2008-11-22 00:49:18 UTC
Description of problem:

If the CIM Server is built with PEGASUS_ENABLE_PRIVILEGE_SEPARATION enabled, the cimserver process is split into two processes, cimserver and cimservermain.  cimservermain is the larger of the two processes and runs in a non-privileged context.  The cimserver process runs as a privileged users.

When "/etc/init.d/tog-pegasus stop" is called a SIGTERM is sent to the cimserver process.  The cimserver process is then responsible for killing the cimservermain process.

If SELinux is enabled, this operation fails with the following error.
Nov 19 09:28:23 bwindi setroubleshoot:      SELinux is preventing /usr/sbin/cimserver (pegasus_t) "kill" access to <Unknown> (pegasus_t).      For complete SELinux messages. run sealert -l 40aba5be-b6a3-4a61-8837-3c1b26836530

[root@bwindi log]# sealert -l 40aba5be-b6a3-4a61-8837-3c1b26836530
Summary
    SELinux is preventing /usr/sbin/cimserver (pegasus_t) "kill" access to
    <Unknown> (pegasus_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/cimserver. It is not expected
    that this access is required by /usr/sbin/cimserver and this access may
    signal an intrusion attempt. It is also possible that the specific version
    or configuration of the application is causing it to require additional
    access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "pegasus_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P pegasus_disable_trans=1."

    The following command will allow this access:
    setsebool -P pegasus_disable_trans=1

Additional Information        

Source Context                root:system_r:pegasus_t
Target Context                root:system_r:pegasus_t
Target Objects                None [ capability ]
Affected RPM Packages         tog-pegasus-2.9.0-1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     bwindi.cup.hp.com
Platform                      Linux bwindi.cup.hp.com 2.6.18-65.el5.bz248052 #1
                              SMP Wed Jan 9 16:05:55 EST 2008 x86_64 x86_64
Alert Count                   90
Line Numbers                  

Raw Audit Messages            

avc: denied { kill } for comm="cimserver" egid=0 euid=0
exe="/usr/sbin/cimserver" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=21675
scontext=root:system_r:pegasus_t:s0 sgid=0 subj=root:system_r:pegasus_t:s0
suid=0 tclass=capability tcontext=root:system_r:pegasus_t:s0 tty=(none) uid=0




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Vitezslav Crhonek 2009-03-05 16:33:57 UTC
Because PEGASUS_ENABLE_PRIVILEGE_SEPARATION is disabled in tog-pegasus shipped in RHEL, we won't change the default policy to give cimserver kill access.

Please consider building own SELinux module:
http://magazine.redhat.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/

Put this into new module to give cimserver desired access:
#============= pegasus_t ==============
allow pegasus_t self:capability kill;

Comment 2 Denise Eckstein 2009-03-05 16:50:57 UTC
Thanks for the pointer.  Using our own SELinux module would definitely make support for SELinux easier.

Thanks,
Denise


Note You need to log in before you can comment on or make changes to this bug.