Bug 623920 - Define a selinux policy for test harness
Summary: Define a selinux policy for test harness
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: beah
Version: 0.5
Hardware: All
OS: Linux
medium
high
Target Milestone: future_maint
Assignee: Marian Csontos
QA Contact:
URL:
Whiteboard:
Depends On: 669665
Blocks: 633239
Reported: 2010-08-13 06:58 UTC by Marian Csontos
Modified: 2011-03-11 13:48 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-03-11 13:48:20 UTC
Embargoed:



Description Marian Csontos 2010-08-13 06:58:21 UTC
The task should run under a configurable context (unconfined_t as default) instead of initrc_t.

Taking the following from Bug 620969#c1:

The big difference between running 'make run' on the command line and from the job is
that on the command line it runs as

  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

while when running under rhts/beaker as

  system_u:system_r:initrc_t:s0

The question is which one is correct?

I am in favor of unconfined_t:

- the shell and utilities should behave as on the command line, shouldn't they?
- for services (e.g. httpd) context transitions should be handled by policy

Actually this would be a configuration option with
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 as default.

See also the following comments.
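
An added example, not part of the original report and not beah's code: a context parser that keeps the colon inside the MLS range of the first context above intact and compares a task's context with a configured default. The function names are hypothetical, and starting the task through runcon is an assumption; the report does not say how the harness switches context.

```python
from typing import List, NamedTuple, Optional

# The two contexts quoted in the report.
CLI_CONTEXT = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
HARNESS_CONTEXT = "system_u:system_r:initrc_t:s0"

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # MLS/MCS range; may itself contain ':'

    def __str__(self) -> str:
        return ":".join(f for f in self if f is not None)

def parse_context(raw: str) -> Context:
    """Split user:role:type[:level]; only the first three colons are separators."""
    parts = raw.strip("\x00 \t\r\n").split(":", 3)
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"not an SELinux context: {raw!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else None)

def current_context(path: str = "/proc/self/attr/current") -> Optional[Context]:
    """Context of this process, or None when no SELinux context can be read."""
    try:
        with open(path) as fh:
            return parse_context(fh.read())
    except (OSError, ValueError):
        return None

def context_mismatches(actual: Context, configured: Context) -> List[str]:
    """Fields in which a task's context differs from the configured one."""
    return [f"{name} is {got}, expected {want}"
            for name, got, want in zip(Context._fields, actual, configured)
            if got != want]

def runcon_argv(configured: Context, task_argv: List[str]) -> List[str]:
    """Command line that starts the task in the configured context via runcon(1)."""
    return ["runcon", str(configured), *task_argv]

if __name__ == "__main__":
    configured = parse_context(CLI_CONTEXT)
    # Fall back to the harness context from the report when SELinux is absent.
    actual = current_context() or parse_context(HARNESS_CONTEXT)
    for problem in context_mismatches(actual, configured):
        print("mismatch:", problem)
    print(" ".join(runcon_argv(configured, ["make", "run"])))
```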

Comment 1 Ales Zelinka 2011-03-11 11:08:54 UTC
Ping, any plans to implement this? Since RHTS times, the dreaded initrc_t has caused many jobs to fail and time to be wasted...

Comment 2 Marian Csontos 2011-03-11 13:21:37 UTC
FYI tasks run in unconfined_t context for some week now.

Comment 3 Ales Zelinka 2011-03-11 13:46:05 UTC
Good news, can we close this bug then?

