+++ This bug was initially created as a clone of Bug #556787 +++

Escalated to Bugzilla from IssueTracker

--- Additional comment from tao on 2010-01-19 07:40:34 EST ---

Event posted on 12-17-2009 04:15pm EST by csd-unix

Description of problem:
Daemons that SELinux policy does not know about will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the initrc_t context. This is a problem because it may cause AVC denials, or it could allow privileges that the daemon does not require. On a clean install of RHNS 5.3 the following daemons are unconfined: rhnsearchd, cobblerd, taskomaticd. https://fedorahosted.org/spacewalk/wiki/Features/SELinux documents the fact that rhnsearchd and taskomaticd are unconfined. I have not seen any reference for cobblerd.

How reproducible:
always

Steps to Reproduce:
build an RHNS 5.3 and run
/bin/ps -eZ | /bin/egrep "initrc"

Actual results:
root:system_r:initrc_t:s0 18520 ? 00:00:00 rhnsearchd
root:system_r:initrc_t:s0 18570 ? 00:00:00 cobblerd
root:system_r:initrc_t:s0 18595 ? 00:00:00 taskomaticd

Expected results:
no output

[...]

--- Additional comment from cperry on 2010-07-12 16:59:29 EDT ---

Jan - please [...] provide as part of rules SELinux for RHEL 5 & 6 for taskomatic and search. For cobbler use the one cobbler defines and use it by default as well.

Cliff.
The taskomaticd and rhnsearchd are addressed in Spacewalk master, 809e0bbc35ebab9bb78976e50af6f79f72fd19e3.
Mass-moving to space13.
On Fedora 13 and 14, cobbler is confined as well:

# ps axuwZ | grep cobbler
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 4509 0.0 0.1 4468 752 pts/1 S+ 15:39 0:00 grep --color=auto cobbler
unconfined_u:system_r:cobblerd_t:s0 root 7534 0.0 0.5 51608 3952 ? S Nov19 0:35 /usr/bin/python /usr/bin/cobblerd --daemonize
With Spacewalk 1.2 released, marking as resolved, as both taskomaticd and rhnsearchd, and cobblerd on Fedoras via standard selinux-policy-targeted are covered.
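
Added example, not part of the bug report or of Spacewalk: the reproduction step above greps the whole ps line for "initrc", which also matches command names; this sketch compares only the type field of the SELinux context. The function names and the sample listing are constructed for illustration (the three initrc_t rows are the ones from the report).

```shell
#!/bin/sh
# find_domain TYPE
# Reads `ps -eZ` style output (LABEL PID TTY TIME CMD) on stdin and prints
# "PID CMD" for every process whose SELinux type equals TYPE
# (default: initrc_t, the domain inherited by daemons without their own policy).
find_domain() {
    awk -v want="${1:-initrc_t}" '
        $1 == "LABEL" { next }              # skip the ps header line
        {
            # A context is user:role:type[:level]. The level may itself
            # contain colons (s0-s0:c0.c1023), so only field 3 is the type.
            n = split($1, ctx, ":")
            if (n < 3 || ctx[3] != want) next
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            print $2, cmd
        }'
}

# Constructed sample input. The initrc_t rows come from the report; the
# init and initrc-check rows are made up to exercise the parser.
sample_ps_output() {
    cat <<'EOF'
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
root:system_r:initrc_t:s0 18520 ? 00:00:00 rhnsearchd
root:system_r:initrc_t:s0 18570 ? 00:00:00 cobblerd
root:system_r:initrc_t:s0 18595 ? 00:00:00 taskomaticd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4509 pts/1 00:00:00 initrc-check
EOF
}

# Stand-alone run on the sample; on a live host use: ps -eZ | find_domain initrc_t
sample_ps_output | find_domain initrc_t
```

An empty result corresponds to the "no output" expected in the report.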