694881 – Please add policy for corosync-notifyd (runs as initrc_t)

Bug 694881 - Please add policy for corosync-notifyd (runs as initrc_t)

Summary: Please add policy for corosync-notifyd (runs as initrc_t)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	832330
TreeView+	depends on / blocked

Reported:	2011-04-08 17:51 UTC by Jaroslav Kortus
Modified:	2014-06-17 14:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.7.19-106.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:07:29 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Jaroslav Kortus 2011-04-08 17:51:25 UTC

Description of problem:
corosync-notifyd does not have it's own policy and keeps initrc_t after startup

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch

How reproducible:
100%


Steps to Reproduce:
1.service corosync-notifyd start
2.
3.
  
Actual results:
initrc_t context

Expected results:
corosync-notifyd's own context

Additional info:
This is needed together with foghorn policy (bug 693792) to have full selinux coverage of added cluster SNMP functionality.

Comment 1 Daniel Walsh 2011-04-08 18:14:13 UTC

If this is not causing any AVC's I believe we should put this off until 6.2

Comment 2 Miroslav Grepl 2011-04-11 07:17:09 UTC

Jaroslav,
I am not seeing AVC msgs, can you confirm it with your configuration?


You could also try to play with the following labeling

chcon -t corosync_exec_t /usr/sbin/corosync-notifyd


which I believe it could also work.

Comment 3 Jaroslav Kortus 2011-04-11 09:23:54 UTC

I've not noticed any denial (yet), but that's IMHO not surprising in initrc_t context.

Comment 4 Miroslav Grepl 2011-04-11 10:27:33 UTC

Well, actually there could be AVC msgs. Other cluster domains could talk with this daemon which could cause issues.

Comment 8 Miroslav Grepl 2011-06-29 13:55:57 UTC

Fixed in selinux-policy-3.7.19-101.el6

Comment 11 Miroslav Grepl 2011-08-02 06:35:56 UTC

Fixed in selinux-policy-3.7.19-106.el6

Comment 14 errata-xmlrpc 2011-12-06 10:07:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.