Bug 985331 - osad runs as initrc_t
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Blocks: 832330 982272
 
Reported: 2013-07-17 06:07 EDT by Martin Minar
Modified: 2016-07-03 20:57 EDT

Fixed In Version: selinux-policy-3.7.19-245.el6
Doc Type: Bug Fix
Last Closed: 2014-10-14 03:57:00 EDT
Type: Bug


Description Martin Minar 2013-07-17 06:07:17 EDT
Description of problem:
# ps -axZ
unconfined_u:system_r:initrc_t:s0 14573 pts/0  S      0:00 /usr/bin/python /usr/sbin/osad --pid-file /var/run/osad.pid

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-195.el6_4.12.noarch
selinux-policy-targeted-3.7.19-195.el6_4.12.noarch
RHEL 6.4

How reproducible:
1 of 1

Steps to Reproduce:
1. yum install osad
2. service osad start
3. ps -axZ

Actual results:
Running as initrc_t

Expected results:
It should run under its own label.

Additional info:
Not causing additional issues.
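
A check for the condition this report describes, as an added example that is not part of the original report: it reads `ps -axZ` output and lists every process whose SELinux type is `initrc_t`, meaning no domain transition happened when the init script started it. The names `find_generic_domain` and `sample_ps` are hypothetical, and every sample line except the osad one is constructed.

```shell
#!/bin/sh
# Added example: flag processes left in a generic SELinux domain.
# Input on stdin is `ps -axZ` style: LABEL PID TTY STAT TIME COMMAND...
find_generic_domain() {
    # $1: space-separated SELinux types to flag (default: initrc_t)
    awk -v types="${1:-initrc_t}" '
    BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) flag[t[i]] = 1 }
    $1 == "LABEL" { next }                      # skip the ps header line
    {
        # A context is user:role:type:level. The level may itself contain ":"
        # (for example s0-s0:c0.c1023), so only the first three parts are positional.
        if (split($1, ctx, ":") < 4) next       # not an SELinux context
        if (!(ctx[3] in flag)) next
        cmd = $6
        for (i = 7; i <= NF; i++) cmd = cmd " " $i
        printf "%s\t%s\t%s\n", $2, ctx[3], cmd  # PID, type, command line
    }'
}

# Constructed sample: the osad line is the one quoted in this report,
# the other lines are invented for illustration.
sample_ps() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0         1 ?        Ss     0:01 /sbin/init
unconfined_u:system_r:initrc_t:s0 14573 pts/0  S      0:00 /usr/bin/python /usr/sbin/osad --pid-file /var/run/osad.pid
system_u:system_r:sshd_t:s0-s0:c0.c1023 1201 ? Ss     0:00 /usr/sbin/sshd
EOF
}

sample_ps | find_generic_domain
# On a live system: ps -axZ | find_generic_domain
```
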
Comment 2 Miroslav Grepl 2013-07-23 10:18:36 EDT
What exactly does osad do? It looks like we could treat it with rhnsd_t policy (policy for rhnsd service).
Comment 3 Lukas Vrabec 2014-06-09 08:14:47 EDT
We have a policy for osad in F20/RHEL7, I'll backport it.
Comment 4 Lukas Vrabec 2014-06-10 10:30:08 EDT
I sent a patch with the osad policy to Mirek.
Comment 6 Lukas Vrabec 2014-06-25 08:54:09 EDT
commit 7e2644541bf4e3efd21dfd279709c9bcf6a29208
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Jun 25 14:53:03 2014 +0200

    Allow osad to read localization

patch sent.
Comment 10 Lukas Vrabec 2014-07-02 05:58:59 EDT
Yep, I see it, backport changes from RHEL7.
Comment 11 Lukas Vrabec 2014-07-02 07:52:19 EDT
sent patch.
Comment 14 Lukas Vrabec 2014-07-16 09:57:58 EDT
patch sent.

commit c4f0626d4062b096a71d03ba7f9517a412735ca4
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Jul 16 15:49:04 2014 +0200

    Fix AVCs related to bug BZ #985331
Comment 17 Lukas Vrabec 2014-07-21 13:59:05 EDT
Milos, 

I cannot find anything related to osa_dispatcher_t in selinux-policy, isn't it some policy which we don't ship? 

Thank you!
Comment 18 Milos Malik 2014-07-22 10:23:50 EDT
The following RPMs were installed on the machine where the AVC appeared:
 * osa-dispatcher
 * osa-dispatcher-selinux
 * osad

You can find them in brew under osad component. The machine was installed according to Satellite QE recommendations.
Comment 19 Lukas Vrabec 2014-07-23 05:33:59 EDT
yep, I see. 

But this is an issue for the osa-dispatcher guys.
Comment 20 Miroslav Grepl 2014-07-23 05:44:57 EDT
Is it correct we have osad policy in our policy?
Comment 21 Milos Malik 2014-07-23 05:51:53 EDT
(In reply to Miroslav Grepl from comment #20)
> Is it correct we have osad policy in our policy?

That was also my concern, when I found the osa-dispatcher-selinux RPM. But the osad file is ignored by the policy module (is not labeled when the module is active).
Comment 22 Lukas Vrabec 2014-07-23 07:39:42 EDT
I think we should invite somebody from osa-dispatcher to this conversation and find the reason why the osad files are ignored, as Milos said.
Comment 23 Miroslav Grepl 2014-07-24 10:10:51 EDT
(In reply to Milos Malik from comment #21)
> (In reply to Miroslav Grepl from comment #20)
> > Is it correct we have osad policy in our policy?
> 
> That was also my concern, when I found the osa-dispatcher-selinux RPM. But
> the osad file is ignored by the policy module (is not labeled when the
> module is active).

Not sure what you think.
Comment 24 Milos Malik 2014-07-24 10:45:56 EDT
Either we can persuade the maintainers of the osad component to modify osa-dispatcher-selinux so it covers the /usr/sbin/osad file too, or we will have a policy module dedicated to osad among the usual policy modules which are shipped in selinux-policy.
Comment 25 Lukas Vrabec 2014-07-25 08:03:24 EDT
After discussion with Mirek we prefer that osa-dispatcher maintainers will cover osad too. 

I need to find somebody who is responsible for osa-dispatcher.
Comment 26 Lukas Vrabec 2014-08-13 08:13:54 EDT
Milan, 

Is it possible to contact somebody from osa-dispatcher? 

Thank you!
Comment 27 Milan Zázrivec 2014-08-13 08:16:52 EDT
I'm no longer working on the Spacewalk project / Satellite product.

I'll leave this information for Cliff Perry, the Sat. manager to answer.
Comment 31 errata-xmlrpc 2014-10-14 03:57:00 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html
