[RHEL-24268] [rhel-9] the switcheroo-control service runs under unconfined_service_t label - Red Hat Issue Tracker

Type: Bug
Resolution: Unresolved
Priority: Minor
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.3.0.z
Component/s: selinux-policy
Labels:
- AutoVerified
- new-policy

Fixed in Build:
selinux-policy-38.1.52-1.el9
Regression:
None
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
2

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
25
Story Points:
3
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Products:

Red Hat Enterprise Linux
Sprint:
CY24Q2, SELINUX 250129: 1

Acceptance Criteria:

Hide

The switcheroo-control service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.

Show
The switcheroo-control service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/139849
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
Feature, enhancement:
Reason:
Result:

Show
Feature, enhancement: Reason: Result:

Experience:
Architecture:

x86_64

PX Impact Score:
PX Priority Data:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

the switcheroo-control process runs under "unconfined_service_t" label which means that the system can't pass the
CIS 9 - "1.6.1.6 Ensure no unconfined services exist (Automated)".

Please provide the package NVR for which bug is seen:

How reproducible:

always

Steps to reproduce

Fresh install the RHEL9 with "Server with GUI".
Switch the system to graphical.target via "systemctl set-default graphical.target"
Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

Expected results

the switcheroo-control process(es) are confined by SELinux, they do not run under the "unconfined_service_t" label

Actual results

# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 (Plow)
# systemctl get-default
graphical.target
# ps -eZ|egrep 'unconfined_service_t'
system_u:system_r:unconfined_service_t:s0 862 ?  00:00:00 power-profiles-
system_u:system_r:unconfined_service_t:s0 865 ?  00:00:00 switcheroo-cont
#

is cloned by

RHEL-83267 [rhel-10] the switcheroo-control service runs under unconfined_service_t label

In Progress

RHEL-61117 [rhel-9] the power-profiles-daemon service runs under unconfined_service_t label

Release Pending

is duplicated by

RHEL-76186 SELinux is preventing /usr/libexec/switcheroo-control

Closed

links to

github pr

KB: System is not complying to CIS Server Level 2 due to having custom services run in "unconfined_service_t" context

RHBA-2024:139849 selinux-policy bug fix and enhancement update

TCMS Test Case 617899

mentioned in: Page Loading...

(3 links to, 1 mentioned in)

Assignee:: Zdenek Pytela

Reporter:: Yanquan Lu

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2024/02/06 6:03 AM

Updated:: 2025/03/12 6:31 PM

Target end:: 2025/02/10

Next Planned Release Date:: 2025/05/13

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide