Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Minor
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.3.0.z
Component/s: selinux-policy
Labels:
- new-policy

Regression:
None
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
3
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
CY24Q2

Acceptance Criteria:

Hide

The switcheroo-control service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.

Show
The switcheroo-control service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
Preliminary Testing:
None
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:
Architecture:

x86_64

PX Impact Score:
PX Priority Data:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

the switcheroo-control process runs under "unconfined_service_t" label which means that the system can't pass the
CIS 9 - "1.6.1.6 Ensure no unconfined services exist (Automated)".

Please provide the package NVR for which bug is seen:

How reproducible:

always

Steps to reproduce

Fresh install the RHEL9 with "Server with GUI".
Switch the system to graphical.target via "systemctl set-default graphical.target"
Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

Expected results

the switcheroo-control process(es) are confined by SELinux, they do not run under the "unconfined_service_t" label

Actual results

# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 (Plow)
# systemctl get-default
graphical.target
# ps -eZ|egrep 'unconfined_service_t'
system_u:system_r:unconfined_service_t:s0 862 ?  00:00:00 power-profiles-
system_u:system_r:unconfined_service_t:s0 865 ?  00:00:00 switcheroo-cont
#

is cloned by

RHEL-61117 [rhel-9] the power-profiles-daemon service runs under unconfined_service_t label

Planning

links to

KB: System is not complying to CIS Server Level 2 due to having custom services run in "unconfined_service_t" context

TCMS Test Case 617899

mentioned in: Page Loading...

Assignee:: Zdenek Pytela

Reporter:: Yanquan Lu

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Created:: 2024/02/06 6:03 AM

Updated:: 2024/10/23 2:01 PM

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates