-
Bug
-
Resolution: Won't Do
-
Normal
-
None
-
rhel-8.10
-
None
-
None
-
Moderate
-
rhel-sst-security-selinux
-
ssg_security
-
None
-
False
-
-
None
-
Red Hat Enterprise Linux
-
None
-
None
-
None
-
None
STIG requires that no service execute in unconfined_service_t context (CCE-80867-5).
Because the executable started by the service unit /usr/lib/systemd/system/iio-sensor-proxy.service is labeled with bin_t, the process becomes unconfined_service_t, which is not acceptable:
# grep ExecStart /usr/lib/systemd/system/iio-sensor-proxy.service ExecStart=/usr/sbin/iio-sensor-proxy # ls -Z /usr/sbin/iio-sensor-proxy system_u:object_r:bin_t:s0 /usr/sbin/iio-sensor-proxy
Please fix this, a quick fix is to wrap the executable in a shell:
ExecStart=/bin/sh -c /usr/sbin/iio-sensor-proxy
But ideally a dedicated type should be created with appropriate rules.
- duplicates
-
RHEL-17346 [rhel-9] the iio-sensor-proxy service is not confined by SELinux
- Release Pending
-
RHEL-62355 [rhel-10] the iio-sensor-proxy service is not confined by SELinux
- Release Pending