Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Normal
Fix Version/s: None
Affects Version/s: rhel-8.10
Component/s: selinux-policy
Labels:
None

Regression:
None
Severity:
Moderate

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
None
Target Version:

rhel-8.8.0
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Products:

Red Hat Enterprise Linux
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Experience:

PX Impact Score:
PX Technical Impact:
PX Impact Range:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

STIG requires that no service execute in unconfined_service_t context (CCE-80867-5).

Because the executable started by the service unit /usr/lib/systemd/system/iio-sensor-proxy.service is labeled with bin_t, the process becomes unconfined_service_t, which is not acceptable:

# grep ExecStart /usr/lib/systemd/system/iio-sensor-proxy.service
ExecStart=/usr/sbin/iio-sensor-proxy

# ls -Z /usr/sbin/iio-sensor-proxy
system_u:object_r:bin_t:s0 /usr/sbin/iio-sensor-proxy

Please fix this, a quick fix is to wrap the executable in a shell:

ExecStart=/bin/sh -c /usr/sbin/iio-sensor-proxy

But ideally a dedicated type should be created with appropriate rules.

duplicates

RHEL-17346 [rhel-9] the iio-sensor-proxy service is not confined by SELinux

Release Pending

RHEL-62355 [rhel-10] the iio-sensor-proxy service is not confined by SELinux

Release Pending

Assignee:: Zdenek Pytela

Reporter:: Renaud Métrich

Developer:: Zdenek Pytela

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/09/04 3:03 PM

Updated:: 2024/10/15 3:00 AM

Resolved:: 2024/02/09 11:09 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates