RHEL-2613: iio-sensor-proxy service is not STIG compliant

    • Bug
    • Resolution: Won't Do
    • Normal
    • rhel-8.10
    • selinux-policy
    • Moderate
    • sst_security_selinux
    • ssg_security
    • Red Hat Enterprise Linux

      STIG requires that no service execute in unconfined_service_t context (CCE-80867-5).

      Because the executable started by the service unit /usr/lib/systemd/system/iio-sensor-proxy.service is labeled with bin_t, the process becomes unconfined_service_t, which is not acceptable:

      # grep ExecStart /usr/lib/systemd/system/iio-sensor-proxy.service
      ExecStart=/usr/sbin/iio-sensor-proxy
      
      # ls -Z /usr/sbin/iio-sensor-proxy
      system_u:object_r:bin_t:s0 /usr/sbin/iio-sensor-proxy

      Please fix this. A quick fix is to wrap the executable in a shell:

      ExecStart=/bin/sh -c /usr/sbin/iio-sensor-proxy

      But ideally a dedicated type should be created with appropriate rules.

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela
              SSG Security QE
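
One way to check a host for the condition this ticket describes, as an added example that is not part of the original report or of any Red Hat tooling. The helper names (find_unconfined_services, execstart_binaries, generic_labeled, sample_ps) are hypothetical and the `ps -eZ` sample lines are constructed.

```shell
#!/bin/sh
# Added example; every sample line below is constructed, not from a real host.

# Read `ps -eZ` output on stdin; print "PID CMD" for each process whose
# SELinux type (third colon-separated field of the label) is
# unconfined_service_t. MLS ranges such as s0-s0:c0.c1023 add extra colons
# after the type, so only field 3 is inspected.
find_unconfined_services() {
    awk '$1 != "LABEL" {
        n = split($1, ctx, ":")
        if (n >= 3 && ctx[3] == "unconfined_service_t") print $2, $NF
    }'
}

# Read unit-file text on stdin; print the executable of each ExecStart= line,
# dropping systemd's special executable prefixes (-, @, :, +, !).
execstart_binaries() {
    sed -n 's/^ExecStart=[-@:+!]*\([^[:space:]]*\).*/\1/p'
}

# Read `ls -Z` output (CONTEXT PATH) on stdin; print paths labeled bin_t,
# the generic label the ticket identifies as the cause.
generic_labeled() {
    awk '{ split($1, ctx, ":"); if (ctx[3] == "bin_t") print $2 }'
}

sample_ps() {   # constructed `ps -eZ` sample
    cat <<'EOF'
LABEL                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0               1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 912 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 1044 ?     00:00:00 iio-sensor-prox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2301 pts/0 00:00:00 bash
EOF
}

# Demo on the constructed sample. On a real host:
#   ps -eZ | find_unconfined_services
#   execstart_binaries < UNIT_FILE | xargs ls -Z | generic_labeled
sample_ps | find_unconfined_services
```

The interactive user's bash process in the sample is unconfined_t, not unconfined_service_t, so it is correctly not reported.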