Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.3.0.z
Component/s: selinux-policy
Labels:
- new-policy

Regression:
None
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
1

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
20
Story Points:
3
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
SELINUX 241106 - 241127

Acceptance Criteria:

Hide

The power-profiles-daemon service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.

Show
The power-profiles-daemon service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
Preliminary Testing:
None
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Experience:
Architecture:

x86_64

PX Impact Score:
PX Priority Data:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

the power-profiles-daemon process runs under the "unconfined_service_t" label which means that the system can't pass the CIS 9 - "1.6.1.6 Ensure no unconfined services exist (Automated)".

Please provide the package NVR for which bug is seen:

How reproducible:

always

Steps to reproduce

Fresh install the RHEL9 with "Server with GUI".
Switch the system to graphical.target via "systemctl set-default graphical.target"
Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

Expected results

the power-profiles-daemon process(es) are confined by SELinux, they do not run under the "unconfined_service_t" label

Actual results

# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 (Plow)
# systemctl get-default
graphical.target
# ps -eZ|egrep 'unconfined_service_t'
system_u:system_r:unconfined_service_t:s0 862 ?  00:00:00 power-profiles-
system_u:system_r:unconfined_service_t:s0 865 ?  00:00:00 switcheroo-cont
#

clones

RHEL-24268 the switcheroo-control service runs under unconfined_service_t label

Planning

is cloned by

RHEL-62356 [rhel-10] the power-profiles-daemon service runs under unconfined_service_t label

Planning

links to

github pr

KB: System is not complying to CIS Server Level 2 due to having custom services run in "unconfined_service_t" context

TCMS Test Case 617900

mentioned in: Page Loading...

(1 mentioned in)

Assignee:: Zdenek Pytela

Reporter:: Yanquan Lu

Need Info From:: Jaroslav Skarvada

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/10/01 7:27 AM

Updated:: 2024/11/12 4:27 PM

Target end:: 2025/01/06

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates