Loading...

Linking RHIVOS CVEs to...

Migration: Automation ...

SWIFT: POC Conversion

Sync from "Extern...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.6
Affects Version/s: rhel-9.3.0.z
Component/s: selinux-policy
Labels:
- AutoVerified
- new-policy

Fixed in Build:
selinux-policy-38.1.53-2.el9
Regression:
None
Severity:
Moderate
Epic Link:
SELINUX-3594
sprint_count:
3

AssignedTeam:
rhel-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
25
Story Points:
3
ACKs Check:

QE ack
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Products:

Red Hat Enterprise Linux
Sprint:
SELINUX 241106 - 241127, SELINUX 241127 - 241218, SELINUX 250129: 1

Acceptance Criteria:

Hide

The power-profiles-daemon service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.

Show
The power-profiles-daemon service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/139849
Test Coverage:

Automated

Release Note Type:
Release Note Not Required
Release Note Text:
documented in ~~RHEL-17346~~
Release Note Status:
Done

Experience:
Architecture:

x86_64

PX Impact Score:
PX Priority Data:
PX Review Complete:
PX Scheduling Request:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

the power-profiles-daemon process runs under the "unconfined_service_t" label which means that the system can't pass the CIS 9 - "1.6.1.6 Ensure no unconfined services exist (Automated)".

Please provide the package NVR for which bug is seen:

How reproducible:

always

Steps to reproduce

Fresh install the RHEL9 with "Server with GUI".
Switch the system to graphical.target via "systemctl set-default graphical.target"
Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

Expected results

the power-profiles-daemon process(es) are confined by SELinux, they do not run under the "unconfined_service_t" label

Actual results

# cat /etc/redhat-release
Red Hat Enterprise Linux release 9.3 (Plow)
# systemctl get-default
graphical.target
# ps -eZ|egrep 'unconfined_service_t'
system_u:system_r:unconfined_service_t:s0 862 ?  00:00:00 power-profiles-
system_u:system_r:unconfined_service_t:s0 865 ?  00:00:00 switcheroo-cont
#

clones

RHEL-24268 [rhel-9] the switcheroo-control service runs under unconfined_service_t label

Closed

is cloned by

RHEL-62356 [rhel-10] the power-profiles-daemon service runs under unconfined_service_t label

Closed

links to

github pr

KB: System is not complying to CIS Server Level 2 due to having custom services run in "unconfined_service_t" context

RHBA-2024:139849 selinux-policy bug fix and enhancement update

TCMS Test Case 617900

mentioned in: Page Loading...

(1 links to, 1 mentioned in)

Assignee:: Zdenek Pytela

Reporter:: Yanquan Lu

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2024/10/01 7:27 AM

Updated:: 2025/05/13 8:40 AM

Resolved:: 2025/05/13 8:40 AM

Target end:: 2025/02/10

Next Planned Release Date:: 2025/05/13

Release Date:: 2025/05/13

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates