RHEL-62355

[rhel-10] the iio-sensor-proxy service is not confined by SELinux


    • selinux-policy-40.13.11-1.el10
    • None
    • Moderate
    • 1
    • rhel-security-selinux
    • ssg_security
    • 11
    • 3
    • QE ack
    • False
    • False
    • No
    • Red Hat Enterprise Linux
    • SELINUX 241016 - 241106
      The iio-sensor-proxy service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
    • Pass
    • Automated
    • Enhancement
      .Additional services confined in the SELinux policy

      This update adds additional rules to the SELinux policy that confine the following `systemd` services:

      * `iio-sensor-proxy`
      * `samba-bgqd`
      * `tlshd`
      * `gnome-remote-desktop`
      * `pcm-sensor-server`

      As a result, these services no longer run with the `unconfined_service_t` SELinux label, which violated the CIS Server Level 2 benchmark "Ensure No Daemons are Unconfined by SELinux" rule, and run successfully in SELinux enforcing mode.
    • Done
    • None

      Misconfiguration or something else?

      Steps to reproduce

      1. ps -eZ | grep "unconfined_service_t"
      2. I get:
        system_u:system_r:unconfined_service_t:s0 1589 ? 00:00:00 iio-sensor-prox
        system_u:system_r:unconfined_service_t:s0 5022 ? 00:00:00 switcheroo-cont

      Expected results

      All processes should be confined, and ps -eZ | grep "unconfined_service_t" shouldn't provide any results
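The check the reporter ran by hand, written up as a small audit script. This is an added example, not code from the issue or from the selinux-policy project; the `ps -eZ` sample it parses is constructed from the two lines quoted in the report plus a few confined processes for contrast, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for RHEL-62355 (not code from the issue or the selinux-policy
# project): audit `ps -eZ` output for daemons still running as
# unconfined_service_t, the condition behind the CIS "Ensure No Daemons are
# Unconfined by SELinux" rule. POSIX sh, no external tools needed.

# Constructed sample in `ps -eZ` layout: the two lines quoted in the bug report
# plus an init process, a confined sshd, and a user shell for contrast.
SAMPLE_PS_OUTPUT='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:02 systemd
system_u:system_r:unconfined_service_t:s0 1589 ? 00:00:00 iio-sensor-prox
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0 5022 ? 00:00:00 switcheroo-cont
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2301 pts/0 00:00:00 bash'

# Read `ps -eZ` lines on stdin; print "PID CMD" for each process whose SELinux
# type (third colon-separated field of the context) is exactly unconfined_service_t.
# Matching the type field, rather than grepping the whole line, keeps the user
# session shell (unconfined_t, which is not a daemon) out of the result.
unconfined_services() {
    while read -r context pid _tty _time cmd; do
        if [ "$context" = "LABEL" ]; then
            continue                  # column header
        fi
        setype=${context#*:}          # drop the user component
        setype=${setype#*:}           # drop the role component
        setype=${setype%%:*}          # keep the type, drop the MLS level/range
        if [ "$setype" = "unconfined_service_t" ]; then
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
    return 0
}

# audit_ps_output "<ps -eZ output>": return 0 when no daemon is unconfined
# (the issue's expected result) and 1 otherwise, listing the offenders.
audit_ps_output() {
    offenders=$(printf '%s\n' "$1" | unconfined_services)
    if [ -n "$offenders" ]; then
        printf 'unconfined services found:\n%s\n' "$offenders"
        return 1
    fi
    echo "no unconfined services"
    return 0
}

# Against the constructed sample this reports iio-sensor-prox and switcheroo-cont.
# On a live host run: audit_ps_output "$(ps -eZ)"
if audit_ps_output "$SAMPLE_PS_OUTPUT"; then
    echo "PASS"
else
    echo "FAIL"
fi
```

The script exits non-zero whenever an offender is present, so it can be dropped into a compliance job as-is; after the fix in selinux-policy-40.13.11-1.el10 the iio-sensor-proxy line disappears from the live output, and the remaining entries (such as switcheroo-cont in the report) show which services still need their own domain.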

              rhn-support-zpytela Zdenek Pytela
              arlakan Artur Polak (Inactive)
              Nikola Kňažeková Nikola Kňažeková (Inactive)
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala