RHEL-69450

Confine the tuned-ppd service


    • selinux-policy-40.13.28-1.el10
    • None
    • Moderate
    • 2
    • rhel-security-selinux
    • ssg_security
    • 8
    • 3
    • QE ack
    • False
    • False
    • No
    • Red Hat Enterprise Linux
    • SELINUX 250402: 4, SELINUX 250423: 5
    • The tuned-ppd service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
    • Pass
    • Automated
    • Enhancement
    • .Additional services confined in the SELinux policy

      This update adds additional rules to the SELinux policy that confine the following `systemd` services:

      * `switcheroo-control`
      * `tuned-ppd`

      As a result, these services no longer run with the `unconfined_service_t` SELinux label, which violated the CIS Server Level 2 benchmark rule "Ensure No Daemons are Unconfined by SELinux", and they run successfully in SELinux enforcing mode.
    • Done
    • x86_64
    • None

      What were you trying to do that didn't work?

      The tuned-ppd package and service replace power-profiles-daemon in RHEL 10.

      https://pes.osci.redhat.com/?detail=14969

      Please provide the package NVR for which bug is seen:

      tuned-ppd-2.24.0-2.el10.noarch

      How reproducible:

      always

      Steps to reproduce

      1. Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

      Expected results

      The tuned-adm process(es) are confined by SELinux; they do not run under the "unconfined_service_t" label.

      Actual results

       

              rhn-support-zpytela Zdenek Pytela
              rhn-support-yalu Yanquan Lu
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
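
An added example (not part of the issue or of Red Hat's tooling): the `ps -eZ` check from the reproduction step, written as a script that matches the SELinux type field exactly and returns non-zero when any daemon runs as `unconfined_service_t`. The function names and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real host).
# ps truncates the command name to 15 characters, hence "switcheroo-cont".
sample_ps_output() {
cat <<'EOF'
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:unconfined_service_t:s0 845 ? 00:00:00 tuned-ppd
system_u:system_r:unconfined_service_t:s0 851 ? 00:00:00 switcheroo-cont
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1500 pts/0 00:00:00 bash
EOF
}

# Read `ps -eZ` output on stdin; print "PID CMD" for each process whose
# SELinux type (third context field) is exactly unconfined_service_t.
# Interactive sessions labelled unconfined_t are deliberately not matched.
unconfined_daemons() {
    awk '{
        split($1, ctx, ":")                          # user:role:type:level
        if (ctx[3] != "unconfined_service_t") next
        cmd = $5
        for (i = 6; i <= NF; i++) cmd = cmd " " $i   # command names may contain spaces
        print $2, cmd
    }'
}

# Return 0 when no daemon is unconfined, 1 otherwise (offenders go to stderr).
check_no_unconfined_daemons() {
    found=$(unconfined_daemons)
    [ -z "$found" ] && return 0
    printf 'Daemons running as unconfined_service_t:\n%s\n' "$found" >&2
    return 1
}

# Demo on the constructed sample; on a real host use:
#   ps -eZ | check_no_unconfined_daemons
sample_ps_output | unconfined_daemons
```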