RHEL-69526

Confine the tuned-ppd service


    • selinux-policy-38.1.55-1.el9
    • None
    • Moderate
    • 2
    • rhel-security-selinux
    • ssg_security
    • 8
    • 3
    • QE ack
    • False
    • False
    • None
    • No
    • Red Hat Enterprise Linux
    • SELINUX 250402: 4, SELINUX 250423: 5
    • The tuned-ppd service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
    • Pass
    • Automated
    • Enhancement
    • .`tuned-ppd` confined in the SELinux policy

      RHEL 9.7 adds additional rules to the SELinux policy that confine the `tuned-ppd` service. Before this update, the service ran with the `unconfined_service_t` SELinux label, which violated the CIS Server Level 2 benchmark "Ensure No Daemons are Unconfined by SELinux" rule. With this update, the service is no longer unconfined and runs successfully in SELinux enforcing mode.
    • Done
    • Done
    • Done
    • x86_64
    • None

      What were you trying to do that didn't work?

      The tuned-ppd package and service replace power-profiles-daemon in RHEL 10.

      https://pes.osci.redhat.com/?detail=14969

      Please provide the package NVR for which bug is seen:

      tuned-ppd-2.24.0-2.el9.noarch

      How reproducible:

      always

      Steps to reproduce

      1. Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

      Expected results

      The tuned-adm process(es) are confined by SELinux; they do not run under the "unconfined_service_t" label.

      Actual results

       

              rhn-support-zpytela Zdenek Pytela
              rhn-support-yalu Yanquan Lu
              Zdenek Pytela
              Milos Malik
              Zuzana Fantini Zoubkova
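
The check from step 1 of the report, made field-exact so that it can gate a compliance job for the "Ensure No Daemons are Unconfined by SELinux" rule. This is an added example, not part of the original ticket or of the selinux-policy project; the function names and the sample `ps -eZ` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS_OUTPUT='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:kernel_t:s0         2 ?        00:00:00 kthreadd
system_u:system_r:tuned_t:s0        812 ?        00:00:01 tuned
system_u:system_r:unconfined_service_t:s0 1043 ? 00:00:00 tuned-ppd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2210 pts/0 00:00:00 bash'

# Read `ps -eZ` output on stdin and print "PID COMMAND" for every process
# whose SELinux type (third field of the context) is unconfined_service_t.
list_unconfined_daemons() {
    awk '
        NR == 1 && $1 == "LABEL" { next }    # skip the header line
        {
            # Context is user:role:type:level. The level can itself contain
            # ":" (for example s0-s0:c0.c1023), so only field 3 is compared.
            n = split($1, ctx, ":")
            if (n >= 3 && ctx[3] == "unconfined_service_t") {
                cmd = $5
                for (i = 6; i <= NF; i++) cmd = cmd " " $i
                print $2, cmd
            }
        }'
}

# Return 0 when no daemon is unconfined; otherwise print the offenders
# and return 1, so the function can be used directly as a CI gate.
check_unconfined_daemons() {
    found=$(list_unconfined_daemons)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample; on a live host use:
#   ps -eZ | check_unconfined_daemons
printf '%s\n' "$SAMPLE_PS_OUTPUT" | check_unconfined_daemons \
    || echo "FAIL: daemons running as unconfined_service_t (listed above)"
```

Unlike a plain `egrep` over the whole line, this matches only the type field of the context and does not flag interactive `unconfined_t` sessions.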