Bug
Resolution: Done-Errata
Major
rhel-8.7.0
pcp-5.3.7-19.el8
Important
rhel-sst-pt-pcp
ssg_platform_tools
QE ack, Dev ack
Release Note Not Required
Description of problem:
From STIG, the CIS server level 1 profile requires that no service run as the "unconfined_service_t" SELinux type.
It appears 2 PCP components run as such:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
system_u:system_r:unconfined_service_t:s0 pcp 2673 0.0 0.0 94688 4772 ? Ss May04 0:00 /usr/libexec/pcp/bin/pmpause
system_u:system_r:unconfined_service_t:s0 pcp 2853 0.0 0.0 94688 4744 ? Ss May04 0:00 /usr/libexec/pcp/bin/pmpause
├─pmie_farm.service
│ └─2673 /usr/libexec/pcp/bin/pmpause
├─pmlogger_farm.service
│ └─2853 /usr/libexec/pcp/bin/pmpause
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
This happens because the executables are labeled with "bin_t", which leads to the transition from "init_t" (child of systemd when becoming a service) to "unconfined_service_t".
These 2 executables are "service entrypoints", hence need a proper context.
It's possible the following contexts are suitable, but I cannot tell; maybe they're too loose:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
chcon -t pcp_pmie_exec_t /usr/libexec/pcp/bin/pmie_farm
chcon -t pcp_pmlogger_exec_t /usr/libexec/pcp/bin/pmlogger_farm
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
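As an added audit helper (not part of this report or of PCP), the script below finds every process whose SELinux domain is unconfined_service_t and, on a live host, prints the file label of its executable, which is what decides whether init_t transitions into a confined domain or falls through to unconfined_service_t. It assumes procps ps(1) with the "label" output column, coreutils ls -Z and systemctl; the SAMPLE lines are constructed to mirror the ps output quoted above.

```shell
#!/bin/sh
# Print "PID CMD" for each process whose SELinux type is unconfined_service_t.
# Reads `ps -eo label,pid,args` style lines on stdin so it can be checked
# against constructed output without SELinux on the test box.
unconfined_procs() {
    awk '$1 ~ /:unconfined_service_t:/ {
            pid = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); print pid, $0 }'
}

# Constructed sample (not real ps output from the reporter's host).
SAMPLE='system_u:system_r:init_t:s0 1 /usr/lib/systemd/systemd
system_u:system_r:unconfined_service_t:s0 2673 /usr/libexec/pcp/bin/pmpause
system_u:system_r:pcp_pmcd_t:s0 2700 /usr/libexec/pcp/bin/pmcd
system_u:system_r:unconfined_service_t:s0 2853 /usr/libexec/pcp/bin/pmpause'

# Number of unconfined service processes in SAMPLE (expected: 2).
count_unconfined() {
    printf '%s\n' "$SAMPLE" | unconfined_procs | wc -l | tr -d ' '
}

# Live audit (needs SELinux, procps, coreutils and systemd on the host):
# for each unconfined service, show the executable, its file label and
# the unit that started it. A bin_t label on a service entrypoint is the
# condition described in this bug; a dedicated *_exec_t label is what the
# policy needs for a proper transition.
audit_live() {
    ps -eo label,pid,args --no-headers | unconfined_procs |
    while read -r pid cmd; do
        exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null) || continue
        label=$(ls -Z "$exe" 2>/dev/null | awk '{ print $1 }')
        unit=$(systemctl status "$pid" 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\t%s\n' "$pid" "$exe" "$label" "$unit"
    done
}
```

Run `audit_live` as root on the affected host; the two pmpause processes from the report should show up with their executable's label, which is what `chcon`/`semanage fcontext` would need to change.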
Version-Release number of selected component (if applicable):
pcp-selinux-5.3.7-7.el8
How reproducible:
Always
Steps to Reproduce:
1. Start "pmie_farm.service" and "pmlogger_farm.service"
Actual results:
"unconfined_service_t"
Expected results:
some other context
External trackers:
RHBA-2023:124476 pcp bug fix and enhancement update