RHEL-83267

[rhel-10] the switcheroo-control service runs under unconfined_service_t label


    • selinux-policy-40.13.27-1.el10
    • None
    • Moderate
    • 2
    • rhel-security-selinux
    • ssg_security
    • 6
    • 1
    • QE ack
    • False
    • False
    • None
    • No
    • Red Hat Enterprise Linux
    • SELINUX 250402: 4, SELINUX 250423: 5
    • The switcheroo-control service is confined by SELinux. The service starts and runs in enforcing mode. The service does not trigger any SELinux denials in default configuration.
    • Pass
    • Automated
    • Release Note Not Required
    • Documented in RHEL-69450
    • x86_64
    • None

      What were you trying to do that didn't work?

      the switcheroo-control process runs under "unconfined_service_t" label which means that the system can't pass the
      CIS 9 - "1.6.1.6 Ensure no unconfined services exist (Automated)".

      Please provide the package NVR for which bug is seen:

      selinux-policy-40.13.26-1.el10.noarch
      selinux-policy-targeted-40.13.26-1.el10.noarch
      switcheroo-control-2.6-7.el10.x86_64

      How reproducible:

      always

      Steps to reproduce

      1. Fresh install the RHEL-10 with "Server with GUI".
      2. Switch the system to graphical.target via "systemctl set-default graphical.target"
      3. Check the process label via "ps -eZ|egrep 'unconfined_service_t'"

      Expected results

      the switcheroo-control process(es) are confined by SELinux, they do not run under the "unconfined_service_t" label

      Actual results

      # cat /etc/redhat-release 
      Red Hat Enterprise Linux release 10.0 Beta (Coughlan)
      # ps -efZ | grep switcheroo
      system_u:system_r:unconfined_service_t:s0 root 5255    1  0 14:30 ?        00:00:00 /usr/libexec/switcheroo-control
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5274 5054  0 14:37 pts/0 00:00:00 grep --color=auto switcheroo
      #
      

              rhn-support-zpytela Zdenek Pytela
              rhn-support-yalu Yanquan Lu
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala
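
The check from step 3, as an added example (not part of the original report or of any Red Hat tooling): it compares the type field of each process context instead of matching the string anywhere in the line, so a command whose arguments merely contain "unconfined_service_t" is not counted. The function names and the sshd and grep sample lines are constructed for illustration; the switcheroo-control line is the one shown under "Actual results".

```shell
#!/bin/sh
# Added example: report processes whose SELinux *type* is unconfined_service_t.
# Input on stdin is `ps -efZ` output: LABEL UID PID PPID C STIME TTY TIME CMD...

# Constructed sample; only the switcheroo-control line comes from the report.
sample_ps_output() {
    cat <<'EOF'
LABEL                           UID          PID    PPID  C STIME TTY          TIME CMD
system_u:system_r:sshd_t:s0-s0:c0.c1023 root 1100    1  0 14:29 ?        00:00:00 sshd: /usr/sbin/sshd -D
system_u:system_r:unconfined_service_t:s0 root 5255    1  0 14:30 ?        00:00:00 /usr/libexec/switcheroo-control
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 5274 5054  0 14:37 pts/0 00:00:00 grep --color=auto unconfined_service_t
EOF
}

# Print "PID CMD" for every process running in the unconfined_service_t domain.
find_unconfined_services() {
    awk '
    {
        # A context is user:role:type:level; the level may itself contain ":".
        n = split($1, ctx, ":")
        if (n < 4) next                      # header line, or "-" when SELinux is off
        if (ctx[3] != "unconfined_service_t") next
        cmd = $9                             # CMD starts at field 9 in -ef output
        for (i = 10; i <= NF; i++) cmd = cmd " " $i
        printf "%s %s\n", $3, cmd
    }'
}

# Pass/fail wrapper: returns 0 when no such process exists, 1 otherwise.
check_no_unconfined_services() {
    hits=$(find_unconfined_services)
    if [ -n "$hits" ]; then
        printf 'FAIL: processes running as unconfined_service_t:\n%s\n' "$hits"
        return 1
    fi
    echo "PASS: no process runs as unconfined_service_t"
}

# Demo on the constructed sample; on a live system use:
#   ps -efZ | check_no_unconfined_services
sample_ps_output | find_unconfined_services
```
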