redisio
SELinux: Redis server running unconfined when installed from sources
:ghost: Brief Description
When redis is installed from sources, the SELinux context type of the redis-server binary is bin_t, which makes the process run unconfined. The redis_exec_t file context must be used for the redis-server binary, or the context must be configured with the process manager (systemd).
:pancakes: Cookbook version
4.2.0
:woman_cook: Chef-Infra Version
Chef Infra Client: 15.12.22
:tophat: Platform details
CentOS Linux release 7.9.2009 (Core), SELinux in enforcing mode:
$ getenforce
Enforcing
Steps To Reproduce
Steps to reproduce the behavior:
- Converge the cookbook using installation from sources
- Run ps axZ | grep redis-server:
system_u:system_r:unconfined_service_t:s0 1532 ? Ssl 166:46 /usr/local/bin/redis-server *:0
system_u:system_r:unconfined_service_t:s0 11303 ? Ssl 443:17 /usr/local/bin/redis-server *:0
....
Service running unconfined
:police_car: Expected behavior
When running ps axZ | grep redis-server, the output should look like this:
system_u:system_r:redis_t:s0 10843 ? Ssl 0:00 /usr/local/bin/redis-server *:0
system_u:system_r:redis_t:s0 10890 ? Ssl 0:00 /usr/local/bin/redis-server *:0
....
redis running under the system_u:system_r:redis_t context.
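An added check and remediation for the behaviour reported above; this is example code, not part of the redisio cookbook or the issue author's report. It assumes the source-built binary lives at /usr/local/bin/redis-server (as in the ps output above) and that the redis SELinux policy module providing redis_t/redis_exec_t is installed, which is the default on CentOS 7 targeted policy.

```shell
#!/bin/sh
# Example (not from the redisio cookbook): detect redis-server processes that
# are not confined to redis_t, and relabel a source-built binary so that
# systemd transitions the service into redis_t on the next restart.
# Assumed path, taken from the issue's ps output.
REDIS_BIN=/usr/local/bin/redis-server

# check_redis_domain: read "ps axZ"-style lines on stdin and print every
# redis-server process whose SELinux type is not redis_t.
# Returns 0 when all redis-server processes are confined, 1 otherwise.
check_redis_domain() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *redis-server*) ;;
            *) continue ;;
        esac
        # First field is user:role:type:level; the type is the 3rd ':'-field.
        ctx=${line%% *}
        type=$(printf '%s\n' "$ctx" | cut -d: -f3)
        if [ "$type" != "redis_t" ]; then
            printf 'unconfined redis-server: %s\n' "$line"
            bad=1
        fi
    done
    return $bad
}

# live_check: run the detection against the running system.
live_check() {
    ps axZ | check_redis_domain
}

# apply_redis_fcontext: persist the redis_exec_t label for the binary in the
# local file-context database and relabel the file (requires root).
apply_redis_fcontext() {
    semanage fcontext -a -t redis_exec_t "$REDIS_BIN" &&
    restorecon -v "$REDIS_BIN"
}

# Constructed sample output modelled on the issue, for an offline check.
SAMPLE_BAD='system_u:system_r:unconfined_service_t:s0 1532 ? Ssl 166:46 /usr/local/bin/redis-server *:0
system_u:system_r:unconfined_service_t:s0 11303 ? Ssl 443:17 /usr/local/bin/redis-server *:0
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ? Ss 0:01 /usr/sbin/sshd -D'
SAMPLE_GOOD='system_u:system_r:redis_t:s0 10843 ? Ssl 0:00 /usr/local/bin/redis-server *:0
system_u:system_r:redis_t:s0 10890 ? Ssl 0:00 /usr/local/bin/redis-server *:0'
```

After apply_redis_fcontext, restart the unit and rerun live_check; the fix only takes effect for processes started after the relabel.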
@ervinsh please feel free to make a PR which addresses this and we can get this merged/released.