SELinux: Redis server running unconfined when installed from sources #438

Open
@serhii-shnurenko

Description

👻 Brief Description

When Redis is installed from sources, the SELinux context type of the redis-server binary is bin_t, which makes the process run unconfined. The redis_exec_t file context must be used for the redis-server binary, or the context must be configured via the process manager (systemd).

🥞 Cookbook version

4.2.0

👩‍🍳 Chef-Infra Version

Chef Infra Client: 15.12.22

🎩 Platform details

CentOS Linux release 7.9.2009 (Core)
SELinux in enforcing mode

$ getenforce
Enforcing

Steps To Reproduce

Steps to reproduce the behavior:

  1. Converge the cookbook using installation from sources
  2. Run ps axZ | grep redis-server:
system_u:system_r:unconfined_service_t:s0 1532 ? Ssl 166:46 /usr/local/bin/redis-server *:0
system_u:system_r:unconfined_service_t:s0 11303 ? Ssl 443:17 /usr/local/bin/redis-server *:0
....

The service is running unconfined.

🚓 Expected behavior

When running ps axZ | grep redis-server, the output should look like this:

system_u:system_r:redis_t:s0    10843 ?        Ssl    0:00 /usr/local/bin/redis-server *:0
system_u:system_r:redis_t:s0    10890 ?        Ssl    0:00 /usr/local/bin/redis-server *:0
....

Redis running under the system_u:system_r:redis_t context.
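As an added example (not code from the issue or the cookbook), the following shell snippet audits ps axZ output for redis-server processes that run outside the redis_t domain and prints the semanage/restorecon commands that assign the redis_exec_t type to a source-built binary; the binary path is taken from the report, the ps lines are constructed, and the systemd unit name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the issue or the cookbook. Audits `ps axZ`
# output for redis-server processes outside the redis_t domain and prints
# the fcontext commands that give a source-built binary the redis_exec_t
# type the policy expects.

# Constructed sample lines in `ps axZ` format (LABEL PID TTY STAT TIME CMD).
SAMPLE_PS='system_u:system_r:unconfined_service_t:s0 1532 ? Ssl 166:46 /usr/local/bin/redis-server *:0
system_u:system_r:redis_t:s0 10843 ? Ssl 0:00 /usr/local/bin/redis-server *:0
system_u:system_r:sshd_t:s0-s0:c0.c1023 900 ? Ss 0:00 /usr/sbin/sshd -D'

# Reads ps axZ lines on stdin. Prints "<pid> <domain>" for each redis-server
# whose SELinux domain (third field of the label) is not redis_t.
# Exit status 0 when every redis-server is confined, 1 otherwise.
unconfined_redis() {
    awk '
        $6 ~ /redis-server$/ {            # match the command column only
            split($1, ctx, ":")           # user:role:type:level
            if (ctx[3] != "redis_t") { print $2, ctx[3]; bad = 1 }
        }
        END { exit bad }'
}

# Prints (does not run) the commands that label the binary redis_exec_t so
# that systemd's execution of it transitions into redis_t. Needs root and
# the semanage tool on the target host; the unit name is assumed.
redis_fcontext_fix() {
    bin=${1:-/usr/local/bin/redis-server}
    printf 'semanage fcontext -a -t redis_exec_t %s\n' "$bin"
    printf 'restorecon -v %s\n' "$bin"
    printf 'systemctl restart redis   # assumed unit name\n'
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_PS" | unconfined_redis; then
    echo "all redis-server processes confined"
else
    echo "unconfined redis-server found; suggested fix:"
    redis_fcontext_fix
fi
```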
