Unconfined_service For Couchbase Process

Hi Team,

While running CB server, we are observing that most of the CB services are showing unconfined_service_t. Could you help us understand why it is like that? When the client ran the Nessus scan on this host, it caught this, and they are asking us to remediate the same.

[root@localhost ~]# ps -eZ | grep unconfined_service_t
system_u:system_r:unconfined_service_t:s0 749 ?  00:00:00 falcond
system_u:system_r:unconfined_service_t:s0 763 ?  02:21:54 falcon-sensor
system_u:system_r:unconfined_service_t:s0 1153264 ? 00:12:43 beam.smp
system_u:system_r:unconfined_service_t:s0 1153302 ? 00:00:00 erl_child_setup
system_u:system_r:unconfined_service_t:s0 1153348 ? 00:00:11 gosecrets
system_u:system_r:unconfined_service_t:s0 1153353 ? 07:09:36 beam.smp
system_u:system_r:unconfined_service_t:s0 1153378 ? 00:00:00 erl_child_setup
system_u:system_r:unconfined_service_t:s0 1153462 ? 00:00:08 sh
system_u:system_r:unconfined_service_t:s0 1153464 ? 00:00:25 memsup
system_u:system_r:unconfined_service_t:s0 1153465 ? 00:00:00 cpu_sup
system_u:system_r:unconfined_service_t:s0 1153508 ? 00:43:13 sigar_port
system_u:system_r:unconfined_service_t:s0 1153739 ? 00:00:01 inet_gethost
system_u:system_r:unconfined_service_t:s0 1153740 ? 00:00:01 inet_gethost
system_u:system_r:unconfined_service_t:s0 1153741 ? 00:00:06 saslauthd-port
system_u:system_r:unconfined_service_t:s0 1153761 ? 02:59:03 memcached
system_u:system_r:unconfined_service_t:s0 1154335 ? 00:22:41 beam.smp
system_u:system_r:unconfined_service_t:s0 1154344 ? 00:00:00 erl_child_setup
system_u:system_r:unconfined_service_t:s0 1154365 ? 00:00:00 sh
system_u:system_r:unconfined_service_t:s0 1154366 ? 00:00:01 memsup
system_u:system_r:unconfined_service_t:s0 1154368 ? 00:00:00 cpu_sup
system_u:system_r:unconfined_service_t:s0 1154373 ? 00:00:00 inet_gethost
system_u:system_r:unconfined_service_t:s0 1154374 ? 00:00:00 inet_gethost
system_u:system_r:unconfined_service_t:s0 1154375 ? 00:01:05 godu
system_u:system_r:unconfined_service_t:s0 1154376 ? 00:00:08 sh
system_u:system_r:unconfined_service_t:s0 1154380 ? 00:00:01 godu
system_u:system_r:unconfined_service_t:s0 1154398 ? 00:00:01 goport
system_u:system_r:unconfined_service_t:s0 1154402 ? 00:55:42 prometheus
system_u:system_r:unconfined_service_t:s0 1154414 ? 00:02:37 goport
system_u:system_r:unconfined_service_t:s0 1154419 ? 00:26:37 goxdcr
system_u:system_r:unconfined_service_t:s0 1155676 ? 00:02:30 goport
system_u:system_r:unconfined_service_t:s0 1155681 ? 01:40:34 indexer
system_u:system_r:unconfined_service_t:s0 1155696 ? 00:00:50 goport
system_u:system_r:unconfined_service_t:s0 1155701 ? 00:43:24 cbq-engine
system_u:system_r:unconfined_service_t:s0 1155714 ? 00:00:45 goport
system_u:system_r:unconfined_service_t:s0 1155719 ? 00:11:21 projector
system_u:system_r:unconfined_service_t:s0 1155720 ? 00:00:58 js-evaluator
system_u:system_r:unconfined_service_t:s0 1155801 ? 00:00:54 js-evaluator
[root@localhost ~]#

The host is SELinux-enabled and it is enforcing.

Thanks,
Debasis

There are two available settings:

https://docs.couchbase.com/operator/current/resource/couchbasecluster.html#couchbaseclusters-spec-security-securitycontext-seccompprofile-type
https://docs.couchbase.com/operator/current/resource/couchbasecluster.html#couchbaseclusters-spec-security-podsecuritycontext-seccompprofile-type

Please refer to the Nessus documentation for further information on the remediation.

@mreiche These deployments are bare-metal deployments, not k8s deployments.

Thanks,
Debasis
