Bug 1290633

Summary: Cannot run setup-ds.pl as confined user.
Product: Red Hat Enterprise Linux 7
Reporter: wibrown <wibrown>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: low
Docs Contact:
Priority: medium
Version: 7.1
CC: amsharma, emrakova, lvrabec, mgrepl, mmalik, mthacker, nhosoi, plautrba, pvrabec, ssekidde, vashirov, wibrown
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1330525
Environment:
Last Closed: 2017-08-01 15:10:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1330525

Description wibrown@redhat.com 2015-12-11 00:50:42 UTC
Description of problem:

Attempt to install 389-ds as a confined user.

# id -Z
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

# setup-ds.pl
/* Fails */
# ausearch -ts recent
type=AVC msg=audit(1449794559.462:4281): avc:  denied  { open } for  pid=13307 comm="perl" path="/etc/shadow" dev="dm-0" ino=529398 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1449794559.462:4281): avc:  denied  { read } for  pid=13307 comm="perl" name="shadow" dev="dm-0" ino=529398 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1449794628.065:4413): avc:  denied  { execute_no_trans } for  pid=13367 comm="ldif2db" path="/usr/sbin/ns-slapd" dev="dm-2" ino=4969883 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dirsrv_exec_t:s0 tclass=file
type=AVC msg=audit(1449794628.065:4413): avc:  denied  { execute } for  pid=13367 comm="ldif2db" name="ns-slapd" dev="dm-2" ino=4969883 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dirsrv_exec_t:s0 tclass=file

Server installation fails.

Expected results:

Server installation succeeds.

Comment 2 Amita Sharma 2017-04-19 14:57:45 UTC
I am following the last section of https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/sect-Security-Enhanced_Linux-Targeted_Policy-Confined_and_Unconfined_Users.html for configuring a confined user which will have sudo permissions.

But I am facing the issue below.

All steps with details
===========================
[root@auto-hv-02-guest09 ~]# semanage user -a -r s0-s0:c0.c1023 -R "user_r sysadm_r" SeLinux_user_u

[root@auto-hv-02-guest09 ~]# cp /etc/selinux/targeted/contexts/users/sysadm_u /etc/selinux/targeted/contexts/users/SeLinux_user_u

[root@auto-hv-02-guest09 ~]# useradd Se_test
[root@auto-hv-02-guest09 ~]# passwd Se_test
Changing password for user se_test.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.

[root@auto-hv-02-guest09 ~]# semanage login -a -s SeLinux_user_u -rs0:c0.c1023 Se_test

[root@auto-hv-02-guest09 ~]# vim /etc/sudoers.d/Se_test
Se_test ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r /bin/sh


[root@auto-hv-02-guest09 ~]# restorecon -FR -v /home/Se_test/
restorecon reset /home/Se_test context unconfined_u:object_r:user_home_dir_t:s0->SeLinux_user_u:object_r:user_home_dir_t:s0
restorecon reset /home/Se_test/.bash_logout context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0
restorecon reset /home/Se_test/.bash_profile context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0
restorecon reset /home/Se_test/.bashrc context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0
restorecon reset /home/Se_test/.emacs context unconfined_u:object_r:user_home_t:s0->SeLinux_user_u:object_r:user_home_t:s0

**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
[Se_test@auto-hv-02-guest09 ~]$ id -Z
SeLinux_user_u:user_r:user_t:s0:c0.c1023
[Se_test@auto-hv-02-guest09 ~]$ sudo -i
sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
sudo: no valid sudoers sources found, quitting
sudo: setresuid() [0, 0, 0] -> [1002, -1, -1]: Operation not permitted
sudo: unable to initialize policy plugin
[Se_test@auto-hv-02-guest09 ~]$ id -Z
SeLinux_user_u:user_r:user_t:s0:c0.c1023


[root@auto-hv-02-guest09 ~]# semanage user -l | grep SELinux
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
SELinux_user_u  user       s0         s0-s0:c0.c1023                 sysadm_r

[root@auto-hv-02-guest09 ~]# semanage login -l | grep SELinux
Login Name           SELinux User         MLS/MCS Range        Service
se_test              SELinux_user_u       s0:c0.c1023          *

==========================================================================================

I have my test machine in the same state; if you want to take a look, please send me a mail and I will share the setup details by mail.

Comment 3 Noriko Hosoi 2017-04-19 17:09:40 UTC
Note: There is a corresponding bug filed against 389-ds-base - Blocks: 1330525.
I'm asking this question to Ami on the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1330525#c8

Comment 4 Amita Sharma 2017-04-20 07:57:08 UTC
Getting an SELinux error, please check - https://bugzilla.redhat.com/show_bug.cgi?id=1330525#c9

Comment 5 Amita Sharma 2017-06-08 09:33:43 UTC
Getting an SELinux error, please check - https://bugzilla.redhat.com/show_bug.cgi?id=1330525#c14

Comment 10 Amita Sharma 2017-06-15 07:45:36 UTC
The error has changed now with [root@qeos-126 export]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-161.el7.noarch
selinux-policy-3.13.1-161.el7.noarch

----------------
[root@qeos-126 export]# rpm -qa | grep selinux-policy
selinux-policy-targeted-3.13.1-161.el7.noarch
selinux-policy-3.13.1-161.el7.noarch


[root@qeos-126 export]# semanage user -l
SELinuxUser LabelingPrefix   MLS/MCSLevel  MLS/MCSRange   SELinuxRoles
staff_u    user              s0           s0-s0:c0.c1023   staff_r sysadm_r

[root@qeos-126 export]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
amita                staff_u              s0:c0.c1023          *

-----------------------------

[amsharma@dhcp201-141 ~]$ ssh amita.174.203
amita.174.203's password: 
*** 1minutetip system created by amsharma - Thu Jun 15 03:15:37 EDT 2017 ***
[amita@qeos-126 ~]$ id -Z
staff_u:staff_r:staff_t:s0:c0.c1023
[amita@qeos-126 ~]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for amita: 
[root@qeos-126 ~]# setup-ds.pl

==============================================================================
This program will set up the 389 Directory Server.
.
.
.
.

Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 
Could not import LDIF file '/tmp/ldifYgO_iV.ldif'.  Error: 59648.  Output: importing data ...
[15/Jun/2017:03:39:00.208661436 -0400] - INFO - ldbm_instance_config_cachememsize_set - force a minimal value 512000
[15/Jun/2017:03:39:00.216139940 -0400] - INFO - dblayer_instance_start - Import is running with nsslapd-db-private-import-mem on; No other process is allowed to access the database
[15/Jun/2017:03:39:00.216615521 -0400] - INFO - check_and_set_import_cache - pagesize: 4096, available bytes 1606987776, process usage 16822272 
[15/Jun/2017:03:39:00.216966060 -0400] - INFO - check_and_set_import_cache - Import allocates 627729KB import cache.
[15/Jun/2017:03:39:00.233169900 -0400] - INFO - import_main_offline - import userRoot: Beginning import job...
[15/Jun/2017:03:39:00.233885677 -0400] - INFO - import_main_offline - import userRoot: Index buffering enabled with bucket size 100
[15/Jun/2017:03:39:00.435199641 -0400] - ERR - import_producer - import userRoot: Could not open LDIF file "/tmp/ldifYgO_iV.ldif", errno 13 (Permission denied)
[15/Jun/2017:03:39:00.535521682 -0400] - ERR - import_run_pass - import userRoot: Thread monitoring returned: -23

[15/Jun/2017:03:39:00.536005270 -0400] - ERR - import_main_offline - import userRoot: Aborting all Import threads...
[15/Jun/2017:03:39:06.043056442 -0400] - ERR - import_main_offline - import userRoot: Import threads aborted.
[15/Jun/2017:03:39:06.043694865 -0400] - INFO - import_main_offline - import userRoot: Closing files...
[15/Jun/2017:03:39:06.045388420 -0400] - INFO - dblayer_pre_close - All database threads now stopped
[15/Jun/2017:03:39:06.045775026 -0400] - ERR - import_main_offline - import userRoot: Import failed.

Error: Could not create directory server instance 'qeos-126'.
Exiting . . .
Log file is '/tmp/setupW4J276.log'

Comment 11 Amita Sharma 2017-06-15 07:47:53 UTC
LOGS -
--------
[root@qeos-126 ~]# tail -f /var/log/audit/audit.log 
type=CRYPTO_KEY_USER msg=audit(1497512268.133:408): pid=11214 uid=0 auid=1001 ses=7 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:2c:46:1e:83:1c:cf:ac:58:07:2c:90:08:a7:75:b1:9a:43:65:f4:c0:1e:bc:ec:7c:33:8e:7d:75:ab:83:44:6e direction=? spid=11219 suid=1001  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1497512287.164:409): pid=11239 uid=1001 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1497512287.166:410): pid=11239 uid=1001 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1497512287.167:411): pid=11239 uid=1001 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1497512287.167:412): pid=11239 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1497512287.169:413): pid=11239 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ROLE_CHANGE msg=audit(1497512287.172:414): pid=11243 uid=0 auid=1001 ses=7 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='newrole: old-context=staff_u:staff_r:staff_t:s0:c0.c1023 new-context=staff_u:sysadm_r:sysadm_t:s0:c0.c1023 exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1497512340.433:415): avc:  denied  { open } for  pid=11310 comm="ns-slapd" path="/tmp/ldifYgO_iV.ldif" dev="vda1" ino=337257 scontext=staff_u:sysadm_r:dirsrv_t:s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1497512340.433:415): arch=c000003e syscall=2 success=no exit=-13 a0=55b254390980 a1=0 a2=0 a3=7f8581aa78d0 items=0 ppid=11282 pid=11310 auid=1001 uid=389 gid=389 euid=389 suid=389 fsuid=389 egid=389 sgid=389 fsgid=389 tty=(none) ses=7 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=staff_u:sysadm_r:dirsrv_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1497512340.433:415): proctitle=2F7573722F7362696E2F6E732D736C617064006C646966326462002D44002F6574632F6469727372762F736C6170642D71656F732D313236002D6E0075736572726F6F74002D69002F746D702F6C64696659674F5F69562E6C646966

Comment 12 Lukas Vrabec 2017-06-15 10:23:55 UTC
Amita, 

Do you know which process created file: /tmp/ldifYgO_iV.ldif ? 

Thanks.

Comment 13 Amita Sharma 2017-06-19 09:05:08 UTC
(In reply to Lukas Vrabec from comment #12)
> Amita, 
> 
> Do you know which process created file: /tmp/ldifYgO_iV.ldif ? 

Hi Lukas, it is the ns-slapd process of the directory server. The setup-ds.pl script creates this file.

> 
> Thanks.

Comment 14 Amita Sharma 2017-06-19 09:05:28 UTC

Comment 15 Amita Sharma 2017-06-21 10:59:01 UTC
With the latest SELinux build I am getting the error below -
[root@qeos-161 export]# rpm -qa | grep selinux
selinux-policy-3.13.1-163.el7.noarch

[root@qeos-161 export]# semanage user -a -r s0-s0:c0.c1023 -R "staff_r sysadm_r" staff_u
[root@qeos-161 export]# useradd amita
[root@qeos-161 export]# passwd amita
Changing password for user amita.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@qeos-161 export]# semanage login -a -s staff_u -rs0:c0.c1023 amita
[root@qeos-161 export]# echo "amita   ALL=(ALL)  TYPE=sysadm_t ROLE=sysadm_r   /bin/sh " > /etc/sudoers.d/amita 
[root@qeos-161 export]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                 SELinux Roles
staff_u         user       s0         s0-s0:c0.c1023            staff_r sysadm_r

[root@qeos-161 export]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

amita                staff_u              s0:c0.c1023          *

[root@qeos-161 export]# restorecon -FR -v /home/amita/
restorecon reset /home/amita context unconfined_u:object_r:user_home_dir_t:s0->staff_u:object_r:user_home_dir_t:s0
restorecon reset /home/amita/.bash_logout context unconfined_u:object_r:user_home_t:s0->staff_u:object_r:user_home_t:s0
restorecon reset /home/amita/.bash_profile context unconfined_u:object_r:user_home_t:s0->staff_u:object_r:user_home_t:s0
restorecon reset /home/amita/.bashrc context unconfined_u:object_r:user_home_t:s0->staff_u:object_r:user_home_t:s0

[amsharma@dhcp201-141 upstream-tests]$ ssh amita.172.84
amita.172.84's password: 
*** 1minutetip system created by amsharma - Wed Jun 21 06:37:25 EDT 2017 ***
[amita@qeos-161 ~]$ id -Z
staff_u:staff_r:staff_t:s0:c0.c1023
[amita@qeos-161 ~]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for amita: 
-bash: /root/.bash_profile: Permission denied
-bash-4.2# 

LOGS
-----
[root@qeos-161 export]# tail -f /var/log/audit/audit.log 
type=USER_START msg=audit(1498042089.711:500): pid=12366 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.65.223.46 addr=10.65.223.46 terminal=/dev/pts/1 res=success'
type=CRYPTO_KEY_USER msg=audit(1498042089.720:501): pid=12366 uid=0 auid=1000 ses=5 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:7e:70:b3:82:e9:70:4a:76:f2:4e:77:a2:44:b8:d5:90:2d:ba:c5:6a:5b:c3:de:13:8e:ba:e3:f6:52:c5:2b:20 direction=? spid=12371 suid=1000  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1498042106.461:502): pid=12391 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1498042106.462:503): pid=12391 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1498042106.463:504): pid=12391 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1498042106.463:505): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1498042106.464:506): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1498042106.479:507): avc:  denied  { read } for  pid=12395 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042106.479:507): arch=c000003e syscall=2 success=no exit=-13 a0=1405a70 a1=0 a2=435680 a3=7f2f5949f120 items=0 ppid=12391 pid=12395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042106.479:507): proctitle="-bash"
type=AVC msg=audit(1498042436.698:508): avc:  denied  { read } for  pid=12395 comm="bash" name=".bash_logout" dev="vda1" ino=2548494 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042436.698:508): arch=c000003e syscall=2 success=no exit=-13 a0=140e5a0 a1=0 a2=435680 a3=2 items=0 ppid=12391 pid=12395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042436.698:508): proctitle="-bash"
type=AVC msg=audit(1498042436.699:509): avc:  denied  { dac_override } for  pid=12395 comm="bash" capability=1  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1498042436.699:509): arch=c000003e syscall=2 success=no exit=-13 a0=1403ff0 a1=241 a2=180 a3=0 items=0 ppid=12391 pid=12395 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042436.699:509): proctitle="-bash"
type=USER_END msg=audit(1498042436.700:510): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=CRED_DISP msg=audit(1498042436.700:511): pid=12391 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1498042441.285:512): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_ACCT msg=audit(1498042441.286:513): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1498042441.287:514): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
type=CRED_REFR msg=audit(1498042441.287:515): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1498042441.287:516): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
type=AVC msg=audit(1498042441.300:517): avc:  denied  { read } for  pid=12418 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042441.300:517): arch=c000003e syscall=2 success=no exit=-13 a0=151ea70 a1=0 a2=435680 a3=7f7183079120 items=0 ppid=12414 pid=12418 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=PROCTITLE msg=audit(1498042441.300:517): proctitle="-bash"


-------------------------------------------------

ausearch -ts recent
time->Wed Jun 21 06:54:01 2017
type=USER_AUTH msg=audit(1498042441.285:512): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=USER_ACCT msg=audit(1498042441.286:513): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="amita" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=USER_CMD msg=audit(1498042441.287:514): pid=12414 uid=1000 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='cwd="/home/amita" cmd="-bash" terminal=pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=CRED_REFR msg=audit(1498042441.287:515): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=USER_START msg=audit(1498042441.287:516): pid=12414 uid=0 auid=1000 ses=5 subj=staff_u:staff_r:staff_sudo_t:s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Wed Jun 21 06:54:01 2017
type=PROCTITLE msg=audit(1498042441.300:517): proctitle="-bash"
type=SYSCALL msg=audit(1498042441.300:517): arch=c000003e syscall=2 success=no exit=-13 a0=151ea70 a1=0 a2=435680 a3=7f7183079120 items=0 ppid=12414 pid=12418 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=AVC msg=audit(1498042441.300:517): avc:  denied  { read } for  pid=12418 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
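Triage helper for the AVC records quoted in this thread (the description, comment 11 and comment 15), added here as an example and not code from the bug report or from selinux-policy: it parses the denials, groups them by source type, target type and object class, and prints the allow rule audit2allow would derive for each group alongside a heuristic hint that separates labeling problems from policy gaps. The heuristic and the capability-number map (only the value seen in these logs) are assumptions of the example.

```python
"""Triage SELinux AVC denials from an audit.log paste (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Fixed prefix of an AVC record; the key=value tail differs between file and
# capability denials, so it is parsed separately.
_AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are quoted strings or bare tokens
_CAPABILITIES = {"1": "dac_override"}  # assumption: only the number seen in this thread is mapped


@dataclass(frozen=True)
class Denial:
    serial: int
    perms: frozenset
    comm: str
    stype: str   # source domain, third field of scontext
    ttype: str   # target type, third field of tcontext
    tclass: str
    target: str  # path, name or capability name; "" when the record has none


def parse_avc(line):
    """Return a Denial for a type=AVC record, or None for any other audit record."""
    m = _AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    if "capability" in kv:
        target = _CAPABILITIES.get(kv["capability"], "capability " + kv["capability"])
    else:
        target = kv.get("path") or kv.get("name") or ""
    return Denial(
        serial=int(m.group("serial")),
        perms=frozenset(m.group("perms").split()),
        comm=kv.get("comm", ""),
        stype=kv["scontext"].split(":")[2],
        ttype=kv["tcontext"].split(":")[2],
        tclass=kv["tclass"],
        target=target,
    )


def summarize(lines):
    """Group denials by (source type, target type, class); union their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "comms": set()})
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d.stype, d.ttype, d.tclass)]
        g["perms"] |= d.perms
        g["targets"].add(d.target)
        g["comms"].add(d.comm)
    return dict(groups)


def te_rule(stype, ttype, tclass, perms):
    """Type-enforcement allow rule in the form audit2allow prints it."""
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def hint(ttype, tclass):
    """Heuristic triage note (assumption of this example, not an audit2allow feature)."""
    if tclass == "capability":
        return "capability denied to the process domain itself; check which domain the command runs in (id -Z)"
    if ttype.endswith(("_tmp_t", "_home_t")):
        return "target carries a user/home label; confirm its expected label before adding policy"
    return "no label heuristic matched; review against the domain's intended access"


def triage(lines):
    """One report line per denial group: the rule audit2allow would propose plus a hint."""
    report = []
    for (stype, ttype, tclass), g in sorted(summarize(lines).items()):
        report.append(
            f"{te_rule(stype, ttype, tclass, g['perms'])}  "
            f"# {','.join(sorted(g['comms']))} -> {','.join(sorted(g['targets']))}: "
            f"{hint(ttype, tclass)}"
        )
    return report


# Records quoted in this thread; the PROCTITLE line shows that non-AVC records are skipped.
SAMPLE = [
    'type=AVC msg=audit(1449794559.462:4281): avc:  denied  { open } for  pid=13307 comm="perl" path="/etc/shadow" dev="dm-0" ino=529398 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1449794559.462:4281): avc:  denied  { read } for  pid=13307 comm="perl" name="shadow" dev="dm-0" ino=529398 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1497512340.433:415): avc:  denied  { open } for  pid=11310 comm="ns-slapd" path="/tmp/ldifYgO_iV.ldif" dev="vda1" ino=337257 scontext=staff_u:sysadm_r:dirsrv_t:s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1498042441.300:517): avc:  denied  { read } for  pid=12418 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1498042436.699:509): avc:  denied  { dac_override } for  pid=12395 comm="bash" capability=1  scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0:c0.c1023 tclass=capability',
    'type=PROCTITLE msg=audit(1498042441.300:517): proctitle="-bash"',
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```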

Comment 16 Amita Sharma 2017-06-21 10:59:23 UTC

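The records above show the shape of the problem from the confined user's side: after `sudo`, bash runs as uid 0 but still in `staff_t`, and is refused `read` on root's `.bash_profile` (`admin_home_t`). The shell snippet below is an added example, not code from the bug report or from 389-ds; it reduces raw audit records to the source type, target type, class and permission that a policy rule would be written in terms of, which is the first thing to do before deciding whether a denial is a policy gap or an intended block. The function names `summarize_avc` and `count_denials_from` are my own, and the sample records are constructed from lines pasted on this page (the SYSCALL record is shortened).

```shell
#!/bin/sh
# Added example (not from the bug report): summarise SELinux AVC denials
# from raw audit records, as one would before deciding whether a denial
# is a policy bug (as in this report) or an expected block.

# Constructed sample input: the AVC/SYSCALL pair pasted in the comment above
# (SYSCALL shortened) plus the ldif2db record from the original description.
# Real input would be `ausearch -m AVC -ts recent` output on stdin.
SAMPLE_AUDIT='type=AVC msg=audit(1498042441.300:517): avc:  denied  { read } for  pid=12418 comm="bash" name=".bash_profile" dev="vda1" ino=2548495 scontext=staff_u:staff_r:staff_t:s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1498042441.300:517): arch=c000003e syscall=2 success=no exit=-13 items=0 ppid=12414 pid=12418 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" subj=staff_u:staff_r:staff_t:s0:c0.c1023 key=(null)
type=AVC msg=audit(1449794628.065:4413): avc:  denied  { execute_no_trans } for  pid=13367 comm="ldif2db" path="/usr/sbin/ns-slapd" dev="dm-2" ino=4969883 scontext=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dirsrv_exec_t:s0 tclass=file'

# summarize_avc: print one line per denied AVC record read from stdin:
#   <comm> <source type> <target type> <class> <permissions>
# Only the type field of each context is kept, because an allow rule
# (allow source target:class { perms }) is expressed in types, not in
# the full user:role:type:level context.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; perm = ""; st = ""; tt = ""; cls = ""
        # the permissions are the words between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "scontext") { split(kv[2], c, ":"); st = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tt = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        print comm, st, tt, cls, perm
    }'
}

# count_denials_from TYPE: number of denied AVC records on stdin whose
# source type is TYPE. Handy for asserting "no new denials from domain X"
# after a policy update, instead of eyeballing the log.
count_denials_from() {
    summarize_avc | awk -v src="$1" '$2 == src { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

On a live box the same functions take `ausearch -m AVC -ts recent | summarize_avc | sort | uniq -c` to see which (source, target, class, perm) tuples recur; piping the same `ausearch` output into `audit2allow` renders them as allow rules, which is useful to read even when the right fix is a policy update (as here) rather than a local module.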
Comment 18 Amita Sharma 2017-06-22 08:53:09 UTC
Getting the same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1290633#c16 with the latest build, selinux-policy.noarch 0:3.13.1-164.el7, too.

Comment 24 Amita Sharma 2017-06-27 11:48:11 UTC
[root@qeos-66 export]# rpm -qa | grep selinux
selinux-policy-3.13.1-165.el7.noarch

Installed DS with confined user amita -
========================================
The server must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the server,
create this user and group using your native operating
system utilities.

System User [dirsrv]: amita
System Group [dirsrv]: amita

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: 

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [qeos-66]: 

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=lab, dc=eng, dc=rdu2, dc=redhat, dc=com]: 

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 
Your new DS instance 'qeos-66' was successfully created.
Exiting . . .
Log file is '/tmp/setupoZIS1H.log'

[root@qeos-66 export]# ps auxZ | grep ns-slapd 
system_u:system_r:dirsrv_t:s0   amita    23069  0.0  1.4 701712 27528 ?        Ssl  07:27   0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-qeos-66 -i /var/run/dirsrv/slapd-qeos-66.pid

Hence VERIFIED.

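The verification above rests on one observation: after `setup-ds.pl` run on behalf of a confined user, `ns-slapd` is running as that user in `dirsrv_t`, not in the installer's own domain. The snippet below is an added example, not code from the bug report or from 389-ds, that turns that check into something a test script can assert. The function name `check_slapd_domain` is my own; the first sample `ps auxZ` line is the one pasted in the comment, the second is a constructed failure case in which `ns-slapd` kept the caller's `sysadm_t` domain.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that every ns-slapd
# process runs as the expected user in the dirsrv_t domain, which is what
# the `ps auxZ` line in the comment above shows for the fixed policy.

# Constructed sample `ps auxZ` output. GOOD_PS is the line from the comment;
# BAD_PS is an invented failure case where the server kept the installing
# user's sysadm_t domain instead of transitioning to dirsrv_t.
GOOD_PS='system_u:system_r:dirsrv_t:s0   amita    23069  0.0  1.4 701712 27528 ?        Ssl  07:27   0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-qeos-66 -i /var/run/dirsrv/slapd-qeos-66.pid'
BAD_PS='staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 amita    23069  0.0  1.4 701712 27528 ?        Ssl  07:27   0:00 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-qeos-66 -i /var/run/dirsrv/slapd-qeos-66.pid'

# check_slapd_domain USER: read `ps auxZ` output on stdin; succeed only if
# at least one ns-slapd process is present and every one of them runs as
# USER with SELinux type dirsrv_t. With `ps auxZ` the context is column 1,
# the user column 2 and the pid column 3.
check_slapd_domain() {
    awk -v user="$1" '
    $0 ~ /\/usr\/sbin\/ns-slapd/ {
        found++
        split($1, ctx, ":")
        if (ctx[3] != "dirsrv_t" || $2 != user) {
            printf "unexpected ns-slapd process: pid=%s user=%s context=%s\n", $3, $2, $1
            bad++
        }
    }
    END {
        if (found > 0 && bad == 0) exit 0
        exit 1
    }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$GOOD_PS" | check_slapd_domain amita && echo "good sample: ns-slapd confined in dirsrv_t as amita"
printf '%s\n' "$BAD_PS"  | check_slapd_domain amita || echo "bad sample: ns-slapd is not in dirsrv_t"
```

On the system under test this is `ps auxZ | check_slapd_domain amita`; a non-zero exit, together with a fresh `ausearch -m AVC -ts recent`, is the signal that the policy build did not fix the transition.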
Comment 25 errata-xmlrpc 2017-08-01 15:10:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861