Bug 1325364

Summary: Confined administrators cannot run /bin/systemd-tmpfiles
Product: Red Hat Enterprise Linux 7 Reporter: Dustin C. Hatch <rhbz>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-190.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 12:22:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dustin C. Hatch 2016-04-08 14:38:00 UTC
Description of problem:
SELinux-confined users cannot run /bin/systemd-tmpfiles, because no policy rule exists to allow sysadm_t to execute files labeled systemd_tmpfiles_exec_t:

[dhatch@c7-1ea498 ~]$ sudo -r sysadm_r systemd-tmpfiles --create
sesh: unable to execute /bin/systemd-tmpfiles: Permission denied

type=AVC msg=audit(1460124637.840:85): avc:  denied  { execute } for  pid=873 comm="sesh" name="systemd-tmpfiles" dev="dm-0" ino=25553816 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file

Administrators should be allowed to run this command to apply any changes they may have made to configuration in /etc/tmpfiles.d. 

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.13.1-60.el7_2.3.noarch

Comment 4 Lukas Vrabec 2016-07-12 15:06:26 UTC
Fixed in Fedora, we need to back port this.

Comment 12 errata-xmlrpc 2018-04-10 12:22:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763