Bug 1685689
| Summary: | SELinux denials appear when confined users run journalctl | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Keywords: | AutoVerified |
| Target Release: | 8.1 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 22:10:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1673107, 1682526 | ||
| Bug Blocks: | 1778780 | ||
Fixed in Fedora.
commit 9a31dd235f6f3713e65b7c03bdfde6a328f8039b (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date: Wed Mar 6 13:21:47 2019 +0100
Allow journalctl_t domain to mmap syslogd_var_run_t files
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 |
Description of problem: * if the domain_can_mmap_files boolean was enabled, then the SELinux denials would not have appeared, but the boolean is disabled by default Version-Release number of selected component (if applicable): selinux-policy-3.14.1-61.el8.noarch selinux-policy-devel-3.14.1-61.el8.noarch selinux-policy-targeted-3.14.1-61.el8.noarch systemd-239-13.el8.x86_64 systemd-libs-239-13.el8.x86_64 systemd-pam-239-13.el8.x86_64 systemd-udev-239-13.el8.x86_64 How reproducible: * always Steps to Reproduce: 1. get a RHEL-8.0 machine (targeted policy is active) 2. create a confined user (e.g. staff_u, sysadm_u, user_u) 3. log in as the user (via ssh or via console) 4. run journalctl --user 5. run journalctl --system 6. search for SELinux denials Actual results: ---- type=PROCTITLE msg=audit(03/05/2019 14:12:17.503:1619) : proctitle=journalctl -n 10 --system type=MMAP msg=audit(03/05/2019 14:12:17.503:1619) : fd=5 flags=MAP_SHARED type=SYSCALL msg=audit(03/05/2019 14:12:17.503:1619) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x800000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=26662 pid=26663 auid=user1748 uid=user1748 gid=user1748 euid=user1748 suid=user1748 fsuid=user1748 egid=user1748 sgid=user1748 fsgid=user1748 tty=pts2 ses=47 comm=journalctl exe=/usr/bin/journalctl subj=staff_u:staff_r:journalctl_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(03/05/2019 14:12:17.503:1619) : avc: denied { map } for pid=26663 comm=journalctl path=/run/log/journal/bfd37efc55db4f44a0f350821db2b810/system.journal dev="tmpfs" ino=11263 scontext=staff_u:staff_r:journalctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(03/05/2019 14:12:30.509:1724) : proctitle=journalctl -n 10 --system type=MMAP msg=audit(03/05/2019 14:12:30.509:1724) : fd=5 flags=MAP_SHARED type=SYSCALL msg=audit(03/05/2019 14:12:30.509:1724) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x800000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=26892 pid=26893 auid=user1748 uid=user1748 gid=user1748 euid=user1748 suid=user1748 fsuid=user1748 egid=user1748 sgid=user1748 fsgid=user1748 tty=pts2 ses=51 comm=journalctl exe=/usr/bin/journalctl subj=user_u:user_r:journalctl_t:s0 key=(null) type=AVC msg=audit(03/05/2019 14:12:30.509:1724) : avc: denied { map } for pid=26893 comm=journalctl path=/run/log/journal/bfd37efc55db4f44a0f350821db2b810/system.journal dev="tmpfs" ino=11263 scontext=user_u:user_r:journalctl_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(03/05/2019 14:12:43.212:1829) : proctitle=journalctl -n 10 --system type=MMAP msg=audit(03/05/2019 14:12:43.212:1829) : fd=5 flags=MAP_SHARED type=SYSCALL msg=audit(03/05/2019 14:12:43.212:1829) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x0 a1=0x800000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=27121 pid=27122 auid=user1748 uid=user1748 gid=user1748 euid=user1748 suid=user1748 fsuid=user1748 egid=user1748 sgid=user1748 fsgid=user1748 tty=pts2 ses=55 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(03/05/2019 14:12:43.212:1829) : avc: denied { map } for pid=27122 comm=journalctl path=/run/log/journal/bfd37efc55db4f44a0f350821db2b810/system.journal dev="tmpfs" ino=11263 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file permissive=0 ---- Expected results: * no SELinux denials