Bug 1691351

Summary: Cannot execute "sudo su" when user is confined to staff_u or sysadm_u
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 8.1
Reporter: Milos Malik <mmalik>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, plautrba, rmetrich, ssekidde, zpytela
Doc Type: If docs needed, set a value
Type: Bug
Clone Of: 1688887
Bug Depends On: 1673107
Bug Blocks: 1778780
Last Closed: 2019-11-05 22:11:10 UTC

Description Milos Malik 2019-03-21 13:12:08 UTC
+++ This bug was initially created as a clone of Bug #1688887 +++

Description of problem:

When a user is confined to "staff_u" or "sysadm_u", executing "sudo su" fails with an error:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sudo su
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.14.1-61.el8.noarch
selinux-policy-devel-3.14.1-61.el8.noarch
selinux-policy-targeted-3.14.1-61.el8.noarch
sudo-1.8.25p1-4.el8.x86_64

How reproducible:

Always


Steps to Reproduce:

1. Update system to latest 8.0

  # yum -y update

2. Create confined administrators with sudo capabilities

  # useradd -Z staff_u -G wheel staff
  # echo "staff" | passwd --stdin staff

  # useradd -Z sysadm_u -G wheel sysadm
  # echo "sysadm" | passwd --stdin sysadm
  # semanage boolean -m --on ssh_sysadm_login

3. Log in as "staff" and try "sudo su". Do the same with "sysadm".

  # ssh staff@localhost
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023
  $ sudo su
  su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
  Aborted
  $ exit

  # ssh sysadm@localhost
  $ id -Z
  sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
  $ sudo su
  su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
  Aborted
  $


Additional info:

The following module fixes the issue:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# Local policy module granting the accesses that sudo needs when it runs
# in the staff_sudo_t / sysadm_sudo_t confined domains.
module staff_sysadm_sudo_su 1.0;

require {
	# Every type, class and permission used below must be declared here;
	# they are defined by the installed base policy, not by this module.
	type security_t;
	type staff_sudo_t;
	type sysadm_sudo_t;
	type lastlog_t;
	class passwd passwd;
	class netlink_selinux_socket { bind create };
	class file { open read write };
	class security compute_av;
}

# lastlog update and access-vector queries against selinuxfs (security_t)
allow staff_sudo_t lastlog_t:file { open read write };
allow staff_sudo_t security_t:security compute_av;
allow sysadm_sudo_t lastlog_t:file { open read write };
allow sysadm_sudo_t security_t:security compute_av;

# SELinux netlink notification socket and the passwd class on the domain itself
allow staff_sudo_t self:netlink_selinux_socket { bind create };
allow staff_sudo_t self:passwd passwd;
allow sysadm_sudo_t self:netlink_selinux_socket { bind create };
allow sysadm_sudo_t self:passwd passwd;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 1 Milos Malik 2019-03-21 13:59:03 UTC
When I run the reproducer in permissive mode, it generates a lot of SELinux denials. When these denials are processed by audit2allow, the output is:

#============= staff_sudo_t ==============
allow staff_sudo_t lastlog_t:file { open read write };
allow staff_sudo_t security_t:security compute_av;
allow staff_sudo_t self:netlink_selinux_socket { bind create };
allow staff_sudo_t self:passwd rootok;

#============= sysadm_sudo_t ==============
allow sysadm_sudo_t lastlog_t:file { open read write };
allow sysadm_sudo_t security_t:security compute_av;
allow sysadm_sudo_t self:netlink_selinux_socket { bind create };
allow sysadm_sudo_t self:passwd rootok;

I have never seen an AVC with 'rootok' permission.
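
The audit2allow listing in Comment 1 and the hand-written module in the bug description are two rule sets for the same domains. The script below is an added example for this page (it is not audit2allow, not part of selinux-policy, and not something the reporter posted; the function names are the editor's own). It parses `allow` rules in the one-line form that audit2allow and sesearch print, derives the `require` block a `.te` module needs from them (leaving out the `self` keyword, which is not a type), and reports which (source, target, class, permission) tuples of one rule set are absent from the other, which is how a hand-written module can be checked against fresh audit2allow output. The two embedded rule sets are copied from this bug page.

```python
"""Build an SELinux .te module from audit2allow-style allow rules and
diff two rule sets.  Added example for this bug page, not project code.
Input format: `allow SRC TGT:CLASS PERM;` or `allow SRC TGT:CLASS { PERMS };`
(what audit2allow and `sesearch -A` print)."""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;\s*$"
)

# Copied from Comment 1 of this bug (audit2allow output of a permissive run).
AUDIT2ALLOW_OUTPUT = """
#============= staff_sudo_t ==============
allow staff_sudo_t lastlog_t:file { open read write };
allow staff_sudo_t security_t:security compute_av;
allow staff_sudo_t self:netlink_selinux_socket { bind create };
allow staff_sudo_t self:passwd rootok;

#============= sysadm_sudo_t ==============
allow sysadm_sudo_t lastlog_t:file { open read write };
allow sysadm_sudo_t security_t:security compute_av;
allow sysadm_sudo_t self:netlink_selinux_socket { bind create };
allow sysadm_sudo_t self:passwd rootok;
"""

# Copied from the allow rules of the module in the bug description.
HAND_WRITTEN_MODULE_RULES = """
allow staff_sudo_t lastlog_t:file { open read write };
allow staff_sudo_t security_t:security compute_av;
allow sysadm_sudo_t lastlog_t:file { open read write };
allow sysadm_sudo_t security_t:security compute_av;
allow staff_sudo_t self:netlink_selinux_socket { bind create };
allow staff_sudo_t self:passwd passwd;
allow sysadm_sudo_t self:netlink_selinux_socket { bind create };
allow sysadm_sudo_t self:passwd passwd;
"""


def parse_allow_rules(text):
    """Return [(src, tgt, cls, (perm, ...)), ...] for every allow line.
    Non-allow lines (module/require/type/class, comments, blanks) are
    skipped; a malformed allow line raises ValueError."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("allow"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"cannot parse rule: {line}")
        perms = tuple(sorted(m["perms"].strip("{}").split()))
        rules.append((m["src"], m["tgt"], m["cls"], perms))
    return rules


def fmt_perms(perms):
    """Render a permission list the way checkmodule expects it."""
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(name, version, rules_text):
    """Emit a complete .te source: module header, require block, allow rules."""
    rules = parse_allow_rules(rules_text)
    types = set()
    class_perms = defaultdict(set)
    for src, tgt, cls, perms in rules:
        types.add(src)
        if tgt != "self":          # 'self' is a keyword, never a declared type
            types.add(tgt)
        class_perms[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(sorted(p))};"
            for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt_perms(p)};" for s, t, c, p in rules]
    return "\n".join(out) + "\n"


def permissions(rules_text):
    """Flatten a rule set into (src, tgt, cls, perm) tuples."""
    return {(s, t, c, p)
            for s, t, c, perms in parse_allow_rules(rules_text) for p in perms}


def missing_permissions(wanted_text, granted_text):
    """Permissions present in wanted_text but absent from granted_text."""
    return permissions(wanted_text) - permissions(granted_text)


if __name__ == "__main__":
    print(build_module("staff_sysadm_sudo_su", "1.0", AUDIT2ALLOW_OUTPUT))
    for rule in sorted(missing_permissions(AUDIT2ALLOW_OUTPUT,
                                           HAND_WRITTEN_MODULE_RULES)):
        print("audit2allow wants, hand-written module lacks:", rule)
```

Write the generated text to `staff_sysadm_sudo_su.te`, then build and load it with `checkmodule -M -m -o staff_sysadm_sudo_su.mod staff_sysadm_sudo_su.te`, `semodule_package -o staff_sysadm_sudo_su.pp -m staff_sysadm_sudo_su.mod` and `semodule -i staff_sysadm_sudo_su.pp`. After loading, `sesearch -A -s staff_sudo_t -t lastlog_t -c file` prints the effective rule in the same one-line format, so its output can be fed straight back into `missing_permissions` to confirm nothing from the audit2allow listing is still unresolved.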

Comment 13 errata-xmlrpc 2019-11-05 22:11:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547