Bug 1767721

Summary: Confined users cannot query systemd journal when logged on console
Product: Fedora
Component: selinux-policy
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 32
Hardware: Unspecified
OS: Unspecified
Reporter: Zdenek Pytela <zpytela>
Assignee: Patrik Koncity <pkoncity>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: amessina, dwalsh, lvrabec, mgrepl, pkoncity, plautrba, zpytela
Fixed In Version: selinux-policy-3.14.5-44.fc32
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2020-10-05 17:32:33 UTC
Bug Blocks: 1767779

Description Zdenek Pytela 2019-11-01 08:16:23 UTC
Description of problem:
Confined users cannot query systemd journal when logged on console

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. A confined user user_u, staff_u, or sysadm_t logs in on a console
2. run journalctl

Actual results:
$ journalctl -l --user
<no output in enforcing mode>
AVCs audited in permissive mode:
----
type=PROCTITLE msg=audit(11/01/19 09:11:06.778:2636) : proctitle=journalctl -l --user 
type=PATH msg=audit(11/01/19 09:11:06.778:2636) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=273424 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/01/19 09:11:06.778:2636) : item=0 name=/usr/bin/journalctl inode=275732 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:journalctl_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/01/19 09:11:06.778:2636) : cwd=/home/sysadm 
type=EXECVE msg=audit(11/01/19 09:11:06.778:2636) : argc=3 a0=journalctl a1=-l a2=--user 
type=SYSCALL msg=audit(11/01/19 09:11:06.778:2636) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e0e5d55070 a1=0x55e0e5d515f0 a2=0x55e0e5d59850 a3=0x8 items=2 ppid=35872 pid=35913 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=tty5 ses=210 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/01/19 09:11:06.778:2636) : avc:  denied  { read write } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(11/01/19 09:11:06.812:2637) : proctitle=journalctl -l --user 
type=SYSCALL msg=audit(11/01/19 09:11:06.812:2637) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x1 a1=TCGETS a2=0x7fffe232dc30 a3=0x0 items=0 ppid=35872 pid=35913 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=tty5 ses=210 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/01/19 09:11:06.812:2637) : avc:  denied  { ioctl } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1 
Fri Nov  1 09:11:16 CET 2019

Expected results:
list of journal entries

Additional info:
These permissions are allowed:
allow journalctl_t user_devpts_t:chr_file { append getattr ioctl lock read write };
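
Added example, not part of the bug report or of the selinux-policy fix. The rule quoted above covers user_devpts_t, the label of pseudo-terminals (ssh sessions, terminal emulators); a login on a virtual console instead hands journalctl_t an inherited /dev/ttyN labelled user_tty_device_t, which is why the denial shows up only on the console. The script below copies the two AVC records from the report into a variable (constructed input, so it runs without audit access), collapses them into a minimal type-enforcement module in the `module NAME 1.0;` syntax that checkmodule compiles directly, and, on an SELinux host, builds and loads it as an interim workaround and confirms the rule with sesearch. The module name local_journalctl_tty is an arbitrary choice; the build step assumes policycoreutils and setools are installed and runs as root.

```shell
#!/bin/sh
# Added example, not from the bug report or selinux-policy: turn the AVC
# records quoted in the report into a minimal local policy module.

# The two AVC records from the report, copied verbatim (constructed input so
# the script runs offline; on a live host use: ausearch -m avc -c journalctl).
AVC_LOG='type=AVC msg=audit(11/01/19 09:11:06.778:2636) : avc:  denied  { read write } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(11/01/19 09:11:06.812:2637) : avc:  denied  { ioctl } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1'

# avc_to_te MODULE_NAME: read AVC records on stdin, write a .te module on stdout.
# Stage 1 flattens each record into "source_type target_type class perm" lines;
# sort -u merges duplicate permissions and fixes the output order; stage 2
# assembles the require block and one allow rule per (source, target, class).
avc_to_te() {
    awk '/avc: +denied/ {
        if (!match($0, /[{] [^}]* [}]/)) next       # "{ read write }"
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type[:range]; the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++) print src, tgt, cls, p[i]
    }' | LC_ALL=C sort -u | awk -v name="$1" '
    {
        for (j = 1; j <= 2; j++)
            if (!($j in seen_t)) { seen_t[$j] = 1; t_order[++nt] = $j }
        if (!($3 in seen_c)) { seen_c[$3] = 1; c_order[++nc] = $3 }
        cp = $3 " " $4
        if (!(cp in seen_cp)) { seen_cp[cp] = 1; classperm[$3] = classperm[$3] " " $4 }
        key = $1 " " $2 ":" $3
        if (!(key in rules)) { r_order[++nr] = key; rules[key] = "" }
        rules[key] = rules[key] " " $4
    }
    END {
        print "module " name " 1.0;\n"
        print "require {"
        for (i = 1; i <= nt; i++) print "    type " t_order[i] ";"
        for (i = 1; i <= nc; i++) print "    class " c_order[i] " {" classperm[c_order[i]] " };"
        print "}\n"
        for (i = 1; i <= nr; i++) print "allow " r_order[i] " {" rules[r_order[i]] " };"
    }'
}

# workaround_te: the module for this bug, derived from the records above.
workaround_te() { printf '%s\n' "$AVC_LOG" | avc_to_te local_journalctl_tty; }

# build_and_load: compile, package and load the module, then confirm the rule
# is present. Needs checkmodule/semodule (policycoreutils) and sesearch
# (setools) on an SELinux host, run as root. Not invoked automatically here.
build_and_load() {
    mod=local_journalctl_tty
    workaround_te > "$mod.te" &&
    checkmodule -M -m -o "$mod.mod" "$mod.te" &&
    semodule_package -o "$mod.pp" -m "$mod.mod" &&
    semodule -i "$mod.pp" &&
    sesearch -A -s journalctl_t -t user_tty_device_t -c chr_file
}

workaround_te
```

The generated module grants only the { ioctl read write } permissions seen in the two AVCs, narrower than the inherited-terminal permission set the userdom_use_inherited_user_tty() interface used by the fix provides, so a later journalctl operation may still trip over getattr or similar. Once selinux-policy-3.14.5-44.fc32 or later is installed, remove the local module with `semodule -r local_journalctl_tty` so the distribution policy remains the only source of the rule.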

Comment 1 Ben Cotton 2020-02-11 17:49:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 3 Lukas Vrabec 2020-09-02 12:53:43 UTC
commit 16a9b53217387a5efc16b45cb25a610f4f72d957 (HEAD -> f32, origin/f32)
Author: Patrik Koncity <pkoncity>
Date:   Wed Sep 2 13:33:45 2020 +0200

    Allow journalctl to read and write to inherited user domain tty
    
    Add macro userdom_use_inherited_user_tty() to journalctl policy, which
    allows it to read and write to the inherited user domain tty.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1767721

Comment 4 Fedora Update System 2020-10-02 07:03:41 UTC
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 5 Fedora Update System 2020-10-03 02:09:01 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-10-05 17:32:33 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.