Bug 1767745

Summary: Confined users trigger AVC denial when screen accesses wtmp
Product: [Fedora] Fedora Reporter: Zdenek Pytela <zpytela>
Component: selinux-policyAssignee: Patrik Koncity <pkoncity>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 34CC: amessina, dwalsh, lvrabec, mgrepl, pkoncity, plautrba, zpytela
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-34.4-1.fc34 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-04 01:00:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1767779    

Description Zdenek Pytela 2019-11-01 10:10:11 UTC 
Description of problem:
Confined users trigger AVC denial when screen is run and tries to access wtmp

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. log in as a confined user user_u, staff_u, sysadm_t
2. execute screen or tmux

Actual results:
Screen/tmux is working, but wtmp is not updated
AVC's are logged

Expected results:
wtmp updated, no AVC's.

Additional info:
Comment 1 Zdenek Pytela 2019-11-01 10:12:20 UTC 
List of denials gathered in permissive mode:
----
type=PROCTITLE msg=audit(1.11.2019 11:08:23.636:248) : proctitle=/usr/libexec/utempter/utempter add :tty5:S.0 
type=PATH msg=audit(1.11.2019 11:08:23.636:248) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=273424 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(1.11.2019 11:08:23.636:248) : item=0 name=/usr/libexec/utempter/utempter inode=275058 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(1.11.2019 11:08:23.636:248) : cwd=/home/user 
type=EXECVE msg=audit(1.11.2019 11:08:23.636:248) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:tty5:S.0 
type=SYSCALL msg=audit(1.11.2019 11:08:23.636:248) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fef73c6d000 a1=0x7ffe016d63f0 a2=0x7ffe016d7f38 a3=0x7fef739f4b80 items=2 ppid=1538 pid=1540 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=utmp sgid=utmp fsgid=utmp tty=(none) ses=6 comm=utempter exe=/usr/libexec/utempter/utempter subj=user_u:user_r:user_screen_t:s0 key=(null) 
type=AVC msg=audit(1.11.2019 11:08:23.636:248) : avc:  denied  { map } for  pid=1540 comm=utempter path=/usr/libexec/utempter/utempter dev="dm-0" ino=275058 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:utempter_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1.11.2019 11:08:23.636:248) : avc:  denied  { read open } for  pid=1540 comm=screen path=/usr/libexec/utempter/utempter dev="dm-0" ino=275058 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:utempter_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(1.11.2019 11:08:23.647:249) : proctitle=/usr/libexec/utempter/utempter add :tty5:S.0 
type=PATH msg=audit(1.11.2019 11:08:23.647:249) : item=0 name=/var/log/wtmp inode=130135 dev=fd:00 mode=file,664 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:wtmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(1.11.2019 11:08:23.647:249) : cwd=/home/user 
type=SYSCALL msg=audit(1.11.2019 11:08:23.647:249) : arch=x86_64 syscall=openat success=yes exit=7 a0=0xffffff9c a1=0x5615ecd42012 a2=O_WRONLY a3=0x0 items=1 ppid=1538 pid=1540 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=utmp sgid=utmp fsgid=utmp tty=(none) ses=6 comm=utempter exe=/usr/libexec/utempter/utempter subj=user_u:user_r:user_screen_t:s0 key=(null) 
type=AVC msg=audit(1.11.2019 11:08:23.647:249) : avc:  denied  { open } for  pid=1540 comm=utempter path=/var/log/wtmp dev="dm-0" ino=130135 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1.11.2019 11:08:23.647:249) : avc:  denied  { write } for  pid=1540 comm=utempter name=wtmp dev="dm-0" ino=130135 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 

Likewise for staff_u and sysadm_u.
Comment 2 Ben Cotton 2020-02-11 17:49:50 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.
Comment 3 Patrik Koncity 2020-11-05 10:36:57 UTC 
https://github.com/fedora-selinux/selinux-policy-contrib/pull/359
Comment 4 Fedora Update System 2021-04-27 19:56:45 UTC 
FEDORA-2021-8d26207af7 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8d26207af7
Comment 5 Fedora Update System 2021-04-28 01:35:18 UTC 
FEDORA-2021-8d26207af7 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-8d26207af7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8d26207af7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Fedora Update System 2021-05-04 01:00:44 UTC 
FEDORA-2021-8d26207af7 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.