Bug 1773474

Summary: SELinux prevents confined users from running tuned-adm list
Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.2
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 8.2
Reporter: Milos Malik <mmalik>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
Docs Contact:
CC: lvrabec, mmalik, plautrba, ssekidde, zpytela
Keywords: Triaged
Flags: pm-rhel: mirror+
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-07 17:39:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1778780

Description Milos Malik 2019-11-18 08:44:13 UTC
Description of problem:
$ tuned-adm list
2019-11-18 03:37:20,533 ERROR    dbus.proxies: Introspect error on :1.109:/Tuned: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules;
...
DBus call to Tuned daemon failed
$

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-26.el8.noarch
selinux-policy-targeted-3.14.3-26.el8.noarch
tuned-2.12.0-3.el8.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-8.1 machine (targeted policy is active)
2. start the tuned service
3. log in as a confined user (user_u, staff_u, guest_u, xguest_u, sysadm_u)
4. run: tuned-adm list
5. search for SELinux denials

Actual results:
----
type=USER_AVC msg=audit(11/18/2019 03:24:12.665:511) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=profiles dest=:1.13 spid=6120 tpid=656 scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(11/18/2019 03:24:12.674:512) : proctitle=/usr/libexec/platform-python -Es /usr/sbin/tuned-adm list 
type=SYSCALL msg=audit(11/18/2019 03:24:12.674:512) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7ff725793c90 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=5971 pid=6120 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=pts1 ses=13 comm=tuned-adm exe=/usr/libexec/platform-python3.6 subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/18/2019 03:24:12.674:512) : avc:  denied  { read } for  pid=6120 comm=tuned-adm name=tuned.pid dev="tmpfs" ino=23890 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file permissive=0 
----
type=USER_AVC msg=audit(11/18/2019 03:28:23.428:594) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=profiles dest=:1.13 spid=6223 tpid=656 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=PROCTITLE msg=audit(11/18/2019 03:28:23.431:595) : proctitle=/usr/libexec/platform-python -Es /usr/sbin/tuned-adm list 
type=SYSCALL msg=audit(11/18/2019 03:28:23.431:595) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fc6fd7e2c20 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=0 ppid=6198 pid=6223 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=pts1 ses=17 comm=tuned-adm exe=/usr/libexec/platform-python3.6 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/18/2019 03:28:23.431:595) : avc:  denied  { read } for  pid=6223 comm=tuned-adm name=tuned.pid dev="tmpfs" ino=23890 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file permissive=0 
----
type=USER_AVC msg=audit(11/18/2019 03:41:06.200:649) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.109 spid=6934 tpid=6751 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/18/2019 03:41:06.203:650) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=profiles2 dest=:1.109 spid=6934 tpid=6751 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(11/18/2019 03:41:06.203:651) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=profiles dest=:1.109 spid=6934 tpid=6751 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

Expected results:
 * no SELinux denials
 * "tuned-adm list" works as expected

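The denials quoted above come from two different object managers: the `{ read }` on tuned.pid is a kernel AVC, while the `{ send_msg }` records are USER_AVC messages emitted by dbus-daemon (note `exe=/usr/bin/dbus-daemon`, and no `comm=tuned-adm`), so `ausearch -m AVC` or `ausearch -c tuned-adm` alone shows only half the picture. The script below is an added example, not part of this bug report or of selinux-policy: it parses both record kinds from a sample constructed out of the records quoted in the report, collapses them into the TE allow rules a local policy module would need, and adds the reverse dbus `send_msg` rule for the daemon's reply, which never appears in the log until the client-side denial has been resolved. The helper names (`parse_denials`, `allow_rules`, `sel_type`) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four of the audit records quoted in the bug report,
# including a PROCTITLE record the parser has to skip.
SAMPLE_AUDIT = r"""
type=USER_AVC msg=audit(11/18/2019 03:24:12.665:511) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=profiles dest=:1.13 spid=6120 tpid=656 scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=PROCTITLE msg=audit(11/18/2019 03:24:12.674:512) : proctitle=/usr/libexec/platform-python -Es /usr/sbin/tuned-adm list
type=AVC msg=audit(11/18/2019 03:24:12.674:512) : avc:  denied  { read } for  pid=6120 comm=tuned-adm name=tuned.pid dev="tmpfs" ino=23890 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tuned_var_run_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(11/18/2019 03:28:23.428:594) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=profiles dest=:1.13 spid=6223 tpid=656 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(11/18/2019 03:41:06.200:649) : pid=596 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=:1.109 spid=6934 tpid=6751 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=0  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
"""

# One pattern for both record kinds: a USER_AVC from dbus-daemon wraps the
# same "avc: denied { perms } ... scontext= tcontext= tclass=" body inside
# msg='...'.  Without re.DOTALL the lazy .*? never crosses a line boundary.
AVC_RE = re.compile(
    r"^type=(?P<rec>USER_AVC|AVC) .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)"
    r"(?: permissive=(?P<perm>[01]))?",
    re.MULTILINE,
)


def sel_type(ctx):
    """user:role:type[:range] -> type; the MCS range may itself contain ':'."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return (record_kind, source_type, target_type, class, perm, enforcing)
    tuples, one per denied permission, for every AVC/USER_AVC record."""
    found = []
    for m in AVC_RE.finditer(text):
        enforcing = m.group("perm") != "1"   # permissive=1 means it was only logged
        for perm in m.group("perms").split():
            found.append((m.group("rec"), sel_type(m.group("src")),
                          sel_type(m.group("tgt")), m.group("cls"),
                          perm, enforcing))
    return found


def allow_rules(denials):
    """Collapse denials into TE allow rules keyed on (source, target, class),
    the same grouping audit2allow uses, plus the reverse rule for dbus replies."""
    perms = defaultdict(set)
    for _rec, src, tgt, cls, perm, _enf in denials:
        perms[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), ps in sorted(perms.items()):
        plist = sorted(ps)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
        # A D-Bus method call is answered by a reply, which is a separate
        # send_msg check in the other direction.  It is only logged once the
        # client->daemon rule is loaded, so emit it up front instead of
        # iterating load-module/retry/audit2allow.
        if cls == "dbus" and "send_msg" in ps:
            rules.append(f"allow {tgt} {src}:dbus send_msg;")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT)):
        print(rule)
```

On a live system the input would be `ausearch -m AVC,USER_AVC -ts recent` (not filtered by `-c tuned-adm`, which drops the dbus-daemon records). Before packaging the output into a local module, keep in mind that a dbus `send_msg` rule is granted per domain pair, not per D-Bus method: it lets user_t reach every method tuned_t exposes on com.redhat.tuned.control, not just `profiles`, so whether a confined user can then switch profiles is left entirely to tuned's own per-method authorization. That widening is the reason the report's expected fix was a policy change rather than a one-off local module.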
Comment 4 Zdenek Pytela 2021-05-07 17:39:57 UTC
This bug has not been acknowledged by the subsystem to be resolved in RHEL 8, hence closing.
If you believe the decision needs to be reconsidered, please adjust severity accordingly and bring out justification.