Bug 1831630
| Summary: | SELinux prevents the sysadm_u user from running rfkill (or gsd-rfkill) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.2 | CC: | lvrabec, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.4 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-05-18 14:57:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1778780 | ||
I've submitted a Fedora draft PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/535 Merged in rawhide:
commit 440e7f65892d6671e8d376e3d4939f15c82e17e8 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Fri Jan 8 17:45:49 2021 +0100
Allow sysadm read and write /dev/rfkill
This permission is required to run rfkill which enables or disables
wireless devices.
Resolves: rhbz#1831630
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1639 |
Description of problem: * SELinux denials appear when sysadm_u user runs rfkill * SELinux denials appear when sysadm_u user logs into X session (the xdm_sysadm_login boolean is enabled) and gsd-rfkill is executed automagically Version-Release number of selected component (if applicable): gnome-settings-daemon-3.32.0-9.el8.x86_64 selinux-policy-3.14.3-43.el8.noarch selinux-policy-devel-3.14.3-43.el8.noarch selinux-policy-doc-3.14.3-43.el8.noarch selinux-policy-minimum-3.14.3-43.el8.noarch selinux-policy-mls-3.14.3-43.el8.noarch selinux-policy-sandbox-3.14.3-43.el8.noarch selinux-policy-targeted-3.14.3-43.el8.noarch util-linux-2.32.1-22.el8.x86_64 How reproducible: * always Steps to Reproduce: 1. get a RHEL-8.2 machine (targeted policy is active) 2. # useradd -Z sysadm_u sysadm-user 3. # passwd sysadm-user 4. log in as sysadm-user via ssh 5. run: "rfkill" or "rfkill list" or "rfkill event" Actual results: ---- type=PROCTITLE msg=audit(05/05/2020 11:13:52.062:1224) : proctitle=/usr/libexec/gsd-rfkill type=PATH msg=audit(05/05/2020 11:13:52.062:1224) : item=0 name=/dev/rfkill inode=70108 dev=00:06 mode=character,664 ouid=root ogid=root rdev=0a:3c obj=system_u:object_r:wireless_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(05/05/2020 11:13:52.062:1224) : cwd=/home/sysadm-user type=SYSCALL msg=audit(05/05/2020 11:13:52.062:1224) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55627865c000 a2=O_RDWR a3=0x0 items=1 ppid=70498 pid=70880 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=tty2 ses=86 comm=gsd-rfkill exe=/usr/libexec/gsd-rfkill subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/05/2020 11:13:52.062:1224) : avc: denied { read write } for pid=70880 comm=gsd-rfkill name=rfkill dev="devtmpfs" ino=70108 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0 ---- type=PROCTITLE msg=audit(05/05/2020 11:50:28.578:1398) : proctitle=rfkill type=PATH msg=audit(05/05/2020 11:50:28.578:1398) : item=0 name=/dev/rfkill inode=70108 dev=00:06 mode=character,664 ouid=root ogid=root rdev=0a:3c obj=system_u:object_r:wireless_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(05/05/2020 11:50:28.578:1398) : cwd=/home/sysadm-user type=SYSCALL msg=audit(05/05/2020 11:50:28.578:1398) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x56066f0aea7f a2=O_RDONLY a3=0x0 items=1 ppid=83949 pid=84491 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=tty2 ses=102 comm=rfkill exe=/usr/sbin/rfkill subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(05/05/2020 11:50:28.578:1398) : avc: denied { read } for pid=84491 comm=rfkill name=rfkill dev="devtmpfs" ino=70108 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0 ---- Expected results: * no SELinux denials Additional information: # ls -iZ /dev/rfkill 70108 system_u:object_r:wireless_device_t:s0 /dev/rfkill # matchpathcon /dev/rfkill /dev/rfkill system_u:object_r:wireless_device_t:s0 #