Bug 1919122
| Summary: | Permission denied+AVC seen when executing "sudo authconfig" as a confined user (staff_u or sysadm_u) | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Amith <apeetham> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.3 | CC: | lvrabec, miturria, mmalik, plautrba, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.6 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-86.el8 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-10 15:14:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1778780 | | |
Description
Renaud Métrich
2021-01-22 08:11:45 UTC
Thank you. Switching to selinux-policy.

Interestingly, if the sysadm_u user can change to root via sudo -i, they *can* run the authconfig command while running a root shell:

    > sudo authconfig --test
    [sudo] password for user:
    sudo: unable to execute /sbin/authconfig: Permission denied
    > sudo -i
    > whoami
    root
    > id -Z
    sysadm_u:sysadm_r:sysadm_t:s0
    > authconfig --test
    Running authconfig compatibility tool.
    [...]

Why would that be the case?

Will be resolved by labeling /usr/lib/python3.6/site-packages/authselect/authcompat.py but in RHEL 8 only as there is no authselect-compat in current releases.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995