Bug 1919402

Summary: missing compat of pam_tty_audit.so / selinux / systemd
Product: Red Hat Enterprise Linux 8 Reporter: Leon Fauster <leonfauster>
Component: selinux-policy Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.3 CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc   
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: No Doc Update
Last Closed: 2021-01-22 20:05:51 UTC Type: Bug

Description Leon Fauster 2021-01-22 19:22:12 UTC
## Description of problem:

Configuring RHEL8 as described here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

resulted in AVC/Deny and filled log files with:

    time->Mon Jan 11 10:05:01 2021
    type=PROCTITLE msg=audit(1610355901.401:35527): proctitle="(systemd)"
    type=SYSCALL msg=audit(1610355901.401:35527): arch=c000003e syscall=46 success=yes exit=16 a0=b a1=7ffd25f88150 a2=0 a3=0 items=0 ppid=1 pid=174285 auid=48 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4200 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
    type=AVC msg=audit(1610355901.401:35527): avc:  denied  { audit_control } for  pid=174285 comm="(systemd)" capability=30  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0


## Version-Release number of selected component (if applicable):

    # rpm -q pam systemd selinux-policy
    pam-1.3.1-11.el8.x86_64
    systemd-239-41.el8_3.1.x86_64
    selinux-policy-3.14.3-54.el8.noarch


## How reproducible:

    # useradd testuser
    # echo -e "session     required \t\t\t\t\t pam_tty_audit.so disable=* enable=testuser"  >> /etc/pam.d/password-auth
    # echo -e "session     required \t\t\t\t\t pam_tty_audit.so disable=* enable=testuser"  >> /etc/pam.d/system-auth
    # reboot


## Expected results:

No AVC logs


## Additional info:

Workaround, custom module:

    module audit4systemd 1.0;

    require {
        type init_t;
        class capability audit_control;
    }

    #============= init_t ==============
    allow init_t self:capability audit_control;
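
An added example, not part of the original report or of any Red Hat tooling: a Python parser that reads the AVC record quoted in the description and derives the policy module shown in the workaround, which makes the mapping from audit fields to the `allow` rule explicit. The function names are hypothetical; on a real system `audit2allow` performs this step.

```python
import re

# AVC record copied from the bug description above (the only input used here).
SAMPLE = (
    'type=AVC msg=audit(1610355901.401:35527): avc:  denied  { audit_control } for  '
    'pid=174285 comm="(systemd)" capability=30  scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # value is quoted or whitespace-free

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('rest')))
    # A context is user:role:type:level; policy rules are written on the type.
    return {
        'perms': m.group('perms').split(),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm', '').strip('"'),
    }

def _perms(perms):
    names = sorted(perms)
    return names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'

def build_module(name, lines):
    """Build policy module source covering every denial found in lines."""
    rules = {}  # (source type, target type, class) -> set of permissions
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['source'], rec['target'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = {}
    for (_, _, c), p in rules.items():
        classes.setdefault(c, set()).update(p)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'    type {t};' for t in types]
    out += [f'    class {c} {_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for (s, t, c), p in sorted(rules.items()):
        # Source and target type are identical here, so the rule uses "self".
        out.append(f'allow {s} {"self" if s == t else t}:{c} {_perms(p)};')
    return '\n'.join(out) + '\n'
```

Calling `build_module('audit4systemd', [SAMPLE])` returns the module source, which can be compared with the hand-written workaround before anything is loaded.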

Comment 1 Zdenek Pytela 2021-01-22 20:05:51 UTC

*** This bug has been marked as a duplicate of bug 1861771 ***