Bug 1956302

Summary: Confined sysadm users cannot read the content of /etc/shadow, even when using getent
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.3CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rcKeywords: Triaged
Target Release: 8.5   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-77.el8 Doc Type: Bug Fix
Doc Text:
Cause: A confined sysadm user was unable to access /etc/shadow Consequence: The user was denied to read and manage users passwords Fix: A rule was added to the policy to allow confined sysadm user manage /etc/shadow Result: The user is now able to read and manage users passwords
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 19:43:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1778780    

Description Renaud Métrich 2021-05-03 12:44:07 UTC 
Description of problem:

With the current policy, sysadm_t users cannot read the content of /etc/shadow after sudoing: nothing is returned and no AVC pops up (because there is a dontaudit rule):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

$ sudo getent shadow
--> empty
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Note that using **sudo -r sysadm_r** doesn't help either here (which is the usual workaround for BZ #1943572):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sudo -r sysadm_r getent shadow
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is because **sysadm_t** (the context of getent since it's labeled with bin_t) has no rule for that in the policy (there is only a dontaudit rule to hide the AVC):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch --dontaudit -s sysadm_t -t shadow_t -c file -p read
dontaudit sysadm_t shadow_t:file { getattr ioctl lock open read };

# sesearch --allow -s sysadm_t -t shadow_t -c file -p read
--> nothing
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Does that make sense to allow sysadm_t to do this???
YES because sysadm_t can already **edit** the file using **/usr/sbin/vipw** (so can actually do more ...).


Version-Release number of selected component (if applicable):

RHEL7 and RHEL8 policies


How reproducible:

Always, see above.

Additional info:

My recommendation is to add the following rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
auth_read_shadow(sysadm_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Note that because of BZ #1943572, this won't solve the issue for **sudo getent shadow**, only for **sudo -r sysadm_r getent shadow**.
I would hence recommend that RFE BZ #1910077 gets implemented ASAP.
Comment 9 errata-xmlrpc 2021-11-09 19:43:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420