Bug 1966945

Summary: AVC "signull" seen for confined users when executing "sudo" command

Product: Red Hat Enterprise Linux 8
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Type: Bug
Keywords: Triaged
Target Milestone: rc
Target Release: 8.6
Fixed In Version: selinux-policy-3.14.3-84.el8
Doc Type: Bug Fix
Reporter: Renaud Métrich <rmetrich>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Milos Malik <mmalik>
CC: daniel.j.arevalo.ctr, lvrabec, mmalik, plautrba, ssekidde
Bug Blocks: 1778780
Last Closed: 2022-05-10 15:14:58 UTC

Description Renaud Métrich 2021-06-02 08:16:39 UTC
Description of problem:

When "maxlogins" is specified in /etc/security/limits.conf and a confined user (sysadm_u or staff_u) issues a "sudo" command, the following AVC is seen:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Wed Jun  2 10:05:31 2021
type=PROCTITLE msg=audit(1622621131.587:692): proctitle=7375646F002D75007374616666006563686F
type=SYSCALL msg=audit(1622621131.587:692): arch=c000003e syscall=62 success=no exit=-13 a0=7b6 a1=0 a2=4 a3=7ffdd0ae746f items=0 ppid=1899 pid=2385 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=17 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622621131.587:692): avc:  denied  { signull } for  pid=2385 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-67.el8.noarch but also on RHEL7

How reproducible:

Always

Steps to Reproduce:
1. Create a confined user mapped to sysadm_u or staff_u

  # useradd -Z staff_u -G wheel staff
  # echo "redhat" | passwd --stdin staff

2. Create a "maxlogins" limit file

  # echo "* hard maxlogins 10" > /etc/security/limits.d/maxlogins.conf

3. Login as the staff user

  # ssh staff@localhost
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

4. Login as the staff user in another terminal and sudo

  # ssh staff@localhost "sudo -u staff echo"

Actual results:

time->Wed Jun  2 10:15:25 2021
type=PROCTITLE msg=audit(1622621725.434:1357): proctitle=7375646F002D75007374616666006563686F
type=SYSCALL msg=audit(1622621725.434:1357): arch=c000003e syscall=62 success=no exit=-13 a0=cdf a1=0 a2=4 a3=7fffed2a21ef items=0 ppid=3529 pid=3530 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=69 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622621725.434:1357): avc:  denied  { signull } for  pid=3530 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0

Expected results:

No AVC
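
As an added worked example (not part of the bug report or of the selinux-policy project), the script below correlates the three audit records quoted above by their event id, decodes the hex proctitle, and reads the kill(pid, sig) arguments out of the SYSCALL record, which is what shows that sudo probed an sshd_t process with signal 0, the operation SELinux checks as the signull permission. The x86_64 syscall-number table is my assumption for arch=c000003e; the candidate rule is what audit2allow would derive and is shown for analysis only.

```python
import re

# The three audit records quoted in the bug report, forming one event (constructed sample input).
SAMPLE_AUDIT_LOG = """\
type=PROCTITLE msg=audit(1622621131.587:692): proctitle=7375646F002D75007374616666006563686F
type=SYSCALL msg=audit(1622621131.587:692): arch=c000003e syscall=62 success=no exit=-13 a0=7b6 a1=0 a2=4 a3=7ffdd0ae746f items=0 ppid=1899 pid=2385 auid=1001 uid=0 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=17 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1622621131.587:692): avc:  denied  { signull } for  pid=2385 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
EVENT_ID_RE = re.compile(r'audit\(([\d.]+:\d+)\)')     # timestamp:serial that ties records together
PERMS_RE = re.compile(r'\{ ([^}]*) \}')                # AVC lists denied permissions in braces
SYSCALL_NAMES = {62: "kill", 200: "tkill", 234: "tgkill"}  # x86_64 numbers (arch=c000003e), assumed

def parse_events(log_text):
    """Group audit records by event id, then by record type (AVC, SYSCALL, PROCTITLE)."""
    events = {}
    for line in log_text.splitlines():
        if not line.startswith("type="):
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        event_id = EVENT_ID_RE.search(line).group(1)
        events.setdefault(event_id, {})[fields["type"]] = fields
    return events

def decode_proctitle(hex_title):
    """proctitle is the NUL-separated argv, hex encoded; render it as the command line."""
    return bytes.fromhex(hex_title).decode("utf-8", "replace").replace("\x00", " ")

def explain_denial(event):
    """Correlate the AVC with its SYSCALL and PROCTITLE records into one summary."""
    avc, sc, pt = event["AVC"], event["SYSCALL"], event["PROCTITLE"]
    source_type = avc["scontext"].split(":")[2]   # user:role:type:range -> type
    target_type = avc["tcontext"].split(":")[2]
    return {
        "command": decode_proctitle(pt["proctitle"]),
        "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
        "target_pid": int(sc["a0"], 16),   # kill(pid, sig): a0 is the pid being probed
        "signal": int(sc["a1"], 16),       # signal 0 only tests existence; SELinux checks it as signull
        "source_type": source_type,
        "target_type": target_type,
        "perms": avc["perms"],
        # The rule audit2allow would print for this event; whether policy should grant it is a separate decision.
        "candidate_rule": f"allow {source_type} {target_type}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};",
    }
```

Running explain_denial over the parsed sample yields the command line "sudo -u staff echo", a kill() of pid 1974 with signal 0, and the candidate rule "allow staff_sudo_t sshd_t:process { signull };".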

Comment 1 Zdenek Pytela 2021-11-18 18:33:44 UTC
I've submitted a draft Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/947

Comment 11 errata-xmlrpc 2022-05-10 15:14:58 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995