Bug 1972820

Summary: Defaults use_pty plus SELinux ROLE in user specification breaks terminal
Product: Red Hat Enterprise Linux 7
Component: sudo
Version: 7.9
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Triaged, ZStream
Flags: pm-rhel: mirror+
Fixed In Version: sudo-1.8.23-10.el7_9.2
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-10-12 15:31:00 UTC
Reporter: Steven Pritchard <steve>
Assignee: Radovan Sroka <rsroka>
QA Contact: Dalibor Pospíšil <dapospis>
CC: dapospis, jreznik, lvrabec, mello, peli, rmetrich, rmullett, tscherf, yoliynyk, zpytela

Description Steven Pritchard 2021-06-16 16:50:55 UTC
Description of problem:
The combination of

  Defaults use_pty

and ROLE= in a user specification like this:

  vagrant        ALL=(ALL)       ROLE=unconfined_r NOPASSWD: ALL

causes this behavior:

  [vagrant@rhel7 ~]$ sudo -i
  -bash: cannot set terminal process group (-1): Inappropriate ioctl for device
                                                                               -bash: no job control in this shell
                                  [root@rhel7 ~]# 

Note that this happens even if there is no role transition.  In the example above, the vagrant user is already unconfined.

Version-Release number of selected component (if applicable):
sudo-1.8.23-10.el7_9.1.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add "Defaults use_pty" to /etc/sudoers (as required by CIS RHEL 7 Benchmark v3.0.1 rule 1.3.2)
2. Add "ROLE=unconfined_r" to a user specification
3. Run any allowed command with sudo as that user

Actual results:
[vagrant@rhel7 ~]$ sudo -i
-bash: cannot set terminal process group (-1): Inappropriate ioctl for device
                                                                             -bash: no job control in this shell
                                [root@rhel7 ~]# 


Expected results:
[vagrant@rhel7 ~]$ sudo -i
[root@rhel7 ~]# 

Additional info:
This bug was fixed upstream in https://github.com/sudo-project/sudo/commit/112dff276aaf1f88b4931e290b5b62645f837815.
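The reproduction above is a sudoers configuration, so the check a practitioner wants is one that finds the two ingredients in a sudoers file before an affected host is patched. The following POSIX shell script is an added example, not part of the bug report or of the sudo project: it flags a `Defaults` line that enables `use_pty` (a plain `!use_pty` is not counted) combined with any user specification that carries `ROLE=`. The two sudoers fragments it writes are constructed for illustration; the version named in its message is the Fixed In Version from this report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the sudo project: scan a
# sudoers file for the combination this bug needs, i.e. a "Defaults" line
# that enables use_pty together with a user specification carrying "ROLE=".
# The sample fragments below are constructed for illustration.

# Exit 0 if some Defaults line turns on use_pty (not "!use_pty"), else 1.
# Accepts "Defaults use_pty", "Defaults use_pty,log_output" and the
# per-user/host/command forms ("Defaults:vagrant use_pty", "Defaults@host ...").
has_use_pty() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]use_pty([[:space:],]|$)' "$1"
}

# Print "lineno:text" for every user specification that carries ROLE=.
# Comments, blank lines, Defaults and *_Alias lines are not user specs.
role_specs() {
    grep -En '^[[:space:]]*[^#[:space:]]' "$1" \
      | grep -Ev '^[0-9]+:[[:space:]]*(Defaults|(User|Runas|Host|Cmnd)_Alias)([[:space:]:@>!]|$)' \
      | grep -E '[[:space:]]ROLE=[^[:space:]]+'
}

# Exit 0 when the file is clear of the combination, 2 when both parts are
# present (the ROLE= lines are printed so they can be reviewed), 1 on error.
check_sudoers() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    if ! has_use_pty "$f"; then
        echo "$f: use_pty not enabled; not affected by this bug"
        return 0
    fi
    hits=$(role_specs "$f" || :)
    if [ -z "$hits" ]; then
        echo "$f: use_pty enabled, no ROLE= in user specifications; OK"
        return 0
    fi
    echo "$f: Defaults use_pty combined with ROLE= (breaks the terminal on sudo older than 1.8.23-10.el7_9.2):"
    printf '%s\n' "$hits" | sed 's/^/  /'
    return 2
}

# Constructed sample: the layout from the report (affected).
write_sample_affected() {
    cat > "$1" <<'EOF'
# constructed sudoers fragment for the example
Defaults    !visiblepw
Defaults    use_pty
Defaults    env_reset
root           ALL=(ALL)       ALL
vagrant        ALL=(ALL)       ROLE=unconfined_r NOPASSWD: ALL
EOF
}

# Constructed sample: use_pty on, but no SELinux ROLE in any user spec (clean).
write_sample_clean() {
    cat > "$1" <<'EOF'
Defaults    use_pty,log_output
Cmnd_Alias  SERVICES = /usr/bin/systemctl
%wheel         ALL=(ALL)       ALL
vagrant        ALL=(ALL)       NOPASSWD: ALL
EOF
}

# Usage: ./check_use_pty_role.sh [/etc/sudoers /etc/sudoers.d/* ...]
# With no argument it runs against the constructed samples instead.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do check_sudoers "$f" || rc=$?; done
    exit "$rc"
fi
tmp=$(mktemp)
write_sample_affected "$tmp"; check_sudoers "$tmp" || :
write_sample_clean "$tmp";    check_sudoers "$tmp" || :
rm -f "$tmp"
```

The script inspects only the files it is given, so on a host that uses `#includedir /etc/sudoers.d` pass the drop-in files as well as `/etc/sudoers`; `Defaults use_pty` in one file and the `ROLE=` line in another still trigger the bug. A hit is a reason to install the fixed package, not to drop `use_pty`, since the benchmark rule cited in the report requires it.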

Comment 28 errata-xmlrpc 2021-10-12 15:31:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sudo bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3806