Bug 2013749
| Summary: | sudo cannot execute systemctl command properly | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.4 | CC: | lvrabec, mmalik, ssekidde |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.6 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-86.el8 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-10 15:15:37 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1778780 | ||
| Deadline: | 2022-01-11 | ||
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/976 To backport:
commit 8879c209b0916931aab95d733fc7f4b52b99258b (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Wed Dec 22 13:06:33 2021 +0100
Allow sysadm execute sysadmctl in sysadm_t domain using sudo
When an unprivileged user in the sysadm_r role executes systemctl
through sudo, it transitions into sysadm_sudo_t domain by default.
With this commit, the process transitions back to sysadm_t.
The systemd_domtrans_systemctl() interface was added.
Resolves: rhbz#2013749
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1995 |
Description of problem: Confined sysadm_u users trying to executing systemctl commands get a weird error: ~~~ $ sudo systemctl restart rsyslog System has not been booted with systemd as init system (PID 1). Can't operate. Failed to connect to bus: Host is down ~~~ The root cause is (again) having systemctl command execute in "sudo" context "sysadm_sudo_t" instead of "sysadm_t". The policy has the rule to allow the execution, but the Transition rule is missing: ~~~ # sesearch -A -s sysadm_sudo_t -t systemd_systemctl_exec_t -c file -p execute allow sudodomain exec_type:file { execute execute_no_trans getattr ioctl lock map open read }; # sesearch -T -s sysadm_sudo_t -t systemd_systemctl_exec_t --> nothing ~~~ Again, fixing BZ #1910077 is the proper way, but this bug doesn't get traction at all. Version-Release number of selected component (if applicable): selinux-policy-3.14.3-67.el8_4.2.noarch How reproducible: Always Steps to Reproduce: 1. sudo from sysadm_t user $ sudo systemctl restart rsyslog System has not been booted with systemd as init system (PID 1). Can't operate. Failed to connect to bus: Host is down 2. Check the AVCs # ausearch -m avc -ts boot ---- time->Wed Oct 13 16:14:00 2021 type=PROCTITLE msg=audit(1634134440.358:175): proctitle=73797374656D63746C007265737461727400727379736C6F67 type=SYSCALL msg=audit(1634134440.358:175): arch=c000003e syscall=262 success=no exit=-13 a0=ffffff9c a1=7fe283389b21 a2=7ffcadad02a0 a3=0 items=0 ppid=1836 pid=1838 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="systemctl" exe="/usr/bin/systemctl" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1634134440.358:175): avc: denied { search } for pid=1838 comm="systemctl" name="1" dev="proc" ino=11685 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 ---- Additional info: The AVC is due to running in inappropriate context "sysadm_sudo_t".