Bug 2030156

Summary: SELinux denials { setgid } are triggered by sss_cache
Product: Red Hat Enterprise Linux 8
Reporter: Frank Liang <xiliang>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.6
CC: leonfauster, linl, lvrabec, mmalik, myusuf, ssekidde, vkuznets, ymao
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-90.el8
Doc Type: No Doc Update
Last Closed: 2022-05-10 15:15:45 UTC
Type: Bug

Description Frank Liang 2021-12-08 06:10:16 UTC
Description of problem:
Found the below denial in RHEL-8.6.0-20211206.1 testing.

----
time->Sun Dec  5 06:45:40 2021
type=PROCTITLE msg=audit(1638686740.224:517): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1638686740.224:517): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=40377 pid=40383 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1638686740.224:517): avc:  denied  { setgid } for  pid=40383 comm="sss_cache" capability=6  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0

RHEL Version:
RHEL-8.6(4.18.0-353.el8.x86_64)

How reproducible:
100%

Steps to Reproduce:
1.  Found in our regular nightly compose testing.

Actual results:
Found such errors sometimes

Expected results:
No such error

Additional info:
- There is a similar bz in Fedora: bz#2022690
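An added triage helper, not code from the bug report or from the selinux-policy project: it parses the three audit records quoted in the description, decodes the hex proctitle, names the denied capability, notes the enforcing/success flags, and flags the pattern this bug is about (useradd_t or groupadd_t executing /usr/sbin/sss_cache and being denied setgid). The capability-number table is from linux/capability.h; the sample text is constructed from the records above.

```python
import re

# Constructed input: the three audit records from this bug's description, copied verbatim.
AUDIT_SAMPLE = """\
type=PROCTITLE msg=audit(1638686740.224:517): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1638686740.224:517): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=40377 pid=40383 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1638686740.224:517): avc:  denied  { setgid } for  pid=40383 comm="sss_cache" capability=6  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""
# Capability numbers from linux/capability.h; 6 is the one in this report.
CAP_NAMES = {5: "CAP_SETUID", 6: "CAP_SETGID", 7: "CAP_SETPCAP"}
RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED_RE = re.compile(r"denied\s+\{ ([^}]+) \}")

def parse_audit(text):
    """Group records sharing one audit(timestamp:serial) id into a single event dict."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, serial, rest = m.groups()
        ev = events.setdefault(serial, {})
        denied = DENIED_RE.search(rest)
        if denied:
            ev["denied"] = denied.group(1).split()
        for key, val in FIELD_RE.findall(rest):
            ev[f"{rtype}.{key}"] = val.strip('"')  # e.g. "SYSCALL.exe", "AVC.scontext"
    return events

def decode_proctitle(hexstr):
    """proctitle is hex-encoded argv with NUL separators; here it yields 'sss_cache -UG'."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\0", " ")

def triage(ev):
    """Summarise a capability AVC and flag the useradd_t/groupadd_t -> sss_cache pattern."""
    domain = ev["AVC.scontext"].split(":")[2]
    cap = CAP_NAMES.get(int(ev.get("AVC.capability", -1)), "?")
    return {
        "cmdline": decode_proctitle(ev["PROCTITLE.proctitle"]),
        "exe": ev["SYSCALL.exe"],
        "domain": domain,
        "capability": cap,
        "enforcing": ev["AVC.permissive"] == "0",
        "syscall_succeeded": ev["SYSCALL.success"] == "yes",
        # The fix for this bug labels sss_cache sssd_exec_t so useradd_t/groupadd_t
        # transition to sssd_t instead of needing setgid in their own domain.
        "matches_bz2030156": domain in ("useradd_t", "groupadd_t")
        and ev["SYSCALL.exe"] == "/usr/sbin/sss_cache"
        and ev["AVC.tclass"] == "capability" and cap == "CAP_SETGID",
    }
```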

Comment 1 Frank Liang 2021-12-08 06:20:04 UTC
This denial first appeared in RHEL-8.6.0-20211204.3 according to our test history.

Comment 2 Milos Malik 2021-12-08 08:27:11 UTC
I saw this SELinux denial a few times. It used to appear when a package that brings a new user or group was being installed. Unfortunately, I'm not able to reproduce it now.

Comment 3 Zdenek Pytela 2021-12-08 10:50:04 UTC
Frank,

Do you happen to know which test command triggers this denial? The command is sss_cache, executed by groupadd.

Comment 4 Frank Liang 2021-12-08 12:41:43 UTC
(In reply to Zdenek Pytela from comment #3)
> Frank,
> 
> Do you happen to know which test command triggers this denial? The command
> is sss_cache, executed by groupadd.

I am still looking for which command triggers this denial. I just reserved a beaker system with RHEL-8.6.0-20211207.2 BaseOS aarch64 selected.
After the installation is done, there are such denials. So I guess it is not triggered by our test.

Comment 5 Zdenek Pytela 2021-12-08 13:38:07 UTC
(In reply to Frank Liang from comment #4)
> I am still looking for which command triggers this denial. I just reserved a
> beaker system with RHEL-8.6.0-20211207.2 BaseOS aarch64 selected.
> After the installation is done, there are such denials. So I guess it is not
> triggered by our test.

Note it actually can be the installation itself (dnf -> groupadd -> sss_cache, see #c2), we just don't currently have a reliable reproducer.

Comment 7 Milos Malik 2021-12-08 15:42:37 UTC
Please notice that the SELinux denial contains "success=yes" even though it was logged in enforcing mode.

Comment 10 Milos Malik 2021-12-08 16:06:32 UTC
For example, the installation of the cyrus-sasl package triggers both SELinux denials (useradd_t and groupadd_t) because sss_cache can be executed by different programs.

Comment 12 Zdenek Pytela 2021-12-22 21:42:47 UTC
I've submitted a Fedora draft PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/979

The purpose still needs to be clarified.

Comment 16 Florence Blanc-Renaud 2022-01-13 11:40:31 UTC
*** Bug 2040256 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2022-01-26 08:07:42 UTC
*** Bug 2045905 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2022-01-26 18:31:14 UTC
To backport:

commit d33ccb64dee2f105b69d6ff5dd0b9d448c5fdbe1 (HEAD -> rawhide, tag: v35.12, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Fri Jan 21 15:35:15 2022 +0100

    Fix badly indented used interfaces

    In the policy there are a few badly indented used
    interfaces in optional blocks. Correction
    of indentation of interface names.

commit bcc321f1719d252b205edf89f82f578c1c309eb0
Author: Patrik Koncity <pkoncity>
Date:   Fri Jan 21 15:27:04 2022 +0100

    Allow domain transition to sssd_t

    When installing some rpm packages, new users or
    groups are added to the system using
    the groupadd and useradd tools. Then the sss_cache
    file with the bin_t label is run and on this file
    groupadd and useradd want to setgid and this
    triggers SELinux denials. Label the sss_cache binary
    as sssd_exec_t and enable the transition from
    groupadd_t and useradd_t to sssd_t. The sssd policy
    already allows setgid on this binary.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690

Comment 19 Zdenek Pytela 2022-02-02 16:58:46 UTC
2 more commits to backport:
25bdcfdf5 Allow domtrans to sssd_t and role access to sssd
d7ef9cf83 Creating interface sssd_run_sssd()

Comment 28 errata-xmlrpc 2022-05-10 15:15:45 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995