Bug 2039658

Summary: Confined sysadm users cannot execute "service xxx status" command
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: low
Version: 7.9
CC: lvrabec, mmalik, ssekidde, vmojzis
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-07-08 15:54:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renaud Métrich 2022-01-12 07:47:10 UTC
Description of problem:

Confined users mapped to sysadm_u SELinux user cannot execute "service xxx status" or "service xxx restart" commands, as shown in the examples below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[sysadm@vm-confined79 ~]$ service network status
env: /etc/init.d/network: Permission denied
[sysadm@vm-confined79 ~]$ service rhnsd status
env: /etc/init.d/rhnsd: Permission denied
[sysadm@vm-confined79 ~]$ service rhnsd restart
env: /etc/init.d/rhnsd: Permission denied
[sysadm@vm-confined79 ~]$ service network restart
env: /etc/init.d/network: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause is missing rules to allow the transition to initrc_t to happen when "service" internally executes the /etc/rc.d/init.d/xxx script.


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-268.el7_9.2.noarch


How reproducible:

Always

Steps to Reproduce:
1. Map a user to sysadm_u
2. Try executing "service xxx status" commands (see description above)

Actual results:

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=AVC msg=audit(1641968146.839:743): avc:  denied  { entrypoint } for  pid=5391 comm="env" path="/etc/rc.d/init.d/network" dev="dm-0" ino=17429529 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Expected results:

No AVC and proper execution


Additional info:

Note that "service xxx status" can be different from "systemctl status xxx" for SysV initscripts: it is SysV initscript implementation dependent, e.g. the "service network status" output is different from that of "systemctl status network".
Hence using "systemctl status xxx" cannot be considered a workaround.

The solution seems to be to allow the transition by adding the rule below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
init_all_labeled_script_domtrans(sysadm_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Please CONFIRM this is safe and the proper way to allow execution.

Comment 3 Zdenek Pytela 2022-07-08 15:54:37 UTC
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. RHEL 7.9 was the last scheduled minor release.
During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase

This BZ is being closed WONTFIX. Please re-open this request if it is critical for the customer and provide a thorough business justification.

As a workaround, the local policy module from comment#0 can be used.

Using this interface:
the sysadm_t type will be allowed to transition to initrc_t on execution of any init_script_file_type script, if neither mls nor nnp/nosuid support is required.
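The local policy module suggested in the description and referred to in comment 3, written out as an added example (this is not code from the report or from selinux-policy). It first checks that an AVC line matches the sysadm_t -> initrc_exec_t entrypoint denial shown above, then generates a .te file calling init_all_labeled_script_domtrans(sysadm_t); the module name "sysadm_initrc_local" is a hypothetical choice, and the build step assumes selinux-policy-devel provides /usr/share/selinux/devel/Makefile.

```shell
#!/bin/sh
# Added example, not part of the bug report.
MODULE_NAME="sysadm_initrc_local"   # hypothetical module name

# Return 0 if the AVC line is the sysadm_t -> initrc_exec_t
# "entrypoint" denial described in the report, 1 otherwise.
is_sysadm_initrc_entrypoint_denial() {
    printf '%s\n' "$1" | grep -q 'avc:  denied  { entrypoint }' || return 1
    printf '%s\n' "$1" | grep -q 'scontext=[^ ]*:sysadm_t:' || return 1
    printf '%s\n' "$1" | grep -q 'tcontext=[^ ]*:initrc_exec_t:' || return 1
    return 0
}

# Print the .te source of the local module (refpolicy/m4 syntax).
generate_te() {
    cat <<EOF
policy_module(${MODULE_NAME}, 1.0)

gen_require(\`
    type sysadm_t;
')

# Let sysadm_t transition to initrc_t when executing any
# init_script_file_type script (the interface named in the report).
init_all_labeled_script_domtrans(sysadm_t)
EOF
}

# Build the .pp with the selinux-policy-devel Makefile and install it.
# Assumes selinux-policy-devel and policycoreutils are installed.
build_and_install() {
    workdir=$(mktemp -d) || return 1
    generate_te > "${workdir}/${MODULE_NAME}.te"
    ( cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "${MODULE_NAME}.pp" ) || return 1
    semodule -i "${workdir}/${MODULE_NAME}.pp"
}

# The AVC line from the report, embedded as sample input.
SAMPLE_AVC='type=AVC msg=audit(1641968146.839:743): avc:  denied  { entrypoint } for  pid=5391 comm="env" path="/etc/rc.d/init.d/network" dev="dm-0" ino=17429529 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=0'

if is_sysadm_initrc_entrypoint_denial "$SAMPLE_AVC"; then
    echo "AVC matches the sysadm_t -> initrc_exec_t entrypoint denial; module source:"
    generate_te
fi
```

Run `build_and_install` as root on the affected host to compile and load the module; `semodule -r sysadm_initrc_local` removes it again.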