Bug 2039662

Summary: Confined sysadm users cannot execute "service xxx status" command
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED MIGRATED QA Contact: Amith <apeetham>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.5CC: lvrabec, mmalik
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: 8.9   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-116.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-01 13:00:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1778780    

Description Renaud Métrich 2022-01-12 08:01:01 UTC 
This bug was initially created as a copy of Bug #2039658

I am copying this bug because: 

Also applies to RHEL8

Description of problem:

Confined users mapped to sysadm_u SELinux user cannot execute "service xxx status" or "service xxx restart" commands, as shown in the examples below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[sysadm@vm-confined8 ~]$ service foo status
env: /etc/init.d/foo: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause is missing rules to allow the transition to initrc_t to happen when "service" internally executes /etc/rc.d/init.d/xxx script.
Note: on RHEL7 (BZ #2039658) adding a rule was sufficient to make this work (see the "Additional info" in the BZ), but it doesn't seem the case on RHEL8. 


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8_5.2.noarch


How reproducible:

Always

Steps to Reproduce:
1. Map a user to sysadm_u

2. Create a SysV initscript /etc/rc.d/init.d/foo

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
#
# foo: FOO SysV initscript
#
# chkconfig: 345 97 03

case "$1" in
start)
	echo "START called"
	;;
stop)
	echo "STOP called"
	;;
restart)
	echo "RESTART called"
	;;
status)
	echo "STATUS called"
	;;
reload)
	echo "RELOAD called"
	;;
*)
	exit 2
esac
exit 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Make it executable and a proper SysV initscript

# chmod +x /etc/rc.d/init.d/foo
# restorecon -Fv /etc/rc.d/init.d/foo

4. Try executing "service foo status" command

Actual results:

No AVC, but Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
env: ‘/etc/init.d/foo’: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Expected results:

Proper execution


Additional info:

SysV initscripts are still supposed to work fine on RHEL8, per /etc/rc.d/init.d/README note.

Note that "service xxx status" can be different than "systemctl status xxx" for SysV initscripts: it's SysV initscript implementation dependent, e.g. "service network status" output is different than "systemctl status network".
Hence using "systemctl status xxx" cannot be considered as a workaround.
Comment 1 Milos Malik 2022-01-20 12:45:56 UTC 
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(01/20/2022 07:43:25.363:384) : proctitle=env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin TERM=xterm-256color SYSTEMCTL_IGNORE_DEPENDENCIES= SYSTEMCTL_SKIP_REDIRECT= /etc/init. 
type=PATH msg=audit(01/20/2022 07:43:25.363:384) : item=0 name=/etc/init.d/foo inode=2346349 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/20/2022 07:43:25.363:384) : cwd=/ 
type=SYSCALL msg=audit(01/20/2022 07:43:25.363:384) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd7cce359b a1=0x7ffd7cce1a28 a2=0x56368373db60 a3=0x0 items=1 ppid=5461 pid=5468 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=env exe=/usr/bin/env subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(01/20/2022 07:43:25.363:384) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process 
----

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.913:387) : proctitle=/bin/sh /etc/init.d/foo status 
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=10111 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=1 name=/bin/sh inode=6292896 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=0 name=/etc/init.d/foo inode=2346349 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/20/2022 07:44:15.913:387) : cwd=/ 
type=EXECVE msg=audit(01/20/2022 07:44:15.913:387) : argc=3 a0=/bin/sh a1=/etc/init.d/foo a2=status 
type=SYSCALL msg=audit(01/20/2022 07:44:15.913:387) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc115c659b a1=0x7ffc115c5dd8 a2=0x5653a985eb60 a3=0x0 items=3 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/20/2022 07:44:15.913:387) : avc:  denied  { entrypoint } for  pid=5482 comm=env path=/etc/rc.d/init.d/foo dev="vda1" ino=2346349 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=1 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.913:387) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process 
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.916:388) : proctitle=/bin/sh /etc/init.d/foo status 
type=SYSCALL msg=audit(01/20/2022 07:44:15.916:388) : arch=x86_64 syscall=socket success=yes exit=3 a0=local a1=SOCK_STREAM a2=ip a3=0x6 items=0 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.917:389) : proctitle=/bin/sh /etc/init.d/foo status 
type=SYSCALL msg=audit(01/20/2022 07:44:15.917:389) : arch=x86_64 syscall=socket success=yes exit=3 a0=local a1=SOCK_STREAM a2=ip a3=0x6 items=0 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.917:389) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.917:389) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----

# rpm -qa selinux\* initscripts\* | sort
initscripts-10.00.15-1.el8.x86_64
selinux-policy-3.14.3-86.el8.noarch
selinux-policy-targeted-3.14.3-86.el8.noarch
#
Comment 2 Zdenek Pytela 2022-02-16 18:59:47 UTC 
No substantial progress has been made in resolving this bz in time for RHEL 8.6, so it will be evaluated for inclusion into the next minor product update.
If you still want to pursue this issue further, please attach information regarding severity of the bugzilla.
Comment 3 Zdenek Pytela 2022-05-04 06:44:20 UTC 
Commit to backport:
commit 5c0cd593245fb0c20f73213406abd1d0352f8c0a (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue May 3 20:12:22 2022 +0200

    Allow sysadm user execute init scripts with a transition
Comment 23 RHEL Program Management 2023-09-01 12:58:10 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 24 RHEL Program Management 2023-09-01 13:00:39 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.

Users watching this BZ may not be automatically added to the Jira ticket.  Be sure to add yourself to the Watchers field in the Jira issue if you desire to continue following this issue.