Bug 2045905

Summary: AVC for sss_cache while dnf transaction / rpm scriptlet with groupadd
Product: Red Hat Enterprise Linux 8
Reporter: Leon Fauster <leonfauster>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: CentOS Stream
CC: bstinson, grajaiya, jhrozek, jwboyer, lslebodn, lvrabec, mmalik, mzidek, pbrezina, sbose, ssekidde, tscherf
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-01-26 08:07:42 UTC
Type: Bug

Description Leon Fauster 2022-01-25 22:29:26 UTC
AVC for sss_cache while dnf transaction / rpm scriptlet with groupadd


Description of problem:

# ausearch -m avc

time->Tue Jan 25 22:34:10 2022
type=PROCTITLE msg=audit(1643146450.895:2775): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1643146450.895:2775): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=18581 pid=18584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1643146450.895:2775): avc:  denied  { setgid } for  pid=18584 comm="sss_cache" capability=6  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
Version-Release number of selected component (if applicable):

# rpm -qf /usr/sbin/sss_cache
sssd-common-2.6.1-2.el8.x86_64
How reproducible:

Install a package with a groupadd scriptlet, like:

# rpm -q --scripts mariadb-server|head -5
preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 27 -o -r mysql >/dev/null 2>&1 || :
/usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /sbin/nologin \
  -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :


#   authselect current
Profile ID: sssd
Enabled features:
- without-nullok

#   authselect check
Current configuration is valid.
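The three audit records quoted in this report can be triaged mechanically. The following helper is an added example, not part of the bug report or of the sssd/selinux-policy projects: it groups the records by audit event id, decodes the hex-encoded PROCTITLE into argv, and reports the SELinux domain, the denied permission and the capability number (mapped through a subset of the Linux capability numbering from capability.h) for every denial. The audit text embedded below is a constructed copy of the records shown above.

```python
import re

# Constructed copy of the three records of audit event 2775 from this report.
AUDIT_RECORDS = """\
type=PROCTITLE msg=audit(1643146450.895:2775): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1643146450.895:2775): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=18581 pid=18584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=24 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1643146450.895:2775): avc:  denied  { setgid } for  pid=18584 comm="sss_cache" capability=6  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

# Subset of the Linux capability numbering (linux/capability.h); 6 is CAP_SETGID.
CAPABILITIES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
                3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL",
                6: "CAP_SETGID", 7: "CAP_SETUID"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')

def parse_record(line):
    """Split one audit record into key=value fields plus the AVC decision."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    m = AVC_RE.search(line)
    if m:
        fields["decision"] = m.group(1)
        fields["permissions"] = m.group(2).split()
    return fields

def decode_proctitle(hexstr):
    """PROCTITLE is argv hex-encoded with NUL separators; return the argv list."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")

def triage(records):
    """Group records by event id and summarise each AVC denial."""
    by_event = {}
    for line in records.splitlines():
        if line.strip():
            event_id = EVENT_RE.search(line).group(2)
            rec = parse_record(line)
            by_event.setdefault(event_id, {})[rec["type"]] = rec
    findings = []
    for event_id, recs in by_event.items():
        avc = recs.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        cap = avc.get("capability")  # only present for tclass=capability
        title = recs.get("PROCTITLE", {}).get("proctitle")
        findings.append({
            "event": event_id,
            "argv": decode_proctitle(title) if title else [],
            "domain": avc["scontext"].split(":")[2],   # type field of the context
            "permissions": avc["permissions"],
            "capability": CAPABILITIES.get(int(cap), f"CAP#{cap}") if cap else None,
            "enforcing": avc.get("permissive") == "0",
        })
    return findings
```

For the record above, triage() reports argv ["sss_cache", "-UG"] in domain groupadd_t denied setgid (CAP_SETGID) with the policy enforcing.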

Comment 1 Sumit Bose 2022-01-26 06:28:19 UTC
Hi,

this looks like a duplicate of Fedora ticket https://bugzilla.redhat.com/show_bug.cgi?id=2022690. Since this ticket is for RHEL-8 I won't close it as a duplicate but will move it to the selinux-policy component.

bye,
Sumit

Comment 2 Zdenek Pytela 2022-01-26 08:07:42 UTC
Sumit, note 3 bugzillas (Fedora, RHEL 8, RHEL 9) are linked together using internal links.

*** This bug has been marked as a duplicate of bug 2030156 ***