Bug 2049018
| Field | Value |
|---|---|
| Summary | sysadm_passwd_t requires to execute sss_cache |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | 36 |
| Reporter | Zdenek Pytela <zpytela> |
| Assignee | Patrik Koncity <pkoncity> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Keywords | Triaged |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clones | 2053457 2053458 (view as bug list) |
| Last Closed | 2022-02-14 11:23:04 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 1767779, 2053457, 2053458 |
Description by Zdenek Pytela, 2022-02-01 10:44:22 UTC:
After using `$ sudo -r sysadm_r vipw` or `$ sudo -r sysadm_r vipw -s` as the sysadm user, I see only these AVCs:

```
time->Thu Feb 3 09:34:06 2022
type=AVC msg=audit(1643898846.007:779): avc: denied { read } for pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb 3 09:34:06 2022
type=AVC msg=audit(1643898846.010:780): avc: denied { read } for pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb 3 09:34:07 2022
type=AVC msg=audit(1643898847.857:781): avc: denied { read } for pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb 3 09:34:12 2022
type=AVC msg=audit(1643898852.660:789): avc: denied { read } for pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb 3 09:34:12 2022
type=AVC msg=audit(1643898852.661:790): avc: denied { read } for pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb 3 09:34:17 2022
type=AVC msg=audit(1643898857.352:791): avc: denied { read } for pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
```

I didn't find any AVCs related to sss_cache. This is my VM, a clean installation without any modifications except creating a staff user:

```
f35# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
vipw: cannot execute /usr/sbin/sss_cache: Permission denied
f35# id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
f35# ls -lZ /usr/sbin/sss_cache
-rwxr-xr-x. 1 root root system_u:object_r:sssd_exec_t:s0 36656 Jan 25 07:03 /usr/sbin/sss_cache
```

```
----
type=PROCTITLE msg=audit(02/03/2022 09:48:44.206:981) : proctitle=vim /etc/passwd.edit
type=PATH msg=audit(02/03/2022 09:48:44.206:981) : item=0 name=/root/.viminfo inode=99352 dev=00:1f mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/03/2022 09:48:44.206:981) : cwd=/root
type=SYSCALL msg=audit(02/03/2022 09:48:44.206:981) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55626a7564d0 a2=O_RDONLY a3=0x0 items=1 ppid=59440 pid=59441 auid=unknown(1001) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=6 comm=vim exe=/usr/bin/vim subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/03/2022 09:48:44.206:981) : avc: denied { read } for pid=59441 comm=vim name=.viminfo dev="sda2" ino=99352 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(02/03/2022 09:48:44.207:982) : avc: denied { read } for pid=59418 comm=auditd name=passwd dev="sda2" ino=99367 scontext=system_u:system_r:auditd_t:s0 tcontext=staff_u:object_r:shadow_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/03/2022 09:48:44.211:983) : proctitle=vipw
type=PATH msg=audit(02/03/2022 09:48:44.211:983) : item=0 name=/usr/sbin/sss_cache inode=28430 dev=00:1f mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/03/2022 09:48:44.211:983) : cwd=/root
type=SYSCALL msg=audit(02/03/2022 09:48:44.211:983) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x559e63f658f3 a1=0x7ffe55a68750 a2=0x7ffe55a68748 a3=0x7fa19a0e7008 items=1 ppid=59439 pid=59452 auid=unknown(1001) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=6 comm=vipw exe=/usr/sbin/vipw subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/03/2022 09:48:44.211:983) : avc: denied { execute } for pid=59452 comm=vipw name=sss_cache dev="sda2" ino=28430 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
----
```

When I set permissive mode and modify files with the vipw utility, new AVCs are printed as well:

```
----
time->Thu Feb 3 11:15:47 2022
type=AVC msg=audit(1643904947.716:694): avc: denied { read } for pid=1133 comm="vim" name=".viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb 3 11:15:47 2022
type=AVC msg=audit(1643904947.717:695): avc: denied { open } for pid=1133 comm="vim" path="/root/.viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb 3 11:15:52 2022
type=AVC msg=audit(1643904952.419:696): avc: denied { create } for pid=1133 comm="vim" name=".viminfo.tmp" scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb 3 11:15:52 2022
type=AVC msg=audit(1643904952.420:697): avc: denied { write } for pid=1133 comm="vim" path="/root/.viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb 3 11:15:52 2022
type=AVC msg=audit(1643904952.421:698): avc: denied { unlink } for pid=1133 comm="vim" name=".viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb 3 11:15:52 2022
type=AVC msg=audit(1643904952.422:699): avc: denied { rename } for pid=1133 comm="vim" name=".viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
```

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle. Changing version to 36.
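As an added example (not code from the report or from the selinux-policy project), the script below parses AVC records like the ones above in both raw audit.log and `ausearch -i` form, groups them by source type, target type and object class, counts enforced versus permissive hits, and renders the candidate allow rule for each group, which separates the vipw denial on sssd_exec_t from the vim noise on admin_home_t. The sample records are copied from this report; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records taken from the report above, mixing the raw
# audit.log form (comm="vim") and the ausearch -i form (comm=vipw).
SAMPLE_AVCS = """\
type=AVC msg=audit(1643898846.007:779): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/03/2022 09:48:44.207:982) : avc: denied { read } for pid=59418 comm=auditd name=passwd dev="sda2" ino=99367 scontext=system_u:system_r:auditd_t:s0 tcontext=staff_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/03/2022 09:48:44.211:983) : avc: denied { execute } for pid=59452 comm=vipw name=sss_cache dev="sda2" ino=28430 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643904952.420:697): avc:  denied  { write } for  pid=1133 comm="vim" path="/root/.viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1643904952.422:699): avc:  denied  { rename } for  pid=1133 comm="vim" name=".viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="?(?P<comm>[^"\s]+)"?.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<perm>[01])')

def type_of(ctx):
    """user:role:type[:range] -> type (the part allow rules are written against)."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Return the fields a policy writer needs from one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {'perms': m['perms'].split(), 'comm': m['comm'],
            'stype': type_of(m['scon']), 'ttype': type_of(m['tcon']),
            'tclass': m['tclass'], 'enforced': m['perm'] == '0'}

def summarize(lines):
    """Group denials by (source type, target type, class); count how many were
    actually blocked (permissive=0) versus only logged (permissive=1)."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set(), 'enforced': 0, 'permissive': 0})
    for rec in filter(None, map(parse_avc, lines)):
        g = groups[(rec['stype'], rec['ttype'], rec['tclass'])]
        g['perms'].update(rec['perms'])
        g['comms'].add(rec['comm'])
        g['enforced' if rec['enforced'] else 'permissive'] += 1
    return dict(groups)

def allow_rules(summary):
    """Render each group as the raw allow rule it implies. A real policy fix uses the
    owning module's interface (here the sssd module's) rather than a bare allow."""
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
                  for (s, t, c), g in summary.items())

if __name__ == '__main__':
    for rule in allow_rules(summarize(SAMPLE_AVCS.splitlines())):
        print(rule)
```

Feed it `ausearch -m AVC -ts recent` output on a live system to get the same grouping for real denials.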