Bug 2053457

Summary: sysadm_passwd_t requires to execute sss_cache
Product: Red Hat Enterprise Linux 8
Reporter: Zdenek Pytela <zpytela>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 8.5
CC: dwalsh, extras-qa, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, ssekidde, vmojzis, zpytela
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 8.6
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-93.el8
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2049018
Environment:
Last Closed: 2022-05-10 15:15:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2049018, 2053458
Bug Blocks: 1778780

Description Zdenek Pytela 2022-02-11 11:33:33 UTC
+++ This bug was initially created as a clone of Bug #2049018 +++

Description of problem:
After applying the fix for bz#2022690, vipw starts to require executing /usr/sbin/sss_cache

Version-Release number of selected component (if applicable):
selinux-policy-35.12-1.20220131_142255.f469c48.fc36.noarch
sssd-common-2.6.2-2.fc36.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use a confined sysadmin to run vipw

Actual results:

----
type=PROCTITLE msg=audit(02/01/2022 05:20:45.848:1328) : proctitle=vipw -s
type=PATH msg=audit(02/01/2022 05:20:45.848:1328) : item=0 name=/usr/sbin/sss_cache inode=150667 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/01/2022 05:20:45.848:1328) : cwd=/root
type=SYSCALL msg=audit(02/01/2022 05:20:45.848:1328) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55d0c02258f3 a1=0x7fff6d6b0970 a2=0x7fff6d6b0968 a3=0x7f7d3e76c088 items=1 ppid=5683 pid=5688 auid=staff uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=5 comm=vipw exe=/usr/sbin/vipw subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/01/2022 05:20:45.848:1328) : avc:  denied  { execute } for  pid=5688 comm=vipw name=sss_cache dev="vda1" ino=150667 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
[root@ci-vm-10-0-138-143 ~]#

Expected results:


Additional info:

--- Additional comment from Patrik Koncity on 2022-02-03 15:36:56 CET ---

After using 

$ sudo -r sysadm_r vipw 
or
$ sudo -r sysadm_r vipw -s

for the sysadm user, I see only these AVCs.

time->Thu Feb  3 09:34:06 2022
type=AVC msg=audit(1643898846.007:779): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:06 2022
type=AVC msg=audit(1643898846.010:780): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:07 2022
type=AVC msg=audit(1643898847.857:781): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:12 2022
type=AVC msg=audit(1643898852.660:789): avc:  denied  { read } for  pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:12 2022
type=AVC msg=audit(1643898852.661:790): avc:  denied  { read } for  pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:17 2022
type=AVC msg=audit(1643898857.352:791): avc:  denied  { read } for  pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0


I didn't find any AVCs related to sss_cache.

--- Additional comment from Zdenek Pytela on 2022-02-03 15:50:31 CET ---

This is my VM, a clean installation without any modifications except creating a staff user:

f35# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
vipw: cannot execute /usr/sbin/sss_cache: Permission denied
f35# id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
f35# ls -lZ /usr/sbin/sss_cache
-rwxr-xr-x. 1 root root system_u:object_r:sssd_exec_t:s0 36656 Jan 25 07:03 /usr/sbin/sss_cache
 
----
type=PROCTITLE msg=audit(02/03/2022 09:48:44.206:981) : proctitle=vim /etc/passwd.edit 
type=PATH msg=audit(02/03/2022 09:48:44.206:981) : item=0 name=/root/.viminfo inode=99352 dev=00:1f mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/03/2022 09:48:44.206:981) : cwd=/root 
type=SYSCALL msg=audit(02/03/2022 09:48:44.206:981) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55626a7564d0 a2=O_RDONLY a3=0x0 items=1 ppid=59440 pid=59441 auid=unknown(1001) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=6 comm=vim exe=/usr/bin/vim subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/03/2022 09:48:44.206:981) : avc:  denied  { read } for  pid=59441 comm=vim name=.viminfo dev="sda2" ino=99352 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(02/03/2022 09:48:44.207:982) : avc:  denied  { read } for  pid=59418 comm=auditd name=passwd dev="sda2" ino=99367 scontext=system_u:system_r:auditd_t:s0 tcontext=staff_u:object_r:shadow_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/03/2022 09:48:44.211:983) : proctitle=vipw
type=PATH msg=audit(02/03/2022 09:48:44.211:983) : item=0 name=/usr/sbin/sss_cache inode=28430 dev=00:1f mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/03/2022 09:48:44.211:983) : cwd=/root
type=SYSCALL msg=audit(02/03/2022 09:48:44.211:983) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x559e63f658f3 a1=0x7ffe55a68750 a2=0x7ffe55a68748 a3=0x7fa19a0e7008 items=1 ppid=59439 pid=59452 auid=unknown(1001) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=6 comm=vipw exe=/usr/sbin/vipw subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/03/2022 09:48:44.211:983) : avc:  denied  { execute } for  pid=59452 comm=vipw name=sss_cache dev="sda2" ino=28430 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
----

--- Additional comment from Patrik Koncity on 2022-02-03 17:20:42 CET ---

When I set permissive mode and modify files with the vipw utility, it also prints new AVCs:

----
time->Thu Feb  3 11:15:47 2022
type=AVC msg=audit(1643904947.716:694): avc:  denied  { read } for  pid=1133 comm="vim" name=".viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:47 2022
type=AVC msg=audit(1643904947.717:695): avc:  denied  { open } for  pid=1133 comm="vim" path="/root/.viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.419:696): avc:  denied  { create } for  pid=1133 comm="vim" name=".viminfo.tmp" scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.420:697): avc:  denied  { write } for  pid=1133 comm="vim" path="/root/.viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.421:698): avc:  denied  { unlink } for  pid=1133 comm="vim" name=".viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.422:699): avc:  denied  { rename } for  pid=1133 comm="vim" name=".viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1

--- Additional comment from Ben Cotton on 2022-02-08 21:17:17 CET ---

This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

--- Additional comment from Patrik Koncity on 2022-02-09 16:55:10 CET ---

PR: https://github.com/fedora-selinux/selinux-policy/pull/1046
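
As an added example, not part of this bug report or of the selinux-policy project, the script below parses AVC records in both layouts that appear above (the interpreted `ausearch -i` form with a human-readable timestamp and the raw form with an epoch timestamp), tallies denials by source type, target type, class and permission, and picks out the enforcing-mode execute denial on sssd_exec_t that this bug is about, separating it from the .viminfo denials on admin_home_t that the comments show alongside it. The sample records are constructed copies of the report's lines, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample input: AVC records copied from this bug in the two
# layouts that appear in it (`ausearch -i` interpreted form and raw
# `ausearch` form), plus one non-AVC record the parser must skip.
# Embedded so the script runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(02/01/2022 05:20:45.848:1328) : avc:  denied  { execute } for  pid=5688 comm=vipw name=sss_cache dev="vda1" ino=150667 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643898846.007:779): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643904952.420:697): avc:  denied  { write } for  pid=1133 comm="vim" path="/root/.viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1643898846.007:779): arch=c000003e syscall=257 success=no exit=-13 comm="vim" exe="/usr/bin/vim"
"""

# Matches both "msg=audit(...) : avc:" (interpreted) and "msg=audit(...): avc:" (raw).
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r"\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (raw form) or bare (interpreted form).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(m.group("perms").split()),
        "comm": fields.get("comm"),
        # interpreted form reports name=, raw form may report path= instead
        "target": fields.get("name") or fields.get("path"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(lines):
    """Count denials (including permissive-mode ones, which show what *would*
    be blocked) keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(context_type(rec["scontext"]), context_type(rec["tcontext"]),
                    rec["tclass"], perm)] += 1
    return counts


def blocked_execs(lines, source_type="sysadm_passwd_t"):
    """Return (comm, target type, target name) for every enforcing-mode execute
    denial from source_type: the signature of vipw failing to run sss_cache."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied" and not rec["permissive"]
                and "execute" in rec["perms"] and rec["tclass"] == "file"
                and context_type(rec["scontext"]) == source_type):
            hits.append((rec["comm"], context_type(rec["tcontext"]), rec["target"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} {key[2]}:{key[3]}")
    print("blocked execs:", blocked_execs(lines))
```

In practice the input would be the output of `ausearch -m AVC -ts recent` (or `ausearch -m AVC -i`) on the affected host. The summary makes it easy to see that the .viminfo denials are a separate issue from the execute denial that keeps vipw from running sss_cache; the latter is the one a policy change has to cover, which is what the pull request linked above does rather than a host-local audit2allow module.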

Comment 2 Zdenek Pytela 2022-02-17 09:38:07 UTC
To backport:
commit 9eec9eea6b6b74d8835928c32467f6edd749ff0e
Author: Patrik Koncity <pkoncity>
Date:   Fri Feb 4 12:04:16 2022 +0100

    Allow confined sysadmin to use tool vipw

Comment 16 errata-xmlrpc 2022-05-10 15:15:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995