Bug 2054657

Summary:	SELinux prevents the chage process from executing the sss_cache program
Product:	Red Hat Enterprise Linux 9	Reporter:	Filip Dvorak <fdvorak>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	9.0	CC:	cjeanner, lvrabec, mmalik, sandyada, ssekidde
Target Milestone:	rc	Keywords:	AutoVerified, Triaged
Target Release:	9.0	Flags:	pm-rhel: mirror+
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-34.1.27-1.el9	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:
Clones:	2054718 (view as bug list)		Environment:
Last Closed:	2022-05-17 15:50:20 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	2057261

Description Filip Dvorak 2022-02-15 12:47:00 UTC

Description of problem:
there is a AVC message when the command chage is used.

Version-Release number of selected component (if applicable):
selinux-policy-34.1.24-1.el9.noarch
RHEL9

Steps to Reproduce:
1.create a user with some passwoed and use "chage -m 1 -M 90 alice"

Actual results:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.24-1.el9.noarch
----
time->Mon Feb 14 11:05:32 2022
type=PROCTITLE msg=audit(1644854732.203:3013): proctitle=6368616765002D2D6C6173746461790031002D2D6D617864617973003100627A373533373634
type=SYSCALL msg=audit(1644854732.203:3013): arch=c000003e syscall=59 success=no exit=-13 a0=55a24bba9d8a a1=7ffc08331630 a2=7ffc08331628 a3=7fd01cab2008 items=0 ppid=102517 pid=102520 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="chage" exe="/usr/bin/chage" subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1644854732.203:3013): avc:  denied  { execute } for  pid=102520 comm="chage" name="sss_cache" dev="vda4" ino=4596 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0


Expected results:
No AVC message.

Comment 2 Milos Malik 2022-02-15 14:21:17 UTC

Caught in enforcing mode:

# chage -m 1 -M 90 alice
chage: cannot execute /usr/sbin/sss_cache: Permission denied
#

----
type=PROCTITLE msg=audit(02/15/2022 09:18:24.688:429) : proctitle=chage -m 1 -M 90 alice 
type=PATH msg=audit(02/15/2022 09:18:24.688:429) : item=0 name=/usr/sbin/sss_cache inode=6802998 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2022 09:18:24.688:429) : cwd=/root 
type=SYSCALL msg=audit(02/15/2022 09:18:24.688:429) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x56158fb26d8a a1=0x7fff96782950 a2=0x7fff96782948 a3=0x7f1d57889008 items=1 ppid=5674 pid=5677 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=chage exe=/usr/bin/chage subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/15/2022 09:18:24.688:429) : avc:  denied  { execute } for  pid=5677 comm=chage name=sss_cache dev="vda1" ino=6802998 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0 
----

Caught in permissive mode:

# chage -m 1 -M 90 alice
#

----
type=PROCTITLE msg=audit(02/15/2022 09:19:34.552:435) : proctitle=sss_cache -UG 
type=PATH msg=audit(02/15/2022 09:19:34.552:435) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=6413786 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/15/2022 09:19:34.552:435) : item=0 name=/usr/sbin/sss_cache inode=6802998 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2022 09:19:34.552:435) : cwd=/root 
type=EXECVE msg=audit(02/15/2022 09:19:34.552:435) : argc=2 a0=sss_cache a1=-UG 
type=SYSCALL msg=audit(02/15/2022 09:19:34.552:435) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x555f0b935d8a a1=0x7ffc8a1d36d0 a2=0x7ffc8a1d36c8 a3=0x7f29cfb02008 items=2 ppid=5681 pid=5684 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/15/2022 09:19:34.552:435) : avc:  denied  { map } for  pid=5684 comm=sss_cache path=/usr/sbin/sss_cache dev="vda1" ino=6802998 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/15/2022 09:19:34.552:435) : avc:  denied  { execute_no_trans } for  pid=5684 comm=chage path=/usr/sbin/sss_cache dev="vda1" ino=6802998 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/15/2022 09:19:34.552:435) : avc:  denied  { read open } for  pid=5684 comm=chage path=/usr/sbin/sss_cache dev="vda1" ino=6802998 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/15/2022 09:19:34.552:435) : avc:  denied  { execute } for  pid=5684 comm=chage name=sss_cache dev="vda1" ino=6802998 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
----

Comment 4 Zdenek Pytela 2022-02-16 19:57:28 UTC

To backport:
commit f540263f5ffcf315b970ca6428b2f04ff5c13f59
Author: Zdenek Pytela <zpytela>
Date:   Wed Feb 16 16:57:08 2022 +0100

    Allow chage domtrans to sssd

Comment 12 Cédric Jeanneret 2022-02-23 07:44:17 UTC

*** Bug 2057297 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2022-05-17 15:50:20 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918

Comment 15 Sandeep Yadav 2022-05-18 09:25:39 UTC

*** Bug 2057261 has been marked as a duplicate of this bug. ***