Bug 2054718

Summary: SELinux prevents the chage process from executing the sss_cache program
Product: Red Hat Enterprise Linux 8 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.6CC: fdvorak, lvrabec, mmalik, ssekidde, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 8.6Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-92.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2054657 Environment:
Last Closed: 2022-05-10 15:15:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2022-02-15 15:05:55 UTC 
+++ This bug was initially created as a clone of Bug #2054657 +++

Description of problem:
# chage -d 0 test-user
chage: cannot execute /usr/sbin/sss_cache: Permission denied
#

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-91.el8.noarch
selinux-policy-targeted-3.14.3-91.el8.noarch

Steps to Reproduce:
1. create a user with some password
2. chage -d 0 test-user
3. search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(02/15/2022 16:04:12.036:1591) : proctitle=chage -d 0 test-user 
type=PATH msg=audit(02/15/2022 16:04:12.036:1591) : item=0 name=/usr/sbin/sss_cache inode=8920535 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2022 16:04:12.036:1591) : cwd=/root 
type=SYSCALL msg=audit(02/15/2022 16:04:12.036:1591) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55a73e1a7250 a1=0x7ffeecce2690 a2=0x7ffeecce2688 a3=0x7f125fce4840 items=1 ppid=104530 pid=104533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=127 comm=chage exe=/usr/bin/chage subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/15/2022 16:04:12.036:1591) : avc:  denied  { execute } for  pid=104533 comm=chage name=sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials
 * no error messages when running the chage program
Comment 1 Milos Malik 2022-02-15 15:07:29 UTC 
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(02/15/2022 16:06:28.363:1615) : proctitle=sss_cache -UG 
type=PATH msg=audit(02/15/2022 16:06:28.363:1615) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=9615754 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(02/15/2022 16:06:28.363:1615) : item=0 name=/usr/sbin/sss_cache inode=8920535 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/15/2022 16:06:28.363:1615) : cwd=/root 
type=EXECVE msg=audit(02/15/2022 16:06:28.363:1615) : argc=2 a0=sss_cache a1=-UG 
type=SYSCALL msg=audit(02/15/2022 16:06:28.363:1615) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x563b44d1a250 a1=0x7ffd43c04ad0 a2=0x7ffd43c04ac8 a3=0x7f9068436840 items=2 ppid=105709 pid=105712 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=127 comm=sss_cache exe=/usr/sbin/sss_cache subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/15/2022 16:06:28.363:1615) : avc:  denied  { map } for  pid=105712 comm=sss_cache path=/usr/sbin/sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/15/2022 16:06:28.363:1615) : avc:  denied  { execute_no_trans } for  pid=105712 comm=chage path=/usr/sbin/sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/15/2022 16:06:28.363:1615) : avc:  denied  { read open } for  pid=105712 comm=chage path=/usr/sbin/sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(02/15/2022 16:06:28.363:1615) : avc:  denied  { execute } for  pid=105712 comm=chage name=sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=1 
----
Comment 12 errata-xmlrpc 2022-05-10 15:15:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995