Bug 2101341
| Summary: | AVC when executing "subscription-manager" as sudo'ed sysadm_t | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | Petr Hybl <phybl> |
| Priority: | low | | |
| Version: | 8.6 | CC: | jafiala, lvrabec, mmalik, phybl, ptoscano, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.8 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-109.el8 | Doc Type: | Bug Fix |
| Doc Text: | SELinux policy allows `sysadm_r` to use `subscription-manager`. Previously, users in the `sysadm_r` SELinux role were not allowed to execute some subcommands of the `subscription-manager` utility. Consequently, the subcommands failed to read the memory device. This update adds a new rule to the SELinux policy that allows the `sysadm_t` type to read `/dev/mem`. As a consequence, the `subscription-manager` subcommands do not fail. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-16 09:03:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Pino, subscription manager seems to request reading of /dev/mem directly: is this expected and should we allow it in the policy?

(In reply to Zdenek Pytela from comment #1)
> subscription manager seems to request reading of /dev/mem directly: is this
> expected and should we allow it in the policy?

Unfortunately it is expected: we use python-dmidecode to read SMBIOS/DMI details of the system, and that Python module reads /dev/mem directly.

Curiously enough: this way does not work in kernel_lockdown mode, enforced when Secure Boot is enabled by newer kernels. In particular, subscription-manager in RHEL 9 had to switch away from python-dmidecode: bug 2101341. (It was changed in 9.0z released a couple of days ago, and of course in 9.1.)

It is interesting that this came up only now, as subscription-manager had been using python-dmidecode for many years.

So yeah, in RHEL 8 we need this SELinux rule.

(In reply to Pino Toscano from comment #2)
> > subscription manager seems to request reading of /dev/mem directly: is this
> > expected and should we allow it in the policy?
>
> Unfortunately it is expected: we use python-dmidecode to read SMBIOS/DMI
> details of the system, and that Python module reads /dev/mem directly.
>
> Curiously enough: this way does not work in kernel_lockdown mode, enforced
> when Secure Boot is enabled by newer kernels.
> In particular, subscription-manager in RHEL 9 had to switch away from
> python-dmidecode: bug 2101341.
> (It was changed in 9.0z released a couple of days ago, and of course in 9.1.)
>
> It is interesting that this came up only now, as subscription-manager had
> been using python-dmidecode for many years.

I suppose this only pops up when SELinux confined users are in place, see the attached KCS for reproducer.

> So yeah, in RHEL 8 we need this SELinux rule.

Thank you.

Commit to backport:
commit c95cf07cea17f548daee8f47b9580120b63dedc2 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Thu Aug 11 16:47:57 2022 +0200
Allow sysadm_t read raw memory devices
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965
Description of problem:

Users mapped to sysadm_u get AVCs when executing "subscription-manager register" command (but also "subscription-manager repos"):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(06/27/2022 09:37:51.112:127) : proctitle=/usr/libexec/platform-python /sbin/subscription-manager register --username rhn-support-rmetrich
type=SYSCALL msg=audit(06/27/2022 09:37:51.112:127) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f5c6f4f6a63 a2=O_RDONLY a3=0x0 items=0 ppid=1687 pid=1795 auid=sysadm uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=subscription-ma exe=/usr/libexec/platform-python3.6 subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/27/2022 09:37:51.112:127) : avc: denied { read } for pid=1795 comm=subscription-ma name=mem dev="devtmpfs" ino=9361 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Even though that read fails, the command *seems* to be a success in the end.

I get this while reproducing an issue for a customer having RHEL7, but here above it's RHEL8.

Version-Release number of selected component (if applicable):

subscription-manager-1.28.29-3.el8.x86_64
selinux-policy-targeted-3.14.3-95.el8.noarch

How reproducible:

Always

Steps to Reproduce:
1. Setup an admin user mapped to "staff_u" or "sysadm_u"
2. Login as the user and "sudo -r sysadm_r -t sysadm_t -i"
3. Execute "subscription-manager register" command

Actual results:

AVC above

Expected results:

No AVC
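As an added example (not from the bug report or the selinux-policy project), the following parses the AVC record quoted above into its fields, checks whether a denial is the one this bug describes (sysadm_t reading memory_device_t), and renders the TE allow rule that would satisfy it, which is useful when triaging similar denials from confined-user sessions. The function names are my own; the record format is the standard audit AVC layout.

```python
import re

# AVC record copied from the reproducer in the bug report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(06/27/2022 09:37:51.112:127) : avc: denied { read } '
    'for pid=1795 comm=subscription-ma name=mem dev="devtmpfs" ino=9361 '
    'scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0'
)

# "avc: denied { perm ... } for key=value ..." (also matches "granted")
_AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (dev="devtmpfs")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None


def parse_avc(record):
    """Return a dict describing the AVC record, or None if it is not one."""
    m = _AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'stype': _type_of(fields.get('scontext', '')),
        'ttype': _type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
        'fields': fields,
    }


def allow_rule(avc):
    """Render the TE allow rule that would satisfy the parsed denial."""
    perms = ' '.join(avc['perms'])
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};"


def matches_this_bug(avc):
    """True when the denial is the one from this report: sysadm_t reading /dev/mem."""
    return (avc is not None and avc['decision'] == 'denied'
            and avc['stype'] == 'sysadm_t' and avc['ttype'] == 'memory_device_t'
            and avc['tclass'] == 'chr_file' and 'read' in avc['perms'])
```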