Bug 2112729

Summary: Confined SELinux user 'staff_u' cannot run probes from scap-workbench if privilege escalation performed by polkit
Product: Red Hat Enterprise Linux 9 Reporter: Daniel Reynolds <dareynol>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact: Petr Hybl <phybl>
Priority: low    
Version: unspecifiedCC: lvrabec, mjahoda, mmalik, phybl, zpytela
Target Milestone: rcKeywords: Triaged
Target Release: 9.3Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-38.1.16-1.el9 Doc Type: Bug Fix
Doc Text:
.Users in the `staff_r` SELinux role can now run `scap_workbench` probes Previously, the `selinux-policy` packages did not contain rules for users in the `staff_r` SELinux role required to run the `scap-workbench` utility. Consequently, `scap-workbench` probes failed when run by user in the `staff_r` SELinux role. With this update, the missing rules have been added to `selinux-policy`, and SELinux users can now run `scap_workbench` probes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-11-07 08:52:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Reynolds 2022-08-01 01:28:45 UTC 
1. Proposed title of this feature request

polkit SELinux transitions

2. Who is the customer behind the request?

Account: 1158984 - BAE Systems Australia Ltd
TAM customer: no
CSM customer: no
Strategic: no

3. What is the nature and description of the request?

When running a system that confines users to SELinux user staff_u, users performing probes from scap-workbench cause many AVC errors and probe fails.

4. Why does the customer need this? (List the business requirements here)

To allow constrained 'staff_u' users to run probes from SCAP-workbench

5. How would the customer like to achieve this? (List the functional requirements here)

Request is to provide a method for scap-workbench to perform probes by a constrained user staff_u by either:
- Allow polkit to change SELinux context of new processes.
- Introduce new SELinux domains for oscap and scap-workbench that allow constrained user staff_u to run probes.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

a. Set up a SELinux constrained user 'staff_u'.
b. Configure user to be an administrator (e.g. member of wheel).
c. Install SCAP-workbench.
d. Successfully run SCAP-workbench from menu, authenticate via polkit, and run a probe on local system without SELinux denials.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

No

9. Is the sales team involved in this request and do they have any additional input?

No

10. List any affected packages or components.

scap-workbench,
selinux-policy
polkit

11. Would the customer be able to assist in testing this functionality if implemented?

Yes
Comment 1 Zdenek Pytela 2022-08-05 19:09:25 UTC 
Daniel,

Can you describe which instructions were followed to get to this setup?

From SELinux perspective the problem is that a Linux user in the staff_r role is a SELinux confined user, while a SELinux confined administrator rather has the sysadm_r role (and a few dedicated ones which probably do not apply here).

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux
Comment 2 Daniel Reynolds 2022-08-08 03:57:20 UTC 
Hello Zdenek

Re

> Can you describe which instructions were followed to get to this setup?

1. Cu has started to migrate users to staff_u.

2. To run administrative commands they use the following configuration

    Users assigned to 'wheel' group.

    The following configuration in /etc/sudoers to allow the transition; staff_r -> sysadm_t.
    ~~~
    %wheel_sysadm  ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_r   ALL
    ~~~

3. Works for most administrative functions.

4. Using scap-workbench from GUI.

    scap-workbench does not use 'sudo' for privilege escalation to root, uses polkit.

    polkit does not perform transition from staff_r -> sysadm_r.

    polkit probe runs as staff_r instead of sysadm_r.  Most of the probe fails with AVC denials despite running as root.

5. As a work around, user is running scap-workbench via sudo.


Regards.
Comment 3 Daniel Reynolds 2022-08-08 03:58:39 UTC 
Correction to above

/etc/sudoers configuration is as follows

~~~
%wheel_sysadm  ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t   ALL
~~~
Comment 4 Nikola Knazekova 2022-09-02 06:00:59 UTC 
Hi Daniel,

can you please attach AVC messages? 

Thanks

Nikola
Comment 10 Daniel Reynolds 2022-09-09 04:37:06 UTC 
Supplied AVC as requested.  See above.
Comment 27 Nikola Knazekova 2023-06-14 14:22:51 UTC 
PR: https://github.com/fedora-selinux/selinux-policy/pull/1708
Comment 29 Zdenek Pytela 2023-06-23 09:33:57 UTC 
Commit to bckport:
3d4190dbd (HEAD -> rawhide, upstream/rawhide) Add list_dir_perms to kerberos_read_keytab
Comment 43 errata-xmlrpc 2023-11-07 08:52:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617