Bug 2123260
| Summary: | SELinux prevents confined users (staff_u, sysadm_u) from successfully running vlock | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Milos Malik <mmalik> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9.1 | CC: | dareynol, lvrabec, mmalik, nknazeko |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.2 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 2122838 | Environment: | |
| Last Closed: | 2023-05-09 08:16:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Deadline: | 2022-11-22 | | |
Description
Milos Malik
2022-09-01 09:13:10 UTC
SELinux denials caught in enforcing mode after removal of dontaudit rules:
----
type=PROCTITLE msg=audit(09/01/2022 11:07:50.940:572) : proctitle=vlock
type=PATH msg=audit(09/01/2022 11:07:50.940:572) : item=0 name=/dev/pts/0 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/01/2022 11:07:50.940:572) : cwd=/home/staff-user
type=SYSCALL msg=audit(09/01/2022 11:07:50.940:572) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x556028a0f5a0 a2=0x7ffd68c392e0 a3=0x0 items=1 ppid=4605 pid=6150 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=pts0 ses=5 comm=vlock exe=/usr/bin/vlock subj=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/01/2022 11:07:50.940:572) : avc: denied { search } for pid=6150 comm=vlock name=/ dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
----
type=PROCTITLE msg=audit(09/01/2022 11:07:50.940:573) : proctitle=vlock
type=PATH msg=audit(09/01/2022 11:07:50.940:573) : item=0 name=/dev/pts/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/01/2022 11:07:50.940:573) : cwd=/home/staff-user
type=SYSCALL msg=audit(09/01/2022 11:07:50.940:573) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x556028a0f5a0 a2=0x7ffd68c392e0 a3=0x0 items=1 ppid=4605 pid=6150 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=pts0 ses=5 comm=vlock exe=/usr/bin/vlock subj=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(09/01/2022 11:07:50.940:573) : avc: denied { getattr } for pid=6150 comm=vlock path=/dev/pts dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
----
The following policy module solved the problem on my VM:
# cat mypolicy.cil
( allow vlock_t devpts_t ( dir ( getattr search )))
# semodule -i mypolicy.cil
#
The following policy rules (generated by audit2allow from the ausearch output) are not necessary for running the vlock command successfully:
#============= vlock_t ==============
allow vlock_t apm_bios_t:chr_file getattr;
allow vlock_t autofs_device_t:chr_file getattr;
allow vlock_t cachefiles_device_t:chr_file getattr;
allow vlock_t clock_device_t:chr_file getattr;
allow vlock_t dma_device_t:chr_file getattr;
allow vlock_t event_device_t:chr_file getattr;
allow vlock_t fixed_disk_device_t:blk_file getattr;
allow vlock_t framebuf_device_t:chr_file getattr;
allow vlock_t fuse_device_t:chr_file getattr;
allow vlock_t gpmctl_t:sock_file getattr;
allow vlock_t hugetlbfs_t:dir getattr;
allow vlock_t initctl_t:fifo_file getattr;
allow vlock_t kmsg_device_t:chr_file getattr;
allow vlock_t kvm_device_t:chr_file getattr;
allow vlock_t loop_control_device_t:chr_file getattr;
allow vlock_t memory_device_t:chr_file getattr;
allow vlock_t netcontrol_device_t:chr_file getattr;
allow vlock_t nvram_device_t:chr_file getattr;
allow vlock_t ppp_device_t:chr_file getattr;
allow vlock_t printer_device_t:chr_file getattr;
allow vlock_t proc_kcore_t:file getattr;
allow vlock_t ptmx_t:chr_file getattr;
allow vlock_t tty_device_t:chr_file getattr;
allow vlock_t uhid_device_t:chr_file getattr;
allow vlock_t usbmon_device_t:chr_file getattr;
allow vlock_t vhost_device_t:chr_file getattr;
allow vlock_t virtio_device_t:chr_file getattr;
allow vlock_t watchdog_device_t:chr_file getattr;
allow vlock_t wireless_device_t:chr_file getattr;
allow vlock_t xserver_misc_device_t:chr_file getattr;
Resolved with the rebase:
rhel92# sesearch -A -s vlock_t -t devpts_t -c dir -p search
allow vlock_t devpts_t:dir { getattr open search };
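As an added example (not part of this bug report or of the selinux-policy project), the following Python script aggregates the AVC records from the description into the minimal CIL allow rule the reporter used, and checks such a set of required permissions against `sesearch -A` output like the rebased policy's rule above. The two audit lines are copied from the report; everything else (function names, the regexes) is this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from the report, in `ausearch -i` (interpreted) format.
AVC_LINES = """\
type=AVC msg=audit(09/01/2022 11:07:50.940:572) : avc: denied { search } for pid=6150 comm=vlock name=/ dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(09/01/2022 11:07:50.940:573) : avc: denied { getattr } for pid=6150 comm=vlock path=/dev/pts dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
"""

# Permissions between the braces, then the source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# `sesearch -A` prints kernel policy language: `allow src tgt:class { p1 p2 };` or `allow src tgt:class p1;`
SESEARCH_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+);")


def type_of(context):
    """user:role:type[:range] -> type (the part a TE allow rule is keyed on)."""
    return context.split(":")[2]


def collect_denials(text):
    """Aggregate AVC denials into {(source_type, target_type, class): {permissions}}."""
    needed = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            needed[key].update(m["perms"].split())
    return dict(needed)


def to_cil(denials):
    """Render the aggregated denials as CIL allow rules, one per (source, target, class)."""
    return [f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (src, tgt, cls), perms in sorted(denials.items())]


def uncovered(denials, sesearch_output):
    """Return the denied permissions that the rules in `sesearch_output` still do not grant."""
    granted = defaultdict(set)
    for src, tgt, cls, perms in SESEARCH_RE.findall(sesearch_output):
        granted[(src, tgt, cls)].update(perms.strip("{}").split())
    missing = {k: v - granted[k] for k, v in denials.items()}
    return {k: v for k, v in missing.items() if v}


if __name__ == "__main__":
    for rule in to_cil(collect_denials(AVC_LINES)):
        print(rule)  # (allow vlock_t devpts_t (dir (getattr search)))
```

An empty result from `uncovered()` means the installed policy already grants every permission the denials asked for, which is the check to run after the rebase instead of re-running vlock by hand.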
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2023:2483