Bug 2136189
| Summary: | Confined user sudo'ing with sysadm_r role sees journalctl AVCs | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.6 | CC: | lvrabec, mmalik, nknazeko | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 8.8 | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-116.el8 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2153782 (view as bug list) | Environment: | ||
| Last Closed: | 2023-05-16 09:04:17 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2153782 | |||
The issue happens when "journalctl" tries to change the limit for NOFILE:
~~~
1571 [journalctl_t] 10:22:54.471536 setrlimit(RLIMIT_NOFILE, {rlim_cur=16*1024, rlim_max=16*1024}) = -1 EPERM (Operation not permitted) <0.000009>
~~~
But the issue is seen only when we are "root". This is because "setrlimit()" fails earlier when being the user, from "trace-cmd" output:
- as staff user
~~~
journalctl-1861 [000] 870.439735: funcgraph_entry: | SyS_setrlimit() {
journalctl-1861 [000] 870.439744: funcgraph_entry: | __check_object_size() {
journalctl-1861 [000] 870.439744: funcgraph_entry: 0.038 us | static_key_enabled();
journalctl-1861 [000] 870.439744: funcgraph_entry: 0.046 us | __virt_addr_valid();
journalctl-1861 [000] 870.439745: funcgraph_entry: 0.047 us | check_stack_object();
journalctl-1861 [000] 870.439745: funcgraph_exit: 1.035 us | }
journalctl-1861 [000] 870.439745: funcgraph_entry: | do_prlimit() {
journalctl-1861 [000] 870.439745: funcgraph_entry: | tasklist_read_lock() {
journalctl-1861 [000] 870.439746: funcgraph_entry: 0.080 us | _raw_qread_lock();
journalctl-1861 [000] 870.439746: funcgraph_exit: 0.381 us | }
journalctl-1861 [000] 870.439746: funcgraph_entry: 0.045 us | _raw_spin_lock();
journalctl-1861 [000] 870.439747: funcgraph_entry: | capable() {
journalctl-1861 [000] 870.439747: funcgraph_entry: | ns_capable() {
journalctl-1861 [000] 870.439747: funcgraph_entry: | security_capable() {
journalctl-1861 [000] 870.439747: funcgraph_entry: | selinux_capable() {
journalctl-1861 [000] 870.439747: funcgraph_entry: 0.038 us | cap_capable();
journalctl-1861 [000] 870.439748: funcgraph_exit: 0.343 us | }
journalctl-1861 [000] 870.439748: funcgraph_exit: 0.725 us | }
journalctl-1861 [000] 870.439748: funcgraph_exit: 1.093 us | }
journalctl-1861 [000] 870.439748: funcgraph_exit: 1.441 us | }
journalctl-1861 [000] 870.439748: funcgraph_exit: 2.820 us | }
journalctl-1861 [000] 870.439748: funcgraph_exit: 4.642 us | }
~~~
- as root
~~~
journalctl-1997 [001] 1212.941396: funcgraph_entry: | SyS_setrlimit() {
journalctl-1997 [001] 1212.941397: funcgraph_entry: | __check_object_size() {
journalctl-1997 [001] 1212.941397: funcgraph_entry: 0.040 us | static_key_enabled();
journalctl-1997 [001] 1212.941398: funcgraph_entry: 0.045 us | __virt_addr_valid();
journalctl-1997 [001] 1212.941398: funcgraph_entry: 0.037 us | check_stack_object();
journalctl-1997 [001] 1212.941398: funcgraph_exit: 1.053 us | }
journalctl-1997 [001] 1212.941398: funcgraph_entry: | do_prlimit() {
journalctl-1997 [001] 1212.941399: funcgraph_entry: | tasklist_read_lock() {
journalctl-1997 [001] 1212.941399: funcgraph_entry: 0.073 us | _raw_qread_lock();
journalctl-1997 [001] 1212.941399: funcgraph_exit: 0.387 us | }
journalctl-1997 [001] 1212.941399: funcgraph_entry: 0.038 us | _raw_spin_lock();
journalctl-1997 [001] 1212.941400: funcgraph_entry: | capable() {
journalctl-1997 [001] 1212.941400: funcgraph_entry: | ns_capable() {
journalctl-1997 [001] 1212.941400: funcgraph_entry: | security_capable() {
journalctl-1997 [001] 1212.941400: funcgraph_entry: | selinux_capable() {
journalctl-1997 [001] 1212.941400: funcgraph_entry: 0.078 us | cap_capable();
journalctl-1997 [001] 1212.941401: funcgraph_entry: | cred_has_capability() {
journalctl-1997 [001] 1212.941401: funcgraph_entry: 0.042 us | avc_denied.isra.5();
journalctl-1997 [001] 1212.941402: funcgraph_entry: | slow_avc_audit() {
journalctl-1997 [001] 1212.941402: funcgraph_entry: | common_lsm_audit() {
journalctl-1997 [001] 1212.941402: funcgraph_entry: | audit_log_start() {
journalctl-1997 [001] 1212.941402: funcgraph_entry: 0.128 us | audit_filter();
journalctl-1997 [001] 1212.941403: funcgraph_entry: 0.037 us | _raw_spin_lock_irqsave();
journalctl-1997 [001] 1212.941403: funcgraph_entry: 0.045 us | _raw_spin_unlock_irqrestore();
journalctl-1997 [001] 1212.941404: funcgraph_entry: | __alloc_skb() {
journalctl-1997 [001] 1212.941404: funcgraph_entry: 0.087 us | kmem_cache_alloc_node();
journalctl-1997 [001] 1212.941404: funcgraph_entry: | __kmalloc_reserve.isra.32() {
journalctl-1997 [001] 1212.941404: funcgraph_entry: | __kmalloc_node_track_caller() {
journalctl-1997 [001] 1212.941405: funcgraph_entry: 0.043 us | kmalloc_slab();
journalctl-1997 [001] 1212.941405: funcgraph_exit: 0.468 us | }
journalctl-1997 [001] 1212.941405: funcgraph_exit: 0.847 us | }
...
~~~
I don't see the setrlimit permission denial in current RHEL 8 and 9 systems.
In RHEL 8, it seems to have been added 2 years ago:
commit 5993c18a7a9e368ed47774fb397d28f6adf88590
Author: Zdenek Pytela <zpytela>
Date: Tue Jun 23 12:15:10 2020 +0200
* Tue Jun 23 2020 Zdenek Pytela <zpytela> - 3.14.3-46
- Fix description tag for the sssd_connect_all_unreserved_ports tunable
Related: rhbz#1826748
- Allow journalctl process set its resource limits
Resolves: rhbz#1825894
commit ee1e214ca11e100778dacdadd41820c8fa8290cb
Author: Zdenek Pytela <zpytela>
Date: Thu Jun 18 16:33:59 2020 +0200
Allow journalctl process set its resource limits
Resolves: rhbz#1825894
diff --git a/journalctl.te b/journalctl.te
index 8f9792517..4a7d5ccb4 100644
--- a/journalctl.te
+++ b/journalctl.te
@@ -18,7 +18,7 @@ role journalctl_roles types journalctl_t;
#
# journalctl local policy
#
-allow journalctl_t self:process { fork signal_perms };
+allow journalctl_t self:process { fork setrlimit signal_perms };
The sys_resource capability is only required when a pager is invoked together with journalctl.
type=PROCTITLE msg=audit(12/14/22 09:31:38.348:376) : proctitle=(pager)
type=SYSCALL msg=audit(12/14/22 09:31:38.348:376) : arch=x86_64 syscall=prctl success=no exit=EPERM(Operation not permitted) a0=PR_SET_MM a1=0x8 a2=0x7f08d6792000 a3=0x0 items=0 ppid=29105 pid=29106 auid=staff uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=10 comm=(pager) exe=/usr/bin/journalctl subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/14/22 09:31:38.348:376) : avc: denied { sys_resource } for pid=29106 comm=(pager) capability=sys_resource scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=0
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2965 |
Description of problem: When becoming root from staff_u to staff_u:sysadm_r:sysadm_t (thanks to usual rule on %wheel group), the admin gets harmless AVCs related to the journal when executing journalctl command: ~~~ # ausearch -m avc,user_avc -ts recent ---- time->Wed Oct 19 16:31:06 2022 type=USER_AVC msg=audit(1666189866.541:220): pid=1081 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: received policyload notice (seqno=2) exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' ---- time->Wed Oct 19 16:31:53 2022 type=SYSCALL msg=audit(1666189913.115:242): arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5c33123000 a3=0 items=0 ppid=5559 pid=5560 auid=1005 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=17 comm="(pager)" exe="/usr/bin/journalctl" subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1666189913.115:242): avc: denied { sys_resource } for pid=5560 comm="(pager)" capability=24 scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=0 ---- time->Wed Oct 19 16:31:53 2022 type=SYSCALL msg=audit(1666189913.117:243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5567cbc49350 a2=0 a3=0 items=0 ppid=5559 pid=5560 auid=1005 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=17 comm="less" exe="/usr/bin/less" subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1666189913.117:243): avc: denied { read } for pid=5560 comm="less" name=".lesshst" dev="dm-0" ino=33588461 scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0 ~~~ The root cause for this is journalctl executes in "journalctl_t" context due to the transition: ~~~ # sesearch -T -t journalctl_exec_t type_transition staff_t journalctl_exec_t:process journalctl_t; type_transition sysadm_t journalctl_exec_t:process journalctl_t; type_transition user_t journalctl_exec_t:process journalctl_t; ~~~ Then the journalctl process spawns "less" which runs in the journalctl context as well, the later trying to read then modify resource limits ("setrlimit" AVC is seen later on while in Permissive). Additionally "less" tries to read /root/.lesshst file which is labeled with admin_home_t, but there is no rule for this either. We need to allow this. Custom policy rules missing: ~~~ allow journalctl_t self:capability sys_resource; allow journalctl_t self:process setrlimit; allow journalctl_t admin_home_t:file {ioctl read write getattr lock append open}; ~~~ Version-Release number of selected component (if applicable): selinux-policy-3.14.3-95.el8_6.4.noarch Also seen on RHEL7. How reproducible: Always Steps to Reproduce: 1. Create a user mapped to staff_u in %wheel group # useradd -Z staff_u staff # echo redhat | passwd --stdin staff 2. Login as the user and sudo $ sudo -r sysadm_r -i # journalctl Actual results: AVCs above + "setrlimit" AVC when being Permissive: ~~~ time->Wed Oct 19 16:25:59 2022 type=PROCTITLE msg=audit(1666189559.514:349): proctitle="journalctl" type=SYSCALL msg=audit(1666189559.514:349): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7ffc27e181b0 a2=0 a3=8 items=0 ppid=2127 pid=2159 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="journalctl" exe="/usr/bin/journalctl" subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1666189559.514:349): avc: denied { setrlimit } for pid=2159 comm="journalctl" scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=process permissive=0 ~~~ Expected results: No AVC