Bug 2143762
| Summary: | SELinux is preventing /usr/bin/sudo from open access on the file /var/log/sudo.log. |
|---|---|
| Product: | Red Hat Enterprise Linux 8 |
| Reporter: | ShermB <sbb1> |
| Component: | selinux-policy |
| Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA |
| QA Contact: | Milos Malik <mmalik> |
| Severity: | medium |
| Priority: | medium |
| Version: | 8.7 |
| CC: | lvrabec, mmalik, nknazeko, wdh |
| Target Milestone: | rc |
| Keywords: | AutoVerified, Triaged |
| Target Release: | 8.8 |
| Flags: | pm-rhel: mirror+ |
| Hardware: | x86_64 |
| OS: | Linux |
| Fixed In Version: | selinux-policy-3.14.3-114.el8 |
| Doc Type: | No Doc Update |
| Clone Of: | |
| : | 2160388 (view as bug list) |
| Last Closed: | 2023-05-16 09:04:17 UTC |
| Bug Blocks: | 2160388 |
NOTE: I see the error regardless of how wheel is configured in /etc/sudoers:

a. %wheel ALL=(ALL) ALL
b. %wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

----
type=PROCTITLE msg=audit(11/24/2022 12:28:59.337:678) : proctitle=sudo -i
type=PATH msg=audit(11/24/2022 12:28:59.337:678) : item=1 name=/var/log/sudo.log inode=4581054 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/24/2022 12:28:59.337:678) : item=0 name=/var/log/ inode=4220598 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/24/2022 12:28:59.337:678) : cwd=/home/user1
type=SYSCALL msg=audit(11/24/2022 12:28:59.337:678) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55e5e1510840 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=20776 pid=20806 auid=user1 uid=root gid=user1 euid=root suid=root fsuid=root egid=root sgid=user1 fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/24/2022 12:28:59.337:678) : avc: denied { open } for pid=20806 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
----
The /var/log/sudo.log file is not created by default, but the following option helps to reproduce the issue:
```
# grep sudo.log /etc/sudoers
Defaults logfile=/var/log/sudo.log
#
# rpm -qa selinux\* sudo\* | sort
selinux-policy-3.14.3-110.el8.noarch
selinux-policy-devel-3.14.3-110.el8.noarch
selinux-policy-targeted-3.14.3-110.el8.noarch
sudo-1.8.29-8.el8.x86_64
#
```
The following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(11/24/2022 12:34:12.982:688) : proctitle=sudo -i
type=PATH msg=audit(11/24/2022 12:34:12.982:688) : item=1 name=/var/log/sudo.log inode=4581054 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/24/2022 12:34:12.982:688) : item=0 name=/var/log/ inode=4220598 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/24/2022 12:34:12.982:688) : cwd=/home/user1
type=SYSCALL msg=audit(11/24/2022 12:34:12.982:688) : arch=x86_64 syscall=openat success=yes exit=6 a0=AT_FDCWD a1=0x55581b0a2840 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=20776 pid=20860 auid=user1 uid=root gid=user1 euid=root suid=root fsuid=root egid=root sgid=user1 fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/24/2022 12:34:12.982:688) : avc: denied { open } for pid=20860 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
----
The following error message does NOT appear in permissive mode:
sudo: unable to open log file: /var/log/sudo.log: Permission denied
```
# matchpathcon /var/log/sudo.log
/var/log/sudo.log system_u:object_r:var_log_t:s0
# seinfo -t | grep sudo_log
sudo_log_t
# semanage fcontext -l | grep sudo_log
/var/log/sudo-io(/.*)?    all files    system_u:object_r:sudo_log_t:s0
# man sudoers | col -b | grep -C 2 sudo.log
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
#
```
The /var/log/sudo.log file does not exist by default. The default configuration of sudo is to log into syslog.
When the reproducer is executed in enforcing mode, the following SELinux denial appears:
----
type=PROCTITLE msg=audit(01/09/2023 09:48:12.182:4260) : proctitle=sudo -i
type=PATH msg=audit(01/09/2023 09:48:12.182:4260) : item=0 name=/var/log/ inode=4215926 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/09/2023 09:48:12.182:4260) : cwd=/home/sysadm-user
type=SYSCALL msg=audit(01/09/2023 09:48:12.182:4260) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55a2e225af30 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=1 ppid=6114 pid=6143 auid=sysadm-user uid=root gid=sysadm-user euid=root suid=root fsuid=root egid=root sgid=sysadm-user fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/09/2023 09:48:12.182:4260) : avc: denied { create } for pid=6143 comm=sudo name=sudo.log scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=0
----
Here are SELinux denials which appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/09/2023 09:49:17.347:4308) : proctitle=sudo -i
type=PATH msg=audit(01/09/2023 09:49:17.347:4308) : item=1 name=/var/log/sudo.log inode=4750837 dev=fd:01 mode=file,600 ouid=root ogid=root rdev=00:00 obj=sysadm_u:object_r:var_log_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/09/2023 09:49:17.347:4308) : item=0 name=/var/log/ inode=4215926 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/09/2023 09:49:17.347:4308) : cwd=/home/sysadm-user
type=SYSCALL msg=audit(01/09/2023 09:49:17.347:4308) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x55fabf8eef30 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=6203 pid=6233 auid=sysadm-user uid=root gid=sysadm-user euid=root suid=root fsuid=root egid=root sgid=sysadm-user fsgid=root tty=pts1 ses=10 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/09/2023 09:49:17.347:4308) : avc: denied { open } for pid=6233 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4750837 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/09/2023 09:49:17.347:4308) : avc: denied { create } for pid=6233 comm=sudo name=sudo.log scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=1
----
```
# ls -ilZ /var/log/sudo.log
4750837 -rw-------. 1 root root sysadm_u:object_r:var_log_t:s0 102 Jan 9 09:49 /var/log/sudo.log
#
```
SELinux policy already defines the sudo_log_t type. Unfortunately, it is not a default type for the /var/log/sudo.log file.
To backport:
commit 2ce62be20d635fc9ac5c878a650bd817e0be4fa0 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date: Wed Jan 4 09:17:46 2023 +0100
Allow sudodomain use sudo.log as a logfile
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2965
After creating a user, adding the user to wheel, and mapping the group (or user) to sysadm_u, sudo shows an error. I do not expect to see the error message.

Reproducible: Always

Steps to Reproduce:

1. CREATE USER

```
# useradd -Z sysadm_u user1
# passwd user1
# usermod -aG wheel user1
```

2. MAP group wheel to sysadm_u

```
# setsebool -P ssh_sysadm_login on
# semanage login -a -s sysadm_u %wheel
```

3. SSH LOGIN

```
ssh user1@mycomputer
$ id
uid=1002(user1) gid=1002(user1) groups=1002(user1),10(wheel) context=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
```

4. TRY SUDO

```
$ sudo -i
[sudo] password for user1:
sudo: unable to open log file: /var/log/sudo.log: Permission denied
#
```

Actual Results: sudo appears to work, but I see the following error:
==> sudo: unable to open log file: /var/log/sudo.log: Permission denied

Expected Results: sudo should work without the following error:
==> sudo: unable to open log file: /var/log/sudo.log: Permission denied

1. GENERAL INFO

RHEL 8.7, FIPS enabled, SELinux enforced

2. USER1

```
$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
$ ls -dZ /home/user1
sysadm_u:object_r:user_home_dir_t:s0 /home/user1/
$ groups
user1 wheel
```

3. SSH SYSADM LOGIN IS ENABLED

```
# getsebool -a | grep ssh_sysadm_login
ssh_sysadm_login --> on
```

4. SE USER INFO

```
# semanage user -l | egrep 'SELinux|sysadm_u'
SELinux User    Prefix    MCS Level    MCS Range          SELinux Roles
sysadm_u        user      s0           s0-s0:c0.c1023     sysadm_r
```

5. SE LOGIN INFO

```
# semanage login -l | egrep 'Login|%wheel'
Login Name    SELinux User    MLS/MCS Range       Service
%wheel        sysadm_u        s0-s0:c0.c1023      *
```

6. SELinux is preventing /usr/bin/sudo from open access on the file /var/log/sudo.log.

| Source Context | sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 |
|---|---|
| Target Context | unconfined_u:object_r:var_log_t:s0 |
| Target Objects | /var/log/sudo.log [ file ] |
| Source | sudo |
| Source Path | /usr/bin/sudo |
| Port | <Unknown> |
| Host | mycomputer |
| Source RPM Packages | sudo-1.8.29-8.el8.x86_64 |
| Target RPM Packages | |
| SELinux Policy RPM | selinux-policy-targeted-3.14.3-108.el8.noarch |
| Local Policy RPM | selinux-policy-targeted-3.14.3-108.el8.noarch |
| Selinux Enabled | True |
| Policy Type | targeted |
| Enforcing Mode | Enforcing |
| Host Name | mycomputer |
| Platform | Linux mycomputer 4.18.0-425.3.1.el8.x86_64 #1 SMP Fri Sep 30 11:45:06 EDT 2022 x86_64 x86_64 |
| Alert Count | 7 |
| First Seen | 2022-11-16 16:37:33 EST |
| Last Seen | 2022-11-16 19:11:53 EST |
| Local ID | d431e909-3d1a-4802-bc57-840c565e5559 |
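As an added example (not code from this bug report or from the selinux-policy project), the following Python helper parses the AVC records quoted in the comments above, separates denials that were actually enforced (permissive=0) from ones that were only logged in permissive mode (permissive=1), and applies the check the QA contact made by hand: comparing the target type in the denial with the type that `matchpathcon` assigns to the path. When the two agree, as they do here (both var_log_t), a `restorecon` cannot help and the denial has to be fixed in policy. The sample records are copied from this report; the `matchpathcon` answer is passed in as a string rather than queried from a host, so the script runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: AVC records quoted in this bug report, plus one
# non-AVC record to show that it is ignored. Two denials were enforced
# (permissive=0); the last one was only logged in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/24/2022 12:28:59.337:678) : avc: denied { open } for pid=20806 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(11/24/2022 12:28:59.337:678) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=sudo exe=/usr/bin/sudo
type=AVC msg=audit(01/09/2023 09:48:12.182:4260) : avc: denied { create } for pid=6143 comm=sudo name=sudo.log scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(01/09/2023 09:49:17.347:4308) : avc: denied { open } for pid=6233 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4750837 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
# key=value pairs; values may be double-quoted (dev="vda1")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: Tuple[str, ...]
    comm: str
    target: str          # path= or name= from the record, "?" if absent
    scontext: str
    tcontext: str
    tclass: str
    enforced: bool       # permissive=0: the access really was blocked

    @property
    def source_type(self) -> str:
        return self.scontext.split(":")[2]   # user:role:TYPE[:range]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one type=AVC record; any other record type yields None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(m.group(1).split())
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return AvcDenial(
        perms=perms,
        comm=fields.get("comm", "?"),
        target=fields.get("path", fields.get("name", "?")),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        enforced=fields.get("permissive", "0") == "0",
    )


def triage(audit_text: str) -> List[AvcDenial]:
    """Extract every AVC denial from a chunk of ausearch/audit.log output."""
    return [d for d in map(parse_avc, audit_text.splitlines()) if d is not None]


def summarize(denials: List[AvcDenial]) -> Dict[Tuple[str, str, str, str], Dict[str, int]]:
    """Count denials per (source type, target type, class, permission), split by mode."""
    out: Dict[Tuple[str, str, str, str], Dict[str, int]] = {}
    for d in denials:
        for perm in d.perms:
            key = (d.source_type, d.target_type, d.tclass, perm)
            bucket = out.setdefault(key, {"enforced": 0, "permissive": 0})
            bucket["enforced" if d.enforced else "permissive"] += 1
    return out


def classify(denial: AvcDenial, matchpathcon_type: str) -> str:
    """Decide whether relabeling could remove the denial.

    matchpathcon_type is the type the file-context database assigns to the
    path (what `matchpathcon <path>` prints on the affected host). If the
    file's actual type differs, `restorecon` would change the label and may
    clear the denial ("relabel"). If they already agree, the label is the
    intended one and only a policy change can allow the access ("policy").
    """
    return "relabel" if denial.target_type != matchpathcon_type else "policy"


if __name__ == "__main__":
    denials = triage(SAMPLE_AUDIT)
    for key, counts in summarize(denials).items():
        print(key, counts)
    # matchpathcon on the reporter's host answered var_log_t, so the file is
    # labeled as the policy expects and a restorecon would not help:
    print(classify(denials[0], "var_log_t"))  # policy
```

The `classify` step is the one worth keeping in a runbook: an AVC whose target type already matches `matchpathcon` (or `semanage fcontext -l`) is not a stale label, so `restorecon` and `fixfiles` are a waste of time, and the right move is the policy update (here selinux-policy-3.14.3-114.el8) or a local module until it lands.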