Bug 2164047

Summary: new selinux-policy causes the /var/log/sudo.log to be created in different than expected fcontext
Product: Red Hat Enterprise Linux 8 Reporter: Dalibor Pospíšil <dapospis>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.8CC: lvrabec, mmalik, nknazeko
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 8.8Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-115.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 09:04:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dalibor Pospíšil 2023-01-24 15:15:09 UTC 
Description of problem:
There's a fcontext for /var/log/sudo.log added in the later policies while it seems there's a file transition rule missing for that path.


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-114.el8.noarch

How reproducible:
100%

Steps to Reproduce:
1. echo 'Defaults logfile=/var/log/sudo.log' >> /etc/sudoers
2. echo 'bz1330001 ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
3. useradd bz1330001
4. su - bz1330001 -c 'unbuffer sudo true'
5. matchpathcon -V /var/log/sudo.log; echo $?

Actual results:
/var/log/sudo.log has context unconfined_u:object_r:var_log_t:s0, should be system_u:object_r:sudo_log_t:s0
1

Expected results:
0

Additional info:
does not happen with selinux-policy-38.1.4-1.el9.noarch nor selinux-policy-3.14.3-112.el8.noarch
Comment 1 Zdenek Pytela 2023-01-24 15:39:13 UTC 
Seems transition is not needed for sudodomain, but unconfined_t/staff_t/sysadm_t:

----
type=PROCTITLE msg=audit(01/24/23 10:35:33.520:265) : proctitle=sudo true
type=PATH msg=audit(01/24/23 10:35:33.520:265) : item=1 name=/var/log/sudo.log inode=67429761 dev=fd:00 mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/24/23 10:35:33.520:265) : item=0 name=/var/log/ inode=67329156 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/24/23 10:35:33.520:265) : cwd=/home/bz1330001
type=SYSCALL msg=audit(01/24/23 10:35:33.520:265) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x55eefd5a4260 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=13491 pid=13520 auid=bz1330001 uid=root gid=bz1330001 euid=root suid=root fsuid=root egid=root sgid=bz1330001 fsgid=root tty=pts1 ses=7 comm=sudo exe=/usr/bin/sudo subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sudolog
Comment 3 Zdenek Pytela 2023-01-26 11:03:50 UTC 
In the end it turned out only a transition for the unconfined user needs to be added.
Tested with various SELinux users and commands where there is a transition on sudo run.
Comment 18 errata-xmlrpc 2023-05-16 09:04:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965