Bug 2188565

Summary: SELinux prevents certain confined users from starting the restorecond_user service
Product: Red Hat Enterprise Linux 9
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: NEW
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.2
CC: lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Hardware: All
OS: Linux
Doc Type: No Doc Update
Type: Bug

Description Milos Malik 2023-04-21 07:59:36 UTC
Description of problem:
# grep ConditionPathExists /usr/lib/systemd/user/restorecond_user.service 
ConditionPathExists=/etc/selinux/restorecond_user.conf
#

Version-Release number of selected component (if applicable):
policycoreutils-3.5-1.el9.x86_64
policycoreutils-dbus-3.5-1.el9.noarch
policycoreutils-devel-3.5-1.el9.x86_64
policycoreutils-gui-3.5-1.el9.noarch
policycoreutils-newrole-3.5-1.el9.x86_64
policycoreutils-python-utils-3.5-1.el9.noarch
policycoreutils-restorecond-3.5-1.el9.x86_64
policycoreutils-sandbox-3.5-1.el9.x86_64
selinux-policy-38.1.11-2.el9_2.noarch
selinux-policy-devel-38.1.11-2.el9_2.noarch
selinux-policy-doc-38.1.11-2.el9_2.noarch
selinux-policy-mls-38.1.11-2.el9_2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a RHEL-9.2 machine (targeted policy is active)
2. create a new user that is confined by SELinux (staff_u, user_u)
# useradd -Z ... ...
3. set password for the new user
4. log in as the new user
5. start the restorecond_user service
$ systemctl --user start restorecond_user.service
6. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(04/21/2023 09:46:01.146:401) : proctitle=/usr/sbin/restorecond -u 
type=PATH msg=audit(04/21/2023 09:46:01.146:401) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/21/2023 09:46:01.146:401) : cwd=/home/staff-user 
type=SYSCALL msg=audit(04/21/2023 09:46:01.146:401) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x561514d3a2e0 a2=0x42 a3=0x0 items=1 ppid=4599 pid=4717 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=3 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc:  denied  { watch } for  pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(04/21/2023 09:55:38.472:584) : proctitle=/usr/sbin/restorecond -u 
type=PATH msg=audit(04/21/2023 09:55:38.472:584) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/21/2023 09:55:38.472:584) : cwd=/home/user-user 
type=SYSCALL msg=audit(04/21/2023 09:55:38.472:584) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5633587ec2e0 a2=0x42 a3=0x0 items=1 ppid=8974 pid=9096 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=8 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc:  denied  { watch } for  pid=9096 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0 
----

Expected results:
 * no SELinux denials
 * the restorecond_user service runs in enforcing mode

Comment 1 Milos Malik 2023-04-21 08:54:40 UTC
Triggered by a staff_u user in permissive mode:
----
type=PROCTITLE msg=audit(04/21/2023 10:49:01.430:1193) : proctitle=systemctl --user status restorecond_user.service 
type=PATH msg=audit(04/21/2023 10:49:01.430:1193) : item=0 name=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 inode=632670 dev=fd:02 mode=file,640 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/21/2023 10:49:01.430:1193) : cwd=/home/staff-user 
type=SYSCALL msg=audit(04/21/2023 10:49:01.430:1193) : arch=x86_64 syscall=openat success=yes exit=6 a0=AT_FDCWD a1=0x56096bb9b210 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=1 ppid=28643 pid=28698 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=tty2 ses=15 comm=systemctl exe=/usr/bin/systemctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc:  denied  { open } for  pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc:  denied  { read } for  pid=28698 comm=systemctl name=user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/21/2023 10:49:01.430:1194) : proctitle=systemctl --user status restorecond_user.service 
type=MMAP msg=audit(04/21/2023 10:49:01.430:1194) : fd=6 flags=MAP_SHARED 
type=SYSCALL msg=audit(04/21/2023 10:49:01.430:1194) : arch=x86_64 syscall=mmap success=yes exit=140430488371200 a0=0x0 a1=0x3e9000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=28643 pid=28698 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=tty2 ses=15 comm=systemctl exe=/usr/bin/systemctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/21/2023 10:49:01.430:1194) : avc:  denied  { map } for  pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/21/2023 10:49:08.618:1201) : proctitle=/usr/sbin/restorecond -u 
type=PATH msg=audit(04/21/2023 10:49:08.618:1201) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/21/2023 10:49:08.618:1201) : cwd=/home/staff-user 
type=SYSCALL msg=audit(04/21/2023 10:49:08.618:1201) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0x3 a1=0x555a701ed2e0 a2=0x42 a3=0x0 items=1 ppid=28630 pid=28716 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=16 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/21/2023 10:49:08.618:1201) : avc:  denied  { watch } for  pid=28716 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 
----

Triggered by a user_u user in permissive mode:
----
type=PROCTITLE msg=audit(04/21/2023 10:51:29.598:1253) : proctitle=/usr/sbin/restorecond -u 
type=PATH msg=audit(04/21/2023 10:51:29.598:1253) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/21/2023 10:51:29.598:1253) : cwd=/home/user-user 
type=SYSCALL msg=audit(04/21/2023 10:51:29.598:1253) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0x3 a1=0x5622633a22e0 a2=0x42 a3=0x0 items=1 ppid=30045 pid=30128 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=18 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(04/21/2023 10:51:29.598:1253) : avc:  denied  { watch } for  pid=30128 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/21/2023 10:51:30.711:1254) : proctitle=systemctl --user status restorecond_user.service 
type=PATH msg=audit(04/21/2023 10:51:30.711:1254) : item=0 name=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1003.journal inode=642216 dev=fd:02 mode=file,640 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/21/2023 10:51:30.711:1254) : cwd=/home/user-user 
type=SYSCALL msg=audit(04/21/2023 10:51:30.711:1254) : arch=x86_64 syscall=openat success=yes exit=6 a0=AT_FDCWD a1=0x55de346d84c0 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=1 ppid=30058 pid=30133 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=tty3 ses=17 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(04/21/2023 10:51:30.711:1254) : avc:  denied  { open } for  pid=30133 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1003.journal dev="vda2" ino=642216 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
type=AVC msg=audit(04/21/2023 10:51:30.711:1254) : avc:  denied  { read } for  pid=30133 comm=systemctl name=user-1003.journal dev="vda2" ino=642216 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(04/21/2023 10:51:30.712:1255) : proctitle=systemctl --user status restorecond_user.service 
type=MMAP msg=audit(04/21/2023 10:51:30.712:1255) : fd=6 flags=MAP_SHARED 
type=SYSCALL msg=audit(04/21/2023 10:51:30.712:1255) : arch=x86_64 syscall=mmap success=yes exit=140177477468160 a0=0x0 a1=0x800000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=30058 pid=30133 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=tty3 ses=17 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(04/21/2023 10:51:30.712:1255) : avc:  denied  { map } for  pid=30133 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1003.journal dev="vda2" ino=642216 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1 
----
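The records in the description and in comment 1 are the usual raw material for triaging an SELinux policy gap: group AVC denials by source type, target type, object class and permission, keep "permissive=0" (actually blocked) apart from "permissive=1" (logged only), and turn each group into the allow rule that would cover it, the way audit2allow does. The following Python script is an added example written for this page; it is not part of the bug report, of selinux-policy or of policycoreutils. The sample records are constructed in the shape of the ones above (same contexts, permissions and pids), and the grouping logic is a simplified stand-in for audit2allow, not that tool's code.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records shaped like those in the report
# ("Actual results" in enforcing mode, comment 1 in permissive mode),
# plus one non-AVC record to show that other record types are skipped.
SAMPLE_AVCS = """\
type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc:  denied  { watch } for  pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc:  denied  { watch } for  pid=9096 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc:  denied  { open } for  pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc:  denied  { read } for  pid=28698 comm=systemctl name=user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:01.430:1194) : avc:  denied  { map } for  pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:08.618:1201) : avc:  denied  { watch } for  pid=28716 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(04/21/2023 10:49:08.618:1201) : proctitle=/usr/sbin/restorecond -u
"""

# "avc:  denied  { perm perm } for  key=value ..." as ausearch -i prints it.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value pairs; values may be double-quoted (dev="vda2") or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one type=AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = set(m.group("perms").split())
    return fields


def context_type(ctx):
    """Third field of a security context: staff_u:staff_r:staff_t:s0-s0:c0.c1023 -> staff_t."""
    return ctx.split(":")[2]


def summarize(text):
    """Group AVC denials by (source type, target type, class).

    enforcing_denials counts records with permissive=0 (the access was blocked);
    permissive_denials counts permissive=1 records (logged, access went through).
    """
    groups = defaultdict(lambda: {"perms": set(), "comms": set(),
                                  "enforcing_denials": 0, "permissive_denials": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec.get("comm", "?"))
        if rec.get("permissive") == "1":
            g["permissive_denials"] += 1
        else:
            g["enforcing_denials"] += 1
    return dict(groups)


def suggest_rules(groups):
    """One allow rule per group, in the order audit2allow would print them."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def blocked_in_enforcing(groups):
    """Keys of the groups that were actually denied, not merely logged in permissive mode."""
    return sorted(k for k, g in groups.items() if g["enforcing_denials"] > 0)


if __name__ == "__main__":
    groups = summarize(SAMPLE_AVCS)
    for key, g in sorted(groups.items()):
        print(f"{key}: comm={sorted(g['comms'])} perms={sorted(g['perms'])} "
              f"enforcing={g['enforcing_denials']} permissive={g['permissive_denials']}")
    print("blocked in enforcing mode:", blocked_in_enforcing(groups))
    print("\n".join(suggest_rules(groups)))
```

Run on the sample, the script separates the restorecond watch on selinux_config_t (which was blocked in enforcing mode for both staff_t and user_t) from the journal open/read/map by systemctl on var_log_t (seen only with permissive=1 in comment 1, so it did not break the service). Grouping by target type rather than by process name is what keeps those two apart even though both came from the same user session. The emitted allow rules are a triage aid, not a fix: whether a confined user domain should be allowed to watch selinux_config_t is a policy decision for the selinux-policy maintainers, and a local module built from raw denials widens the policy for every user in that domain.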