Bug 2278988

Summary: /var/log/sudo-io is created with var_log_t instead of sudo_log_t
Product: [Fedora] Fedora Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 42CC: alakatos, dwalsh, kzak, lvrabec, mattdm, mmalik, omosnacek, pkoncity, rsroka, vmojzis, zfridric, zpytela
Target Milestone: ---Flags: zpytela: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-42.4-1.fc42 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-08-07 00:53:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Orion Poplawski 2024-05-03 20:41:34 UTC 
On initial creation by sudo, /var/logsudo-io is created with var_log_t instead of the expected sudo_log_t.

Reproducible: Always

Steps to Reproduce:
1. Enable IO logging with:
Defaults log_output
Defaults log_input
2. Run a command with sudo
3. ls -lZRa /var/log/sudo*
Actual Results:  
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   98402 May  3 14:35 /var/log/sudo_debug
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 1468819 May  3 14:35 /var/log/sudoers_debug

/var/log/sudo-io:
total 16
drwx------.  3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ./
drwxr-xr-x. 12 root root system_u:object_r:var_log_t:s0     4096 May  3 14:35 ../
drwx------.  3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 00/
-rw-------.  1 root root unconfined_u:object_r:var_log_t:s0    7 May  3 14:35 seq

/var/log/sudo-io/00:
total 12
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ../
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 00/

/var/log/sudo-io/00/00:
total 12
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ../
drwx------. 2 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 01/

/var/log/sudo-io/00/00/01:
total 44
drwx------. 2 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ./
drwx------. 3 root root unconfined_u:object_r:var_log_t:s0 4096 May  3 14:35 ../
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   61 May  3 14:35 log
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0 6677 May  3 14:35 log.json
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   25 May  3 14:35 stderr
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   25 May  3 14:35 stdin
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   25 May  3 14:35 stdout
-r--------. 1 root root unconfined_u:object_r:var_log_t:s0   42 May  3 14:35 timing
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   25 May  3 14:35 ttyin
-rw-------. 1 root root unconfined_u:object_r:var_log_t:s0   30 May  3 14:35 ttyout

Expected Results:  
Files created with sudo_log_t, per:

# restorecon -r -v /var/log/sudo*
Relabeled /var/log/sudo-io from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01 from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/ttyin from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/stdin from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/stderr from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/timing from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/log from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/stdout from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/log.json from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/00/00/01/ttyout from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0
Relabeled /var/log/sudo-io/seq from unconfined_u:object_r:var_log_t:s0 to unconfined_u:object_r:sudo_log_t:s0

Also, the debug logs are created with var_log_t, but restorecon doesn't change their type.  But unsure if they should really have sudo_log_t as well.
Comment 1 Aoife Moloney 2025-02-26 13:02:04 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.
Comment 2 Zdenek Pytela 2025-06-24 09:26:42 UTC 
See a similar ticket resolution:
https://github.com/fedora-selinux/selinux-policy/pull/1575
Comment 3 Fedora Update System 2025-08-05 07:55:49 UTC 
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23
Comment 4 Fedora Update System 2025-08-06 02:36:07 UTC 
FEDORA-2025-d93e219f23 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-d93e219f23`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-d93e219f23

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 5 Fedora Update System 2025-08-07 00:53:36 UTC 
FEDORA-2025-d93e219f23 (selinux-policy-42.4-1.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.