Bug 694031

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | enforcing MLS: userdel -r USERNAME causes AVCs | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Milos Malik <mmalik> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 6.1 | CC | dwalsh |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.7.19-110.el6 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-12-06 10:07:17 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 743047 | | |
Description
Milos Malik
2011-04-06 09:40:46 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

The output of audit2allow:

```
#============= useradd_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t auditd_t:dir search;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t kernel_t:dir search;
```

Miroslav, you need to add mls_process_read_to_clearance(useradd_t)

Fixed in selinux-policy-3.7.19-98.el6

Were you sitting in the audit directory when you ran this test?

No, I was sitting in the /root directory, but I'm able to reproduce it in /tmp as well.

```
[root@rhel62 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
[root@rhel62 ~]# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
[root@rhel62 ~]# cd /tmp
[root@rhel62 tmp]# useradd pokus
[root@rhel62 tmp]# userdel -rf pokus
[root@rhel62 tmp]# ausearch -m avc -m user_avc -ts recent -i | audit2allow
#============= useradd_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t audisp_t:dir search;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t auditd_t:dir search;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t kernel_t:dir search;
[root@rhel62 tmp]#
```

Miroslav, add domain_dontaudit_read_all_domains_state(useradd_t)

userdel is looking at all processes to see if a process with the user id it is deleting is running. Not sure what constraint it is failing on here since the userdel program is running with the full range.

Milos, can you run a process as the user that you are deleting at SystemHigh:

```
useradd testuser
login as testuser
newrole -l SystemHigh
```

As sysadm_t in another window execute userdel testuser and make sure userdel works properly, i.e. the same way in permissive mode as enforcing.

Fixed in selinux-policy-3.7.19-110.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html
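The two fixes named in the comments (mls_process_read_to_clearance and domain_dontaudit_read_all_domains_state for useradd_t) and the permissive-versus-enforcing check the reviewer asked for, as an added example that is not part of the bug report or of the selinux-policy package. It packages the two interface calls as a local policy module built with the refpolicy devel Makefile, counts audit2allow's constraint-violation notes over a constructed sample of the output shown above, and, when started with `--live` as root on an MLS box, loads the module and compares userdel behaviour in both modes. The module name (userdel_mls), the work directory and the account name are assumptions of this example, not values from the report; the actual errata shipped the change inside the base policy rather than as a separate module.

```shell
#!/bin/sh
# Added example (not from the bug report or the selinux-policy package).
# Module name, work directory and user name below are assumptions.

# Module source. A plain allow rule cannot satisfy an MLS constraint (the
# "constraint violation" note audit2allow prints); the interface grants the
# MLS attribute instead. The dontaudit interface silences the /proc scan
# userdel performs to find running processes of the user being removed.
userdel_mls_te() {
    cat <<'EOF'
policy_module(userdel_mls, 1.0)

gen_require(`
    type useradd_t;
')

mls_process_read_to_clearance(useradd_t)
domain_dontaudit_read_all_domains_state(useradd_t)
EOF
}

# Count constraint-violation notes in audit2allow output read from stdin.
# Prints 0 (and succeeds) when there are none.
count_constraint_violations() {
    grep -c 'This avc is a constraint violation' || true
}

# Constructed sample, copied from the audit2allow output quoted in the report.
SAMPLE_AUDIT2ALLOW='#============= useradd_t ==============
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t audisp_t:dir search;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t auditd_t:dir search;
#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.
#Contraint rule:
allow useradd_t kernel_t:dir search;'

# Build with the refpolicy Makefile (selinux-policy-devel) so the interface
# macros expand; checkmodule alone does not know them. Then load the module.
build_and_load_module() {
    workdir=${1:-/tmp/userdel_mls}
    mkdir -p "$workdir" && cd "$workdir" || return 1
    userdel_mls_te > userdel_mls.te
    make -f /usr/share/selinux/devel/Makefile userdel_mls.pp || return 1
    semodule -i userdel_mls.pp
}

# Acceptance check from the report: after userdel -rf the account and its
# home directory must both be gone.
userdel_cleanup_ok() {
    user=$1
    useradd "$user" || return 1
    userdel -rf "$user"
    ! id "$user" >/dev/null 2>&1 && ! [ -d "/home/$user" ]
}

# Run the check in permissive and enforcing mode and report the AVC count.
compare_modes() {
    user=${1:-pokus}
    orig=$(getenforce)
    setenforce 0; userdel_cleanup_ok "$user" && p=ok || p=FAIL
    setenforce 1; userdel_cleanup_ok "$user" && e=ok || e=FAIL
    [ "$orig" = Enforcing ] || setenforce 0
    echo "permissive: $p  enforcing: $e"
    n=$(ausearch -m avc -m user_avc -ts recent -i 2>/dev/null | audit2allow \
        | count_constraint_violations)
    echo "constraint violations still logged: $n"
    [ "$p" = ok ] && [ "$e" = ok ]
}

if [ "${1:-}" = "--live" ]; then
    # Needs root, an MLS policy and selinux-policy-devel installed.
    build_and_load_module && compare_modes pokus
else
    echo "constraint violations in constructed sample: $(printf '%s\n' "$SAMPLE_AUDIT2ALLOW" | count_constraint_violations)"
fi
```

Without `--live` the script only exercises the parser on the embedded sample (three violations, matching the quoted output). Once the module is loaded the count for a fresh userdel run should drop to 0, and the two mode checks should both print ok.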