| Summary: | w command executed as staff_u under sudo produce AVC | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Karel Srot <ksrot> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.1 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-04-29 14:00:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I forgot to mention that { sys_ptrace } appears even if allow_ptrace is on.
staff_t is not a domain that can run as root. If you want to run as root you need to transition to a confined root role, like sysadm_t or unconfined_t. Or you can develop new ones like webadm_t. echo 'testuser ALL = (root) ROLE=sysadm_r TYPE=sysadm_t ALL' >> /etc/sudoers Will cause your staff_r:staff_t to transition to sysadm_r:sysadm_t when it runs through sudo. |
Description of problem: [root@dhcp-30-102 ~]# rpm -q sudo selinux-policy sudo-1.7.4p5-5.el6.x86_64 selinux-policy-3.7.19-87.el6.noarch 1. useradd -Z staff_u -m testuser 2. passwd testuser 3. echo 'testuser ALL = (root) ALL' >> /etc/sudoers 4. ssh testuser@localhost 5. sudo w 6. exit AVCs below appears in audit.log. 'w' executed without sudo doesn't produce AVC. time->Fri Apr 29 09:05:09 2011 type=SYSCALL msg=audit(1304060709.931:869): arch=c000003e syscall=0 success=yes exit=198 a0=4 a1=3192e118a0 a2=3ff a3=fffffffc items=0 ppid=8009 pid=8016 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=21 comm="w" exe="/usr/bin/w" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1304060709.931:869): avc: denied { sys_ptrace } for pid=8016 comm="w" capability=19 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=capability ---- time->Fri Apr 29 09:05:09 2011 type=SYSCALL msg=audit(1304060709.931:870): arch=c000003e syscall=0 success=yes exit=189 a0=4 a1=3192e118a0 a2=3ff a3=fffffffc items=0 ppid=8009 pid=8016 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=21 comm="w" exe="/usr/bin/w" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1304060709.931:870): avc: denied { sys_ptrace } for pid=8016 comm="w" capability=19 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=capability ---- time->Fri Apr 29 09:05:09 2011 type=SYSCALL msg=audit(1304060709.932:871): arch=c000003e syscall=62 success=no exit=-13 a0=a12 a1=0 a2=7b2d50 a3=fffffffc items=0 ppid=8009 pid=8016 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=21 comm="w" exe="/usr/bin/w" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1304060709.932:871): avc: denied { signull } for pid=8016 comm="w" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=process ---- time->Fri Apr 29 09:05:09 2011 type=SYSCALL msg=audit(1304060709.933:872): arch=c000003e syscall=62 success=no exit=-1 a0=cfd a1=0 a2=7bde60 a3=fffffffb items=0 ppid=8009 pid=8016 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=21 comm="w" exe="/usr/bin/w" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1304060709.933:872): avc: denied { kill } for pid=8016 comm="w" capability=5 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=capability ---- time->Fri Apr 29 09:05:09 2011 type=SYSCALL msg=audit(1304060709.933:873): arch=c000003e syscall=62 success=no exit=-13 a0=1f29 a1=0 a2=7c0ce0 a3=fffffffb items=0 ppid=8009 pid=8016 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=21 comm="w" exe="/usr/bin/w" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1304060709.933:873): avc: denied { signull } for pid=8016 comm="w" scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process ---- time->Fri Apr 29 09:05:09 2011 type=SYSCALL msg=audit(1304060709.933:874): arch=c000003e syscall=62 success=no exit=-1 a0=cfd a1=0 a2=7bef50 a3=fffffffa items=0 ppid=8009 pid=8016 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts9 ses=21 comm="w" exe="/usr/bin/w" subj=staff_u:staff_r:staff_t:s0 key=(null) type=AVC msg=audit(1304060709.933:874): avc: denied { kill } for pid=8016 comm="w" capability=5 scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_t:s0 tclass=capability