Bug 1146987 - /bin/su returns segmentation fault for sysadm_r in SELinux policy MLS
Summary: /bin/su returns segmentation fault for sysadm_r in SELinux policy MLS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: beta
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1218420 1296594 1313485 1377248
Reported: 2014-09-26 13:57 UTC by Matus Marhefka
Modified: 2017-08-01 15:10 UTC (History)
CC List: 12 users

Fixed In Version: libselinux-2.5-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:10:10 UTC
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1861 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-08-01 17:50:24 UTC

Description Matus Marhefka 2014-09-26 13:57:51 UTC
Description of problem:
After changing role to sysadm_r and switching user to root, the /bin/su
command returns a segmentation fault. This happens only in the MLS SELinux
policy in enforcing mode (in permissive mode the segmentation fault does
not occur).

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             mls
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      28


Version-Release number of selected component (if applicable):
util-linux-2.23.2-16.el7.x86_64
util-linux-2.23.2-17.el7.x86_64


How reproducible:
100%


Steps to Reproduce:
# newrole -r sysadm_r
# /bin/su -
# /bin/su
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault
# id -Z
staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023


Actual results:
Segmentation fault

Expected results:
No segmentation fault

Comment 5 Petr Lautrbach 2016-01-18 09:11:20 UTC
Could you please provide AVCs in permissive mode? libselinux aborts itself as it's not able to create a netlink socket or a similar problem with the libselinux initialization.

Comment 6 Miroslav Grepl 2016-01-29 13:46:44 UTC
(In reply to Petr Lautrbach from comment #5)
> Could you please provide AVCs in permissive mode? libselinux aborts itself
> as it's not able to create a netlink socket or a similar problem with the
> libselinux initialization.

Yes, it looks like a policy issue.

Comment 7 Petr Lautrbach 2016-01-29 13:51:26 UTC
Probably two issues, one in policy, and the other one in libselinux/su which should abort instead of segfault.

Comment 14 Miroslav Vadkerti 2016-09-27 13:37:34 UTC
I see these events in audit log when doing '/bin/su -':

----
time->Tue Sep 27 15:36:08 2016
type=USER_AVC msg=audit(1474983368.352:2307): pid=10103 uid=0 auid=1000 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 msg='avc:  can't open netlink socket: 13 (Permission denied)  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
----
time->Tue Sep 27 15:36:08 2016
type=SYSCALL msg=audit(1474983368.351:2306): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=1 items=0 ppid=9996 pid=10103 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=24 comm="su" exe="/usr/bin/su" subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1474983368.351:2306): avc:  denied  { create } for  pid=10103 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tclass=netlink_selinux_socket
----
time->Tue Sep 27 15:36:08 2016
type=ANOM_ABEND msg=audit(1474983368.352:2308): auid=1000 uid=0 gid=0 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 pid=10103 comm="su" reason="memory violation" sig=6

Comment 21 Milos Malik 2017-05-02 08:11:55 UTC
The following rule is needed in both the targeted and MLS policies:

allow sysadm_su_t self:netlink_selinux_socket { bind create };

If the rule is not present, the scenario fails and triggers the following SELinux denials:
----
type=PROCTITLE msg=audit(05/02/2017 03:49:40.696:313) : proctitle=su -c id 
type=SYSCALL msg=audit(05/02/2017 03:49:40.696:313) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=netlink a1=SOCK_RAW a2=cbt a3=0x1 items=0 ppid=1515 pid=1521 auid=unknown(1000) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=4 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/02/2017 03:49:40.696:313) : avc:  denied  { create } for  pid=1521 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket 
----
type=PROCTITLE msg=audit(05/02/2017 03:55:37.090:374) : proctitle=su -c id 
type=SYSCALL msg=audit(05/02/2017 03:55:37.090:374) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffd8b77ed70 a2=0xc a3=0x1 items=0 ppid=1830 pid=1836 auid=unknown(1000) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=5 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(05/02/2017 03:55:37.090:374) : avc:  denied  { bind } for  pid=1836 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket 
----

The automated TC passes after loading the following local policy module:
# cat mypolicy.cil 
( allow sysadm_su_t sysadm_su_t ( netlink_selinux_socket ( create bind )))
#

# rpm -qa selinux-policy\*
selinux-policy-3.13.1-144.el7.noarch
selinux-policy-targeted-3.13.1-144.el7.noarch
selinux-policy-mls-3.13.1-144.el7.noarch
#
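As an added example (not part of the bug report, and not a Red Hat tool; audit2allow is the real tool for this job), the script below shows the mapping behind comment 21: it reads AVC records in both formats quoted on this page (the raw format from comment 14 and the `ausearch -i` interpreted format from comment 21), groups the denied permissions per source type, target type and class, and emits the resulting allow rule in Type Enforcement syntax (`allow sysadm_su_t self:netlink_selinux_socket { bind create };`) and in the CIL form used in mypolicy.cil. It also flags the failure mode from comment 14: a process that hits a denial and then shows up in an ANOM_ABEND record, which is how the su crash looks in the audit log. The sample records are constructed from the lines quoted above; all function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the audit lines quoted in comments 14 and 21
# of this bug: one raw AVC + USER_AVC + ANOM_ABEND sequence for the crashing su
# (pid 10103) and one interpreted-format AVC for the later bind denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1474983368.351:2306): avc:  denied  { create } for  pid=10103 comm="su" scontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 tclass=netlink_selinux_socket
type=USER_AVC msg=audit(1474983368.352:2307): pid=10103 uid=0 auid=1000 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 msg='avc:  can't open netlink socket: 13 (Permission denied)  exe="/usr/bin/su" sauid=0 hostname=? addr=? terminal=?'
type=ANOM_ABEND msg=audit(1474983368.352:2308): auid=1000 uid=0 gid=0 ses=24 subj=staff_u:sysadm_r:sysadm_su_t:s0-s15:c0.c1023 pid=10103 comm="su" reason="memory violation" sig=6
type=AVC msg=audit(05/02/2017 03:55:37.090:374) : avc:  denied  { bind } for  pid=1836 comm=su scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket
"""

# Matches both the raw and the `ausearch -i` interpreted AVC record layout.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=(?P<pid>\d+)"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# ANOM_ABEND is what the kernel/auditd emit when a process dies on a signal.
ABEND_RE = re.compile(
    r"type=ANOM_ABEND .*?pid=(?P<pid>\d+) comm=\"?(?P<comm>[^\" ]+)\"? .*?sig=(?P<sig>\d+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def collect_denials(text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials


def te_rule(src, tgt, cls, perms):
    """Type Enforcement syntax; source == target is written as 'self', as in comment 21."""
    target = "self" if src == tgt else tgt
    return f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};"


def cil_rule(src, tgt, cls, perms):
    """CIL syntax with the target type spelled out, as in the mypolicy.cil of comment 21."""
    return f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"


def suggested_rules(text):
    """One (TE, CIL) rule pair per (source, target, class) seen in the denials."""
    return [(te_rule(*k, p), cil_rule(*k, p)) for k, p in sorted(collect_denials(text).items())]


def crashed_after_denial(text):
    """Map pid -> (comm, signal) for processes that were denied and then aborted.

    This is the detection view of the bug: an AVC denial on its own is a policy
    gap, but a denial followed by ANOM_ABEND for the same pid means the program
    did not handle the failure (here libselinux's assertion in su).
    """
    denied_pids = set()
    crashes = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denied_pids.add(int(m["pid"]))
            continue
        m = ABEND_RE.search(line)
        if m and int(m["pid"]) in denied_pids:
            crashes[int(m["pid"])] = (m["comm"], int(m["sig"]))
    return crashes


if __name__ == "__main__":
    for te, cil in suggested_rules(SAMPLE_AUDIT):
        print(te)
        print(cil)
    for pid, (comm, sig) in crashed_after_denial(SAMPLE_AUDIT).items():
        print(f"pid {pid} ({comm}) aborted with signal {sig} after an AVC denial")
```

Feed it `ausearch -m AVC,USER_AVC,ANOM_ABEND -ts recent` output on a test machine to see the same grouping; the two denials from comment 21 collapse into the single `{ bind create }` rule, and the crash correlation only fires for pid 10103, whose ANOM_ABEND (sig=6, SIGABRT from the assertion) follows its denial.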

Comment 24 errata-xmlrpc 2017-08-01 15:10:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

