Bug 1325364 - Confined administrators cannot run /bin/systemd-tmpfiles
Summary: Confined administrators cannot run /bin/systemd-tmpfiles
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-08 14:38 UTC by Dustin C. Hatch
Modified: 2018-04-10 12:23 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.13.1-190.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 12:22:45 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0763 0 None None None 2018-04-10 12:23:31 UTC

Description Dustin C. Hatch 2016-04-08 14:38:00 UTC 
Description of problem:
SELinux-confined users cannot run /bin/systemd-tmpfiles, because no policy rule exists to allow sysadm_t to execute files labeled systemd_tmpfiles_exec_t:

[dhatch@c7-1ea498 ~]$ sudo -r sysadm_r systemd-tmpfiles --create
sesh: unable to execute /bin/systemd-tmpfiles: Permission denied

type=AVC msg=audit(1460124637.840:85): avc:  denied  { execute } for  pid=873 comm="sesh" name="systemd-tmpfiles" dev="dm-0" ino=25553816 scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file

Administrators should be allowed to run this command to apply any changes they may have made to configuration in /etc/tmpfiles.d. 

Version-Release number of selected component (if applicable):
selinux-policy-mls-3.13.1-60.el7_2.3.noarch
Comment 4 Lukas Vrabec 2016-07-12 15:06:26 UTC 
Fixed in Fedora, we need to back port this.
Comment 12 errata-xmlrpc 2018-04-10 12:22:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
Note You need to log in before you can comment on or make changes to this bug.