Created attachment 1542910 [details]
AVC and USER_AVC seen after disabling dontaudit rules

Description of problem:
When an administrator is confined to staff_u, sudoing to root takes 25 seconds to complete after updating sudo to RHEL 7.6's (sudo-1.8.23-3.el7.x86_64, where it always goes through PAM). Switching to permissive helps, but doesn't show any AVC/USER_AVC. Only disabling dontaudit rules shows some AVCs, but they do not seem related to D-Bus (see attachment).

Version-Release number of selected component (if applicable):
sudo-1.8.23-3.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Update system to latest 7.6
   # yum -y update
2. Create a confined administrator
   # useradd -G wheel admin
   # echo "admin" | passwd --stdin admin
   # semanage login -a -s staff_u -r s0-s0:c0.c1023 admin
3. Log in as admin and try sudo / sudo -i
   # ssh admin@localhost
   $ id -Z
   staff_u:staff_r:staff_t:s0-s0:c0.c1023
   $ time sudo true ; echo $?
   [sudo] password for admin: <admin>

Actual results:
real    0m25.106s
user    0m0.013s
sys     0m0.058s

Expected results:
A few milliseconds

Additional info:
# grep pam_systemd /var/log/secure
Mar 11 14:48:20 vm-sudo7 sudo: pam_systemd(sudo:session): Failed to create session: Connection timed out
25 seconds is a typical D-bus send message timeout.
# cat my-sudo.te
module my-sudo 1.0;

require {
	type systemd_logind_sessions_t;
	type staff_sudo_t;
	class fifo_file write;
}

allow staff_sudo_t systemd_logind_sessions_t:fifo_file write;

Solves the issue. I understand that sudo tries to push something to systemd-logind (session leader information???), otherwise the AVC makes all processes (systemd, dbus, logind, sudo) just wait on the D-Bus socket for 25 seconds.
Confirmed. The scenario works without any timeouts after applying the policy module written by Renaud.
Same applies to sysadm_u, sorry, missed it:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module my-sudo 1.0;

require {
	type systemd_logind_sessions_t;
	type staff_sudo_t;
	type sysadm_sudo_t;
	class fifo_file write;
}

allow staff_sudo_t systemd_logind_sessions_t:fifo_file write;
allow sysadm_sudo_t systemd_logind_sessions_t:fifo_file write;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Renaud, I allowed this action for all these domains:

seinfo -xasudodomain

Type Attributes: 1
   attribute sudodomain;
      auditadm_sudo_t
      dbadm_sudo_t
      secadm_sudo_t
      staff_sudo_t
      sysadm_sudo_t

Thanks,
Lukas.
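Generating the workaround module for all five sudodomain types listed above, surfacing the dontaudit-hidden denial, and building/loading the .pp, as an added example that is not from the bug report or its attachments. It assumes checkmodule, semodule_package, semodule and ausearch are installed on the host; gen_sudo_te is a hypothetical helper name.

```shell
#!/bin/bash
# Added example: build the my-sudo workaround for every sudodomain type named
# in the thread. Nothing below is taken from the RHEL policy sources.

# Types carrying the sudodomain attribute, as printed by seinfo above.
SUDO_DOMAINS="auditadm_sudo_t dbadm_sudo_t secadm_sudo_t staff_sudo_t sysadm_sudo_t"

# Print a .te module allowing each sudo domain to write logind's session FIFO.
gen_sudo_te() {
    printf 'module my-sudo 1.0;\n\nrequire {\n'
    printf '\ttype systemd_logind_sessions_t;\n'
    for d in $SUDO_DOMAINS; do
        printf '\ttype %s;\n' "$d"
    done
    printf '\tclass fifo_file write;\n}\n\n'
    for d in $SUDO_DOMAINS; do
        printf 'allow %s systemd_logind_sessions_t:fifo_file write;\n' "$d"
    done
}

# Count the allow rules in a .te read from stdin (sanity check on the output).
count_allow_rules() {
    grep -c '^allow '
}

# Surface the denial that dontaudit normally hides, then build and install
# the module. Run as the confined admin on the affected host.
install_workaround() {
    semodule -DB                      # disable dontaudit rules and rebuild
    time sudo true                    # reproduce: ~25 s before the fix
    ausearch -m AVC,USER_AVC -ts recent | grep -E 'sudo_t|fifo_file' || true
    semodule -B                       # restore dontaudit rules
    gen_sudo_te > my-sudo.te
    checkmodule -M -m -o my-sudo.mod my-sudo.te
    semodule_package -o my-sudo.pp -m my-sudo.mod
    semodule -i my-sudo.pp
    time sudo true                    # should now complete in milliseconds
}

if [ "${1:-}" = "install" ]; then
    install_workaround
fi
```

Invoke as `./my-sudo.sh install` on the affected host; without the argument the script only defines the functions, so `gen_sudo_te` can be called to inspect the generated policy first.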
Thanks, KCS updated accordingly.
Above-mentioned TC results show failures because the TC covers 2 bugs which are not fixed yet.
This bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1679745
*** Bug 1679745 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2127