Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Created attachment 1542910: AVC and USER_AVC seen after disabling dontaudit rules
Description of problem:
When an administrator is confined to staff_u, sudoing to root takes 25 seconds to complete after updating sudo to RHEL 7.6's (sudo-1.8.23-3.el7.x86_64, where it always goes through PAM).
Switching to permissive helps, but doesn't show any AVC/USER_AVC.
Only disabling dontaudit rules shows some AVCs, but they do not seem related to D-Bus (see attachment).
Version-Release number of selected component (if applicable):
sudo-1.8.23-3.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Update system to latest 7.6
# yum -y update
2. Create a confined administrator
# useradd -G wheel admin
# echo "admin" | passwd --stdin admin
# semanage login -a -s staff_u -r s0-s0:c0.c1023 admin
3. Log in as admin and try to sudo / sudo -i
# ssh admin@localhost
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ time sudo true ; echo $?
[sudo] password for admin: <admin>
Actual results:
real 0m25.106s
user 0m0.013s
sys 0m0.058s
Expected results:
A few millisecs
Additional info:
# grep pam_systemd /var/log/secure
Mar 11 14:48:20 vm-sudo7 sudo: pam_systemd(sudo:session): Failed to create session: Connection timed out
# cat my-sudo.te
module my-sudo 1.0;

require {
	type systemd_logind_sessions_t;
	type staff_sudo_t;
	class fifo_file write;
}

allow staff_sudo_t systemd_logind_sessions_t:fifo_file write;
Solves the issue.
I understand that sudo tries to push something to systemd-logind (session leader information???), otherwise the AVC makes all processes (systemd, dbus, logind, sudo) just wait on the D-Bus socket for 25 seconds.
Renaud,
I allowed this action for all these domains:
seinfo -xasudodomain
Type Attributes: 1
attribute sudodomain;
auditadm_sudo_t
dbadm_sudo_t
secadm_sudo_t
staff_sudo_t
sysadm_sudo_t
Thanks,
Lukas.
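As an added example (not code from the bug report or from Red Hat's policy), this is the audit2allow-style step behind both the reporter's my-sudo.te and the wider fix above: parse the AVC denials that `semodule -DB` makes visible and render a .te module in the same shape, one allow rule per source/target/class pair. The audit records are constructed for this example; the second denial from sysadm_sudo_t is made up to show how rules for several sudo domains merge into one module.

```python
import re

# Constructed sample audit records (not from the bug's attachment): the denial that
# the dontaudit rules hid until `semodule -DB`, a second one from another sudo domain,
# and a USER_AVC notice that is not a denial and must be ignored.
AUDIT_LINES = [
    'type=AVC msg=audit(1552312100.123:456): avc:  denied  { write } for  pid=2345 comm="sudo" '
    'path="/run/systemd/sessions/3.ref" dev="tmpfs" ino=31415 '
    'scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file permissive=0',
    'type=AVC msg=audit(1552312160.001:470): avc:  denied  { write } for  pid=2390 comm="sudo" '
    'path="/run/systemd/sessions/4.ref" dev="tmpfs" ino=31420 '
    'scontext=staff_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file permissive=0',
    "type=USER_AVC msg=audit(1552312100.130:457): pid=600 uid=81 auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received setenforce notice (enforcing=1)'",
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')

def parse_denials(lines):
    """Return (source type, target type, object class, perms) for each kernel AVC denial.
    The type is the third field of a user:role:type:level security context."""
    found = []
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            stype = m.group('s').split(':')[2]
            ttype = m.group('t').split(':')[2]
            found.append((stype, ttype, m.group('c'), frozenset(m.group('perms').split())))
    return found

def _perms(perms):
    """One permission bare, several inside braces, as checkmodule expects."""
    return next(iter(perms)) if len(perms) == 1 else '{ ' + ' '.join(sorted(perms)) + ' }'

def render_module(denials, name='my-sudo', version='1.0'):
    """Render a .te module in the shape of the reporter's my-sudo.te: one allow rule per
    (source, target, class) pair, permissions merged when a pair is denied repeatedly."""
    rules, classes = {}, {}
    for s, t, c, perms in denials:
        rules.setdefault((s, t, c), set()).update(perms)
        classes.setdefault(c, set()).update(perms)
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {c} {_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    out += [f'allow {s} {t}:{c} {_perms(p)};' for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(render_module(parse_denials(AUDIT_LINES)), end='')
```

The rendered module is built and loaded the usual way (checkmodule -M -m, semodule_package, semodule -i); review every generated rule against the denial it came from before loading, since a module written from denials alone grants exactly what was refused.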
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2019:2127