Bug 1687452 - sudo'ing from confined staff_u user takes 25 seconds (d-bus timeout) then succeeds
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1679745
Depends On:
Blocks: 1688224
Reported: 2019-03-11 14:01 UTC by Renaud Métrich
Modified: 2019-08-06 12:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1688224
Environment:
Last Closed: 2019-08-06 12:53:24 UTC
Target Upstream Version:


Attachments
AVC and USER_AVC seen after disabling dontaudit rules (7.47 KB, text/plain), 2019-03-11 14:01 UTC, Renaud Métrich


Links
- Red Hat Knowledge Base (Solution) 3988771: RHEL7.6: sudo'ing from confined user "staff_u" or "sysadm_u" takes 25 seconds (d-bus timeout) then succeeds (last updated 2019-03-14 16:42:48 UTC)
- Red Hat Product Errata RHBA-2019:2127 (last updated 2019-08-06 12:53:36 UTC)

Description Renaud Métrich 2019-03-11 14:01:54 UTC
Created attachment 1542910 [details]
AVC and USER_AVC seen after disabling dontaudit rules

Description of problem:

When an administrator is confined to staff_u, sudoing to root takes 25 seconds to complete after updating sudo to RHEL 7.6's (sudo-1.8.23-3.el7.x86_64, where it always goes through PAM).

Switching to permissive helps, but doesn't show any AVC/USER_AVC.
Only disabling dontaudit rules shows some AVCs, but they do not seem related to D-Bus (see attachment).


Version-Release number of selected component (if applicable):

sudo-1.8.23-3.el7.x86_64


How reproducible:

Always


Steps to Reproduce:
1. Update system to latest 7.6

  # yum -y update

2. Create a confined administrator

  # useradd -G wheel admin
  # echo "admin" | passwd --stdin admin
  # semanage login -a -s staff_u -r s0-s0:c0.c1023 admin

3. Log as admin and try to sudo/sudo -i

  # ssh admin@localhost
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ time sudo true ; echo $?
  [sudo] password for admin: <admin>

Actual results:

  real	0m25.106s
  user	0m0.013s
  sys	0m0.058s

Expected results:

  A few millisecs

Additional info:

  # grep pam_systemd /var/log/secure
  Mar 11 14:48:20 vm-sudo7 sudo: pam_systemd(sudo:session): Failed to create session: Connection timed out

Comment 2 Milos Malik 2019-03-11 15:24:00 UTC
25 seconds is a typical D-bus send message timeout.

Comment 4 Renaud Métrich 2019-03-11 16:23:15 UTC
# cat my-sudo.te

module my-sudo 1.0;

require {
	type systemd_logind_sessions_t;
	type staff_sudo_t;
	class fifo_file write;
}

allow staff_sudo_t systemd_logind_sessions_t:fifo_file write;

Solves the issue.
I understand that sudo tries to push something to systemd-logind (session leader information???), otherwise the AVC makes all processes (systemd, dbus, logind, sudo) just wait on the D-Bus socket for 25 seconds.

Comment 5 Milos Malik 2019-03-11 16:40:49 UTC
Confirmed. The scenario works without any timeouts after applying the policy module written by Renaud.

Comment 12 Renaud Métrich 2019-03-14 15:45:41 UTC
Same applies to sysadm_u, sorry, missed it:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module my-sudo 1.0;

require {
	type systemd_logind_sessions_t;
	type staff_sudo_t;
	type sysadm_sudo_t;
	class fifo_file write;
}

allow staff_sudo_t systemd_logind_sessions_t:fifo_file write;
allow sysadm_sudo_t systemd_logind_sessions_t:fifo_file write;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 13 Lukas Vrabec 2019-03-15 08:53:28 UTC
Renaud,

I allowed this action for all these domains:

seinfo -xasudodomain 

Type Attributes: 1
   attribute sudodomain;
	auditadm_sudo_t
	dbadm_sudo_t
	secadm_sudo_t
	staff_sudo_t
	sysadm_sudo_t

Thanks,
Lukas.
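As an added example (not code from this bug, its attachment, or the selinux-policy package): a small Python script that does by hand what audit2allow would do, restricted to the case discussed here. It parses AVC denial records of the kind the reporter only saw after disabling dontaudit rules, keeps the ones whose source is one of the sudodomain types Lukas listed in comment 13 and whose target is systemd_logind_sessions_t, and emits a policy module of the same shape as the ones posted in comments 4 and 12. The audit lines are constructed for illustration (including one unrelated denial that must not be allowed); the SUDODOMAINS set and the hard-coded target type are taken from the comments above.

```python
import re
from collections import defaultdict

# Constructed sample audit records (illustrative, not the bug's attachment):
# the shape of the fifo_file denials that surface after `semodule -DB`
# disables dontaudit rules, plus one unrelated denial that a blanket
# audit2allow run would also turn into an allow rule.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1552312100.123:4567): avc:  denied  { write } for  pid=2468 comm="sudo" path="/run/systemd/sessions/7.ref" dev="tmpfs" ino=31337 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file permissive=0
type=SYSCALL msg=audit(1552312100.123:4567): arch=c000003e syscall=257 success=no exit=-13 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023
type=AVC msg=audit(1552312100.987:4571): avc:  denied  { write } for  pid=2470 comm="sudo" path="/run/systemd/sessions/8.ref" dev="tmpfs" ino=31340 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(1552312101.500:4580): avc:  denied  { write } for  pid=2499 comm="vi" path="/etc/hosts" dev="dm-0" ino=2222 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Types carrying the sudodomain attribute, as listed in comment 13.
SUDODOMAINS = frozenset({
    "auditadm_sudo_t", "dbadm_sudo_t", "secadm_sudo_t",
    "staff_sudo_t", "sysadm_sudo_t",
})

# One AVC record: "{ perm perm }" then scontext/tcontext/tclass fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Extract (source_type, target_type, tclass, perms) from each AVC denial."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((type_of(m["scontext"]), type_of(m["tcontext"]),
                            m["tclass"], frozenset(m["perms"].split())))
    return denials


def select_denials(denials, sources=SUDODOMAINS, target="systemd_logind_sessions_t"):
    """Keep only denials from a sudo domain against the logind sessions type.

    This is the review step audit2allow does not do for you: everything else
    in the log stays denied.
    """
    return [d for d in denials if d[0] in sources and d[1] == target]


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(denials, name="my-sudo", version="1.0"):
    """Render a .te policy module with one allow rule per (source, target, class)."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in denials:
        rules[(src, tgt, cls)] |= perms
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)  # the require block lists every perm used per class
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {fmt_perms(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {fmt_perms(rules[(s, t, c)])};"
              for (s, t, c) in sorted(rules)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_module(select_denials(parse_denials(SAMPLE_AUDIT_LOG))), end="")
```

Save the printed output as my-sudo.te and build and load it the usual way: `checkmodule -M -m -o my-sudo.mod my-sudo.te`, `semodule_package -o my-sudo.pp -m my-sudo.mod`, `semodule -i my-sudo.pp`. The denials themselves only become visible after `semodule -DB` (rebuild the policy without dontaudit rules); run `semodule -B` afterwards to put them back, since the extra audit noise is not something to leave on. The local module is a stopgap for hosts not yet on the selinux-policy build from the erratum linked above.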

Comment 14 Renaud Métrich 2019-03-15 10:05:32 UTC
Thanks, KCS updated accordingly.

Comment 20 Milos Malik 2019-03-28 13:53:50 UTC
Above-mentioned TC results show failures because the TC covers 2 bugs which are not fixed yet.

Comment 22 Gunnar Guðvarðarson 2019-04-23 17:54:36 UTC
This bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1679745

Comment 23 Jan Synacek 2019-04-24 05:39:20 UTC
*** Bug 1679745 has been marked as a duplicate of this bug. ***

Comment 25 errata-xmlrpc 2019-08-06 12:53:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127
