Bug 1688887 - Cannot execute "sudo su" when user is confined to staff_u or sysadm_u
Summary: Cannot execute "sudo su" when user is confined to staff_u or sysadm_u
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
Priority: high
Severity: urgent
Target Milestone: rc
Target Release: 7.8
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-14 16:32 UTC by Renaud Métrich
Modified: 2023-09-07 19:49 UTC
CC: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1691351
Environment:
Last Closed: 2020-03-31 19:10:44 UTC
Target Upstream Version:
Embargoed:
john.shaw: needinfo-




Links
Red Hat Knowledge Base (Solution) 3988891: Cannot execute "sudo su" when user is confined to "staff_u" or "sysadm_u" (last updated 2019-03-14 17:08:54 UTC)
Red Hat Product Errata RHBA-2020:1007 (last updated 2020-03-31 19:11:04 UTC)

Description Renaud Métrich 2019-03-14 16:32:48 UTC
Description of problem:

When a user is confined to "staff_u" or "sysadm_u", executing "sudo su" fails with the following error:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sudo su
su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-229.el7_6.9.noarch


How reproducible:

Always


Steps to Reproduce:

1. Update system to latest 7.6

  # yum -y update

2. Create confined administrators with sudo capabilities

  # useradd -Z staff_u -G wheel staff
  # echo "staff" | passwd --stdin staff

  # useradd -Z sysadm_u -G wheel sysadm
  # echo "sysadm" | passwd --stdin sysadm
  # semanage boolean -m --on ssh_sysadm_login

3. Log in as "staff" and try to "sudo su". Do the same with "sysadm"

  # ssh staff@localhost
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023
  $ sudo su
  su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
  Aborted
  $ exit

  # ssh sysadm@localhost
  $ id -Z
  sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
  $ sudo su
  su: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
  Aborted
  $


Additional info:

The following module fixes the issue:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module staff_sysadm_sudo_su 1.0;

require {
	type security_t;	# selinuxfs (/sys/fs/selinux)
	type staff_sudo_t;	# sudo run from a staff_u login
	type sysadm_sudo_t;	# sudo run from a sysadm_u login
	type lastlog_t;		# /var/log/lastlog
	class passwd passwd;
	class netlink_selinux_socket { bind create };
	class file { open read write };
	class security compute_av;
}

# Update the last-login record and query access decisions through selinuxfs.
allow staff_sudo_t lastlog_t:file { open read write };
allow staff_sudo_t security_t:security compute_av;
allow sysadm_sudo_t lastlog_t:file { open read write };
allow sysadm_sudo_t security_t:security compute_av;

# Setting up the userspace AVC needs a netlink_selinux socket for policy-change
# notifications; 'passwd' is the userspace object class that libselinux's
# selinux_check_passwd_access() checks against the caller's own context.
allow staff_sudo_t self:netlink_selinux_socket { bind create };
allow staff_sudo_t self:passwd passwd;
allow sysadm_sudo_t self:netlink_selinux_socket { bind create };
allow sysadm_sudo_t self:passwd passwd;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 2 Renaud Métrich 2019-03-15 10:24:48 UTC
Updated proposed module:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
module sudo-bz1688887 1.0;

require {
    type security_t;        # selinuxfs (/sys/fs/selinux)
    attribute sudodomain;   # every *_sudo_t domain, so one rule covers staff_u and sysadm_u
    type lastlog_t;         # /var/log/lastlog
    class passwd passwd;
    class netlink_selinux_socket { bind create };
    class file { open read write };
    class security compute_av;
}

# Same four permissions as the first module, granted to the attribute instead of
# to staff_sudo_t and sysadm_sudo_t individually.
allow sudodomain lastlog_t:file { open read write };
allow sudodomain security_t:security compute_av;
allow sudodomain self:netlink_selinux_socket { bind create };
allow sudodomain self:passwd passwd;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 8 Zdenek Pytela 2019-04-05 15:56:24 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 9 Mason Loring Bliss 2019-07-05 19:09:49 UTC
Please reconsider this bug. I've attached a new case that's affected by this.

DISA STIG requires that all users be confined. BZ#1727379 indicates problems
with accessing sysadm_u accounts via graphical login and/or ssh.

To add to this bug, staff_u users cannot elevate privileges successfully with 
su or sudo. sudo comes deceptively close, but a user elevated with it cannot
access files with admin_home_t context, such as root rc files:

[testuser@dhcp-49-19 ~]$ sudo -i
-bash: /root/.bash_profile: Permission denied
-bash-4.2# ls -laZ .bash_profile
ls: cannot access .bash_profile: Permission denied
-bash-4.2# ls -laZ | head
ls: cannot access .bash_logout: Permission denied
ls: cannot access .bash_profile: Permission denied
ls: cannot access .bashrc: Permission denied
ls: cannot access .cshrc: Permission denied
ls: cannot access .tcshrc: Permission denied
ls: cannot access anaconda-ks.cfg: Permission denied
ls: cannot access .bash_history: Permission denied
ls: cannot access xorg-x11-server-Xdmx-1.20.1-5.3.el7_6.x86_64.rpm: Permission denied
ls: cannot access .lesshst: Permission denied
dr-xr-x---. root root system_u:object_r:admin_home_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..
?---------  ?    ?                                     anaconda-ks.cfg
?---------  ?    ?                                     .bash_history
?---------  ?    ?                                     .bash_logout
?---------  ?    ?                                     .bash_profile
?---------  ?    ?                                     .bashrc
drwx------. root root unconfined_u:object_r:cache_home_t:s0 .cache
drwxr-xr-x. root root unconfined_u:object_r:config_home_t:s0 .config
?---------  ?    ?                                     .cshrc

We need this to work for our existing customers, who use Red Hat because of
our compliance advantages, and RHEL 8 won't be an option for them for quite
some time in some cases.
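
The question behind comments 2, 12, 25 and 26 is whether the running policy actually grants the permissions in the proposed module. The script below is an added example, not code from the bug report or from the selinux-policy package: it asks the kernel security server, via compute_av from libselinux-utils, for each rule in the comment 2 module, writes a minimal .te module containing only the rules still denied, and separately reports whether the two confined login domains can read admin_home_t files (the denial shown in comment 9). It assumes the sudo domains are staff_sudo_t and sysadm_sudo_t as in the reporter's module, that contexts can be expressed at level s0, that a root shell reached from a staff_u login runs in the user's own domain (taken from refpolicy's sudo_role_template, not stated on this page), and that the file is saved as sudo_su_check.sh. The COMPUTE_AV override exists only so the parsing and generation logic can be exercised on a machine without SELinux.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): check which rules
# of the proposed module the running policy still lacks, and write a module
# that grants exactly those. Requires compute_av (libselinux-utils); building
# the result needs checkmodule and semodule_package.

# Access-decision command; overridable so the logic can run without SELinux.
COMPUTE_AV="${COMPUTE_AV:-compute_av}"

# av_allows OUTPUT PERM: succeed if PERM is listed on the 'allowed=' line of
# compute_av output, which looks like "allowed= { open read }" or "allowed= null".
av_allows() {
    printf '%s\n' "$1" | grep '^allowed=' | grep -qw -- "$2"
}

# missing_rules DOMAIN USER:ROLE: print "domain target class perm" for each rule
# of the comment-2 module that DOMAIN is not granted. 'self' is the domain itself.
# Contexts (staff_u:staff_r, sysadm_u:sysadm_r, level s0) are assumed from the report.
missing_rules() {
    dom="$1"; prefix="$2"
    printf '%s\n' \
        "lastlog_t file open" \
        "lastlog_t file read" \
        "lastlog_t file write" \
        "security_t security compute_av" \
        "self netlink_selinux_socket create" \
        "self netlink_selinux_socket bind" \
        "self passwd passwd" |
    while read -r tgt cls perm; do
        if [ "$tgt" = self ]; then tctx="$prefix:$dom:s0"
        else tctx="system_u:object_r:$tgt:s0"; fi
        out=$("$COMPUTE_AV" "$prefix:$dom:s0" "$tctx" "$cls" 2>/dev/null)
        av_allows "$out" "$perm" || printf '%s %s %s %s\n' "$dom" "$tgt" "$cls" "$perm"
    done
}

# emit_module NAME: read "domain target class perm" lines on stdin and print a
# loadable module granting exactly those rules. Rules are per concrete domain
# rather than the sudodomain attribute of comment 2, so only the domain that is
# actually denied is widened.
emit_module() {
    rules=$(cat)
    [ -n "$rules" ] || return 1
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" | awk '{ print "\ttype " $1 ";"; if ($2 != "self") print "\ttype " $2 ";" }' | sort -u
    printf '%s\n' "$rules" | awk '{ print $3, $4 }' | sort -u |
        awk '{ p[$1] = p[$1] " " $2 } END { for (c in p) printf "\tclass %s {%s };\n", c, p[c] }'
    printf '}\n\n'
    printf '%s\n' "$rules" | awk '{ print "allow " $1 " " $2 ":" $3 " " $4 ";" }'
}

main() {
    if ! command -v "$COMPUTE_AV" >/dev/null 2>&1; then
        echo "$COMPUTE_AV not found; install libselinux-utils" >&2
        return 2
    fi
    need=$(missing_rules staff_sudo_t staff_u:staff_r
           missing_rules sysadm_sudo_t sysadm_u:sysadm_r)
    if [ -z "$need" ]; then
        echo "running policy already grants every rule from the proposed module"
    else
        printf '%s\n' "$need" | emit_module sudo_su_local > sudo_su_local.te
        echo "missing rules written to sudo_su_local.te; review it, then:"
        echo "  checkmodule -M -m -o sudo_su_local.mod sudo_su_local.te"
        echo "  semodule_package -o sudo_su_local.pp -m sudo_su_local.mod"
        echo "  semodule -i sudo_su_local.pp"
    fi
    # Comment 9: assumed (refpolicy sudo_role_template) that the shell after
    # 'sudo -i' runs in the user's login domain, so report whether that domain
    # can read admin_home_t files such as /root/.bash_profile at all.
    for ctx in staff_u:staff_r:staff_t sysadm_u:sysadm_r:sysadm_t; do
        out=$("$COMPUTE_AV" "$ctx:s0" system_u:object_r:admin_home_t:s0 file 2>/dev/null)
        if av_allows "$out" read; then echo "$ctx: can read admin_home_t files"
        else echo "$ctx: cannot read admin_home_t files (root rc files, as in comment 9)"; fi
    done
}

# Run only when executed under the assumed file name, so the functions can be sourced.
if [ "${0##*/}" = sudo_su_check.sh ]; then main "$@"; fi
```

Run it as root on the affected host (`sh sudo_su_check.sh`). The generated module contains only rules the kernel currently denies, so on a system where comment 12 is right it writes nothing and says so; where comment 25 and 26 are right it leaves a small, reviewable .te in the current directory. The `-M` flag to checkmodule is needed because the RHEL 7 targeted policy is MLS-enabled (MCS), and the admin_home_t report is informational only: the usual answer there is to enter an administrative role rather than to widen staff_t.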

Comment 11 Zdenek Pytela 2019-08-13 15:19:51 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. The next minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

For possible workarounds, please refer to the attached knowledgebase article.

Comment 12 Zdenek Pytela 2019-08-13 15:43:27 UTC
Please disregard the previous comment and resolution, the requested permissions seem to have already been present in the current development package version as a result of other implemented changes.

Comment 24 errata-xmlrpc 2020-03-31 19:10:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1007

Comment 25 john.shaw 2023-03-20 22:09:06 UTC
This is not resolved. I have the same issue running RHEL 7.9.

Comment 26 Pete G 2023-04-27 10:59:18 UTC
(In reply to john.shaw from comment #25)
> This is not resolved. I have the same issue running RHEL 7.9.

Yes. We are still having this issue as well. RHEL 7.9

