Description of problem:
The sysadm_u confined user cannot execute yum using sudo.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-14.fc31.noarch
selinux-policy-targeted-3.14.4-14.fc31.noarch

How reproducible:
always

Steps to Reproduce:
1. useradd user1 -Z sysadm_u
   passwd --stdin user1 <<< "user1"
   echo "user1 ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user1
   chmod 440 /etc/sudoers.d/user1
2. setsebool ssh_sysadm_login on
3. ssh user1@::1
   user1$ sudo yum check-update
   sudo: unable to execute /usr/bin/yum: Permission denied

Actual results:
sudo: unable to execute /usr/bin/yum: Permission denied

Expected results:
yum command output

Additional info:
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err
----
type=PROCTITLE msg=audit(04/29/19 08:15:05.399:553) : proctitle=sudo yum update
type=PATH msg=audit(04/29/19 08:15:05.399:553) : item=0 name=/usr/bin/yum inode=149458 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/29/19 08:15:05.399:553) : cwd=/home/user1
type=SYSCALL msg=audit(04/29/19 08:15:05.399:553) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x561f468d7e18 a1=0x561f468d0488 a2=0x561f468e0d80 a3=0x561f468c7e10 items=1 ppid=21398 pid=21400 auid=user1 uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=12 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(04/29/19 08:15:05.399:553) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_sudo_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process
commit 14bb58d7873f6df279799e88ed8a9e8766d69b8d (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 29 18:34:54 2019 +0200

    Remove role transition in rpm_run() interface to allow sysadm_r jump to rpm_t type. BZ(1704251)
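Added example, not part of the bug report or of selinux-policy: a Python parser for SELINUX_ERR records like the one quoted in the report. It compares invalid_context with scontext field by field; for the reported record only the role differs (sysadm_r became system_r). The function names and the second AVC line in the sample are constructed for illustration.

```python
import re

# Sample input: the SELINUX_ERR record from the report, followed by one
# constructed AVC line to show that unrelated records are skipped.
SAMPLE = """\
type=SELINUX_ERR msg=audit(04/29/19 08:15:05.399:553) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_sudo_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process
type=AVC msg=audit(04/29/19 08:16:00.000:554) : avc:  denied  { read } for pid=1 comm=example scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

FIELDS = ("user", "role", "type", "level")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.strip('"').split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    parts += [""] * (4 - len(parts))
    return dict(zip(FIELDS, parts))


def find_invalid_transitions(audit_text):
    """Return one finding per security_compute_sid failure in audit_text."""
    findings = []
    for line in audit_text.splitlines():
        if "type=SELINUX_ERR" not in line:
            continue
        kv = dict(KEY_VALUE.findall(line))
        if kv.get("op") != "security_compute_sid":
            continue
        if "invalid_context" not in kv or "scontext" not in kv:
            continue
        source = split_context(kv["scontext"])
        computed = split_context(kv["invalid_context"])
        # Fields where the computed context departs from the source context.
        changed = {f: (source[f], computed[f])
                   for f in FIELDS if source[f] != computed[f]}
        findings.append({"changed": changed,
                         "tcontext": kv.get("tcontext", ""),
                         "tclass": kv.get("tclass", "")})
    return findings


if __name__ == "__main__":
    for finding in find_invalid_transitions(SAMPLE):
        print(finding)
```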
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.
FEDORA-2019-64732fd6a5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5
selinux-policy-3.14.4-36.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5