Bug 1718814
| Summary: | Confined users not working with Cockpit sessions | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Lukas Vrabec <lvrabec> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | high | | |
| Version: | 8.1 | CC: | lvrabec, mjahoda, mmalik, mpitt, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-11-05 22:11:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1727382, 1778780 | | |
Comment 2
Milos Malik
2019-06-12 08:54:01 UTC

Hi Milos,

# dnf install cockpit cockpit-ws -y
# systemctl start cockpit.socket

and in browser: https://systemhostname:9090

The scenario reproduced on the unfixed version of selinux-policy triggers the following SELinux denials in enforcing mode:
----
type=PROCTITLE msg=audit(06/12/2019 07:17:51.730:383) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:17:51.730:383) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55701f2f9240 a1=0x55701f2f97f0 a2=0x55701f2f9420 a3=0x55701f2ef010 items=0 ppid=6390 pid=6394 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=7 comm=ssh-agent exe=/usr/bin/ssh-agent subj=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:17:51.730:383) : avc: denied { write } for pid=6394 comm=ssh-agent path=pipe:[39504] dev="pipefs" ino=39504 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:17:51.730:383) : avc: denied { write } for pid=6394 comm=ssh-agent path=pipe:[39503] dev="pipefs" ino=39503 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:17:51.730:383) : avc: denied { read } for pid=6394 comm=ssh-agent path=pipe:[39502] dev="pipefs" ino=39502 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
----
type=USER_AVC msg=audit(06/12/2019 07:17:51.782:384) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/12/2019 07:17:52.486:393) : proctitle=ssh-agent -a /run/user/1000/ssh-agent.RRFJ3Z
type=SYSCALL msg=audit(06/12/2019 07:17:52.486:393) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe327224c0 a2=0x6e a3=0x633c137c items=0 ppid=6408 pid=6410 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=7 comm=ssh-agent exe=/usr/bin/ssh-agent subj=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:17:52.486:393) : avc: denied { write } for pid=6410 comm=ssh-agent name=/ dev="tmpfs" ino=39728 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
The scenario reproduced on the unfixed version of selinux-policy triggers the following SELinux denials in permissive mode:
----
type=PROCTITLE msg=audit(06/12/2019 07:27:51.128:418) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:27:51.128:418) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7ffe1f2becf0 a3=0x0 items=0 ppid=6465 pid=6484 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=9 comm=bash exe=/usr/bin/bash subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:27:51.128:418) : avc: denied { ioctl } for pid=6484 comm=bash path=socket:[40959] dev="sockfs" ino=40959 ioctlcmd=TCGETS scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:27:51.129:419) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:27:51.129:419) : arch=x86_64 syscall=getpeername success=yes exit=0 a0=0x0 a1=0x7ffe1f2beee0 a2=0x7ffe1f2beedc a3=0x8 items=0 ppid=6465 pid=6484 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=9 comm=bash exe=/usr/bin/bash subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:27:51.129:419) : avc: denied { getattr } for pid=6484 comm=bash scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:27:55.281:420) : proctitle=/usr/bin/pkexec --disable-internal-agent cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:27:55.281:420) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7fac6ce81ae2 a1=0x7ffc5c9ee7c0 a2=0x7ffc5c9ee7c0 a3=0x55f98d6c9010 items=0 ppid=6484 pid=6530 auid=staff-user uid=staff-user gid=staff-user euid=root suid=root fsuid=root egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=9 comm=pkexec exe=/usr/bin/pkexec subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:27:55.281:420) : avc: denied { dac_read_search } for pid=6530 comm=pkexec capability=dac_read_search scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:27:55.899:423) : proctitle=/usr/bin/sudo -A cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:27:55.899:423) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TIOCGWINSZ a2=0x7ffeb3e09820 a3=0x5560635ae010 items=0 ppid=6484 pid=6551 auid=staff-user uid=staff-user gid=staff-user euid=root suid=root fsuid=root egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=9 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:27:55.899:423) : avc: denied { ioctl } for pid=6551 comm=sudo path=socket:[41421] dev="sockfs" ino=41421 ioctlcmd=TIOCGWINSZ scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=USER_AVC msg=audit(06/12/2019 07:27:56.615:425) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=6484 tpid=6540 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:27:56.739:426) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.92 spid=6540 tpid=6484 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:28:03.164:432) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=is_running dest=com.redhat.tuned spid=6484 tpid=718 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/12/2019 07:29:17.599:434) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:29:17.599:434) : arch=x86_64 syscall=shutdown success=yes exit=0 a0=0x3 a1=0x1 a2=0x55a5a1e26010 a3=0x0 items=0 ppid=6465 pid=6484 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=9 comm=cockpit-bridge exe=/usr/bin/cockpit-bridge subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:29:17.599:434) : avc: denied { shutdown } for pid=6484 comm=cockpit-bridge scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:29:17.619:436) : proctitle=/usr/libexec/cockpit-session localhost
type=SYSCALL msg=audit(06/12/2019 07:29:17.619:436) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x1946 a1=SIGTERM a2=0x0 a3=0x7f6de1acc020 items=0 ppid=6460 pid=6465 auid=staff-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=9 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:29:17.619:436) : avc: denied { signal } for pid=6465 comm=cockpit-session scontext=system_u:system_r:cockpit_session_t:s0 tcontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tclass=process permissive=1
----
The same scenario in enforcing mode for user_u user:
----
type=PROCTITLE msg=audit(06/12/2019 07:38:07.171:458) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:38:07.171:458) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x5584537ad240 a1=0x5584537ad7f0 a2=0x5584537ad420 a3=0x5584537a3010 items=0 ppid=8030 pid=8034 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=11 comm=ssh-agent exe=/usr/bin/ssh-agent subj=user_u:user_r:user_ssh_agent_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:38:07.171:458) : avc: denied { write } for pid=8034 comm=ssh-agent path=pipe:[46804] dev="pipefs" ino=46804 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:38:07.171:458) : avc: denied { write } for pid=8034 comm=ssh-agent path=pipe:[46803] dev="pipefs" ino=46803 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:38:07.171:458) : avc: denied { read } for pid=8034 comm=ssh-agent path=pipe:[46802] dev="pipefs" ino=46802 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
----
type=PROCTITLE msg=audit(06/12/2019 07:38:07.577:469) : proctitle=ssh-agent -a /run/user/1001/ssh-agent.2SCK3Z
type=SYSCALL msg=audit(06/12/2019 07:38:07.577:469) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffc7d2c9e20 a2=0x6e a3=0xc0e14d27 items=0 ppid=8049 pid=8051 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=11 comm=ssh-agent exe=/usr/bin/ssh-agent subj=user_u:user_r:user_ssh_agent_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:38:07.577:469) : avc: denied { write } for pid=8051 comm=ssh-agent name=/ dev="tmpfs" ino=47032 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
The same scenario in permissive mode for user_u user:
----
type=PROCTITLE msg=audit(06/12/2019 07:40:24.336:483) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:40:24.336:483) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56422a355240 a1=0x56422a3557f0 a2=0x56422a355420 a3=0x56422a34b010 items=0 ppid=8099 pid=8103 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=ssh-agent exe=/usr/bin/ssh-agent subj=user_u:user_r:user_ssh_agent_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:24.336:483) : avc: denied { write } for pid=8103 comm=ssh-agent path=pipe:[48197] dev="pipefs" ino=48197 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(06/12/2019 07:40:24.336:483) : avc: denied { read } for pid=8103 comm=ssh-agent path=pipe:[48196] dev="pipefs" ino=48196 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:24.341:484) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:40:24.341:484) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7fff4c3a40b0 a2=0x7fff4c3a40b0 a3=0x0 items=0 ppid=8099 pid=8103 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=ssh-agent exe=/usr/bin/ssh-agent subj=user_u:user_r:user_ssh_agent_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:24.341:484) : avc: denied { getattr } for pid=8103 comm=ssh-agent path=pipe:[48197] dev="pipefs" ino=48197 scontext=user_u:user_r:user_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:24.688:494) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:40:24.688:494) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7fffc35bde80 a3=0x0 items=0 ppid=8099 pid=8118 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=bash exe=/usr/bin/bash subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:24.688:494) : avc: denied { ioctl } for pid=8118 comm=bash path=socket:[48146] dev="sockfs" ino=48146 ioctlcmd=TCGETS scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:24.689:495) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:40:24.689:495) : arch=x86_64 syscall=getpeername success=yes exit=0 a0=0x0 a1=0x7fffc35be070 a2=0x7fffc35be06c a3=0x8 items=0 ppid=8099 pid=8118 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=bash exe=/usr/bin/bash subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:24.689:495) : avc: denied { getattr } for pid=8118 comm=bash scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:29.676:497) : proctitle=/usr/bin/pkexec --disable-internal-agent cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:40:29.676:497) : arch=x86_64 syscall=stat success=yes exit=0 a0=0x7f2e0d042ae2 a1=0x7ffc5c3d47b0 a2=0x7ffc5c3d47b0 a3=0x55e679bb0010 items=0 ppid=8118 pid=8170 auid=user-user uid=user-user gid=user-user euid=root suid=root fsuid=root egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=pkexec exe=/usr/bin/pkexec subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:29.676:497) : avc: denied { dac_read_search } for pid=8170 comm=pkexec capability=dac_read_search scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:29.949:499) : proctitle=/usr/bin/sudo -A cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:40:29.949:499) : arch=x86_64 syscall=prlimit64 success=yes exit=0 a0=0x0 a1=0x6 a2=0x7fff0a8535a0 a3=0x0 items=0 ppid=8118 pid=8186 auid=user-user uid=user-user gid=user-user euid=root suid=root fsuid=root egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=sudo exe=/usr/bin/sudo subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:29.949:499) : avc: denied { sys_resource } for pid=8186 comm=sudo capability=sys_resource scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=capability permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:29.959:500) : proctitle=/usr/bin/sudo -A cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:40:29.959:500) : arch=x86_64 syscall=openat success=yes exit=8 a0=0xffffff9c a1=0x5557bc2fccb0 a2=O_RDWR|O_CREAT a3=0x180 items=0 ppid=8118 pid=8186 auid=user-user uid=user-user gid=user-user euid=root suid=root fsuid=root egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=sudo exe=/usr/bin/sudo subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:29.959:500) : avc: denied { read write open } for pid=8186 comm=sudo path=/run/sudo/ts/user-user dev="tmpfs" ino=49753 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/12/2019 07:40:29.959:500) : avc: denied { create } for pid=8186 comm=sudo name=user-user scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(06/12/2019 07:40:29.959:500) : avc: denied { add_name } for pid=8186 comm=sudo name=user-user scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir permissive=1
type=AVC msg=audit(06/12/2019 07:40:29.959:500) : avc: denied { write } for pid=8186 comm=sudo name=ts dev="tmpfs" ino=18389 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:pam_var_run_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:29.959:501) : proctitle=/usr/bin/sudo -A cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:40:29.959:501) : arch=x86_64 syscall=fcntl success=yes exit=0 a0=0x8 a1=F_SETLKW a2=0x7fff0a8530b0 a3=0x8 items=0 ppid=8118 pid=8186 auid=user-user uid=user-user gid=user-user euid=root suid=root fsuid=root egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=sudo exe=/usr/bin/sudo subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:29.959:501) : avc: denied { lock } for pid=8186 comm=sudo path=/run/sudo/ts/user-user dev="tmpfs" ino=49753 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:pam_var_run_t:s0 tclass=file permissive=1
----
type=USER_AVC msg=audit(06/12/2019 07:40:31.174:503) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=8118 tpid=8181 scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:40:31.444:504) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.202 spid=8181 tpid=8118 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=user_u:user_r:user_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:40:36.719:510) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=is_running dest=com.redhat.tuned spid=8118 tpid=718 scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:40:36.852:511) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=unset uid=root gid=user-user path=/usr/lib/systemd/system/timedatex.service cmdline="cockpit-bridge" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service permissive=1 exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/12/2019 07:40:44.990:512) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:40:44.990:512) : arch=x86_64 syscall=shutdown success=yes exit=0 a0=0x3 a1=0x1 a2=0x558111d1e010 a3=0x0 items=0 ppid=8099 pid=8118 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=13 comm=cockpit-bridge exe=/usr/bin/cockpit-bridge subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:44.990:512) : avc: denied { shutdown } for pid=8118 comm=cockpit-bridge scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:40:45.009:514) : proctitle=/usr/libexec/cockpit-session localhost
type=SYSCALL msg=audit(06/12/2019 07:40:45.009:514) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x1fa8 a1=SIGTERM a2=0x0 a3=0x7f38d89c0020 items=0 ppid=8095 pid=8099 auid=user-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=13 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:40:45.009:514) : avc: denied { signal } for pid=8099 comm=cockpit-session scontext=system_u:system_r:cockpit_session_t:s0 tcontext=user_u:user_r:user_ssh_agent_t:s0 tclass=process permissive=1
----
The same scenario in enforcing mode for sysadm_u user:
----
type=PROCTITLE msg=audit(06/12/2019 07:48:33.190:539) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:48:33.190:539) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55b7c8ffc240 a1=0x55b7c8ffc7f0 a2=0x55b7c8ffc420 a3=0x55b7c8ff2010 items=0 ppid=9655 pid=9659 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=15 comm=ssh-agent exe=/usr/bin/ssh-agent subj=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:48:33.190:539) : avc: denied { write } for pid=9659 comm=ssh-agent path=pipe:[54544] dev="pipefs" ino=54544 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:48:33.190:539) : avc: denied { write } for pid=9659 comm=ssh-agent path=pipe:[54543] dev="pipefs" ino=54543 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:48:33.190:539) : avc: denied { read } for pid=9659 comm=ssh-agent path=pipe:[54542] dev="pipefs" ino=54542 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
----
type=PROCTITLE msg=audit(06/12/2019 07:48:33.702:550) : proctitle=ssh-agent -a /run/user/1002/ssh-agent.7FEN3Z
type=SYSCALL msg=audit(06/12/2019 07:48:33.702:550) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffd1ea0e3e0 a2=0x6e a3=0x891c8421 items=0 ppid=9673 pid=9675 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=15 comm=ssh-agent exe=/usr/bin/ssh-agent subj=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:48:33.702:550) : avc: denied { write } for pid=9675 comm=ssh-agent name=/ dev="tmpfs" ino=54751 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
----
The same scenario in permissive mode for sysadm_u user:
----
type=PROCTITLE msg=audit(06/12/2019 07:52:14.928:564) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:52:14.928:564) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x556bd42e2240 a1=0x556bd42e27f0 a2=0x556bd42e2420 a3=0x556bd42d8010 items=0 ppid=9721 pid=9725 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=17 comm=ssh-agent exe=/usr/bin/ssh-agent subj=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:52:14.928:564) : avc: denied { write } for pid=9725 comm=ssh-agent path=pipe:[55954] dev="pipefs" ino=55954 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
type=AVC msg=audit(06/12/2019 07:52:14.928:564) : avc: denied { read } for pid=9725 comm=ssh-agent path=pipe:[55953] dev="pipefs" ino=55953 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:52:14.946:565) : proctitle=/usr/bin/ssh-agent
type=SYSCALL msg=audit(06/12/2019 07:52:14.946:565) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7ffefe25e980 a2=0x7ffefe25e980 a3=0x0 items=0 ppid=9721 pid=9725 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=17 comm=ssh-agent exe=/usr/bin/ssh-agent subj=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:52:14.946:565) : avc: denied { getattr } for pid=9725 comm=ssh-agent path=pipe:[55954] dev="pipefs" ino=55954 scontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:52:15.635:575) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:52:15.635:575) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x0 a1=TCGETS a2=0x7ffc58c05e20 a3=0x0 items=0 ppid=9721 pid=9740 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=17 comm=bash exe=/usr/bin/bash subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:52:15.635:575) : avc: denied { ioctl } for pid=9740 comm=bash path=socket:[55903] dev="sockfs" ino=55903 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:52:21.608:577) : proctitle=/usr/bin/sudo -A cockpit-bridge --privileged
type=SYSCALL msg=audit(06/12/2019 07:52:21.608:577) : arch=x86_64 syscall=ioctl success=no exit=ENOTTY(Inappropriate ioctl for device) a0=0x2 a1=TIOCGWINSZ a2=0x7ffd9bc967f0 a3=0x5579505a5010 items=0 ppid=9740 pid=9799 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=root suid=root fsuid=root egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=17 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:52:21.608:577) : avc: denied { ioctl } for pid=9799 comm=sudo path=socket:[56356] dev="sockfs" ino=56356 ioctlcmd=TIOCGWINSZ scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
----
type=USER_AVC msg=audit(06/12/2019 07:52:23.542:580) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=9740 tpid=9815 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:52:23.728:582) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.317 spid=9815 tpid=9740 scontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=USER_AVC msg=audit(06/12/2019 07:52:28.210:587) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.tuned.control member=is_running dest=com.redhat.tuned spid=9740 tpid=718 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:tuned_t:s0 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
----
type=PROCTITLE msg=audit(06/12/2019 07:52:48.133:588) : proctitle=/bin/bash -c exec cockpit-bridge
type=SYSCALL msg=audit(06/12/2019 07:52:48.133:588) : arch=x86_64 syscall=shutdown success=yes exit=0 a0=0x3 a1=0x1 a2=0x556a7e64a010 a3=0x0 items=0 ppid=9721 pid=9740 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=(none) ses=17 comm=cockpit-bridge exe=/usr/bin/cockpit-bridge subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/12/2019 07:52:48.133:588) : avc: denied { shutdown } for pid=9740 comm=cockpit-bridge scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(06/12/2019 07:52:48.149:590) : proctitle=/usr/libexec/cockpit-session localhost
type=SYSCALL msg=audit(06/12/2019 07:52:48.149:590) : arch=x86_64 syscall=kill success=yes exit=0 a0=0x25fe a1=SIGTERM a2=0x0 a3=0x7fd4008e6020 items=0 ppid=9717 pid=9721 auid=sysadm-user uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=17 comm=cockpit-session exe=/usr/libexec/cockpit-session subj=system_u:system_r:cockpit_session_t:s0 key=(null)
type=AVC msg=audit(06/12/2019 07:52:48.149:590) : avc: denied { signal } for pid=9721 comm=cockpit-session scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0-s0:c0.c1023 tclass=process permissive=1
----
*** Bug 1727902 has been marked as a duplicate of this bug. ***

Similarly to bug 1727887, this now works as "user_u", but not as "guest_u":

systemd[3133]: pam_unix(systemd-user:session): session opened for user unpriv by (uid=0)
kernel: audit: type=1400 audit(1572854232.617:12): avc: denied { signal } for pid=3133 comm="systemd" scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
systemd[1]: user: Failed with result 'protocol'.
systemd[1]: Failed to start User Manager for UID 1002.
cockpit-bridge[3140]: dbus-daemon didn't send us a dbus address; not installed?
kernel: audit: type=1400 audit(1572854232.689:13): avc: denied { listen } for pid=3140 comm="cockpit-bridge" laddr=127.0.0.1 lport=37385 scontext=guest_u:guest_r:guest_t:s0 tcontext=guest_u:guest_r:guest_t:s0 tclass=tcp_socket permissive=0
cockpit-bridge[3140]: couldn't get polkit authority: Error initializing authority: Could not connect: Permission denied
cockpit-bridge[3140]: couldn't bind and listen to local ipv4 socket: could not listen: Permission denied

The first block is bug 1727887, the second this one.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547
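The audit dumps in Comment 2 are what a policy maintainer reduces to a handful of (source type, target type, class, permissions) tuples before deciding which allow rules the fix needs; the enforcing-mode run only shows the first access that aborts the flow (the ssh-agent pipe and socket-directory denials), so the same scenario is repeated in permissive mode to expose the accesses behind it. The script below is an added example for that triage step, not code from this bug report, from the selinux-policy package, or from audit2allow. It assumes `ausearch -i`-style lines as quoted above; the embedded sample is a constructed subset of those lines.

```python
"""Reduce SELinux AVC / USER_AVC denials to the per-(source type, target type,
class) permission sets a policy allow rule would have to cover.

Added example for triaging audit output like the dumps in this bug; it is not
part of selinux-policy or of audit2allow."""
import re
from collections import defaultdict

# Constructed sample in the `ausearch -i` format used in Comment 2 above
# (a subset of the staff_u lines; the PROCTITLE line shows that non-AVC
# records are skipped).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(06/12/2019 07:17:51.730:383) : proctitle=/usr/bin/ssh-agent
type=AVC msg=audit(06/12/2019 07:17:51.730:383) : avc: denied { write } for pid=6394 comm=ssh-agent path=pipe:[39504] dev="pipefs" ino=39504 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:17:51.730:383) : avc: denied { read } for pid=6394 comm=ssh-agent path=pipe:[39502] dev="pipefs" ino=39502 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=0
type=AVC msg=audit(06/12/2019 07:17:52.486:393) : avc: denied { write } for pid=6410 comm=ssh-agent name=/ dev="tmpfs" ino=39728 scontext=staff_u:staff_r:staff_ssh_agent_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(06/12/2019 07:27:51.128:418) : avc: denied { ioctl } for pid=6484 comm=bash path=socket:[40959] dev="sockfs" ino=40959 ioctlcmd=TCGETS scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(06/12/2019 07:27:56.615:425) : pid=652 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=com.redhat.SubscriptionManager.EntitlementStatus member=check_status dest=com.redhat.SubscriptionManager spid=6484 tpid=6540 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:rhsmcertd_t:s0-s0:c0.c1023 tclass=dbus permissive=1 exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?'
"""

# Works for kernel AVC records and for USER_AVC records from dbus-daemon,
# since both carry the same "avc: denied { perms } ... scontext= tcontext=
# tclass= permissive=" fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(text):
    """Extract one record per AVC/USER_AVC denial; other record types are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "stype": selinux_type(m["scontext"]),
            "ttype": selinux_type(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": frozenset(m["perms"].split()),
            # permissive=0 means the access was actually blocked.
            "enforced": m["permissive"] == "0",
        })
    return denials


def summarize(denials):
    """Merge denials into one entry per (stype, ttype, tclass) with the union of
    the denied permissions and whether any of them was blocked in enforcing mode."""
    merged = defaultdict(lambda: {"perms": set(), "enforced": False})
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        merged[key]["perms"] |= d["perms"]
        merged[key]["enforced"] |= d["enforced"]
    return dict(merged)


def format_allow_rules(summary):
    """Render the summary as candidate allow rules, one per key, with a marker
    saying whether the tuple was blocked in enforcing mode or only surfaced in
    permissive mode. Whether each rule is appropriate (rather than a dontaudit,
    a relabel, or a bug in the caller) is a judgement the policy author still
    has to make; a denial is not automatically something to allow."""
    rules = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        tag = "blocked in enforcing" if info["enforced"] else "seen only in permissive"
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};  # {tag}")
    return rules


if __name__ == "__main__":
    for rule in format_allow_rules(summarize(parse_denials(SAMPLE_AUDIT))):
        print(rule)
```

On a real host the input would be `ausearch -i -m AVC,USER_AVC -ts recent` rather than the embedded sample. One caveat when reproducing in permissive mode: accesses covered by dontaudit rules are still silent, so a clean permissive run does not prove the policy is complete unless dontaudit rules were disabled first with `semodule -DB` (and restored afterwards with `semodule -B`).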