Hide Forgot
Description of problem: Users with user context sysadm_u cannot log into graphical sessions, not can they evidently log in via ssh. Version-Release number of selected component (if applicable): Observed with RHEL 7.6. Untested on RHEL 8 as yet. How reproducible: useradd testuser semanage login -a -s sysadm_u testuser # try to log in via gdm or sshd Additional info: Customer is using DISA STIG, and cannot have unconfined users. Between this and other bugs that will be opened presently they cannot function.
Additional notes: The xdm_exec_bootloader boolean seems to impact the misbehaviour cosmetically.
Here is the output from "ausearch -m avc -m user_avc -i -ts today | audit2allow" gathered on my VM: #============= NetworkManager_t ============== allow NetworkManager_t systemd_resolved_t:dbus send_msg; #============= accountsd_t ============== allow accountsd_t sysadm_t:dbus send_msg; #============= boltd_t ============== allow boltd_t sysadm_t:dbus send_msg; #============= colord_t ============== allow colord_t sysadm_t:dbus send_msg; #============= rhsmcertd_t ============== allow rhsmcertd_t sysadm_t:dbus send_msg; #============= rtkit_daemon_t ============== allow rtkit_daemon_t sysadm_t:dbus send_msg; allow rtkit_daemon_t sysadm_t:process setsched; #============= sysadm_gkeyringd_t ============== allow sysadm_gkeyringd_t sysadm_t:unix_stream_socket connectto; allow sysadm_gkeyringd_t system_dbusd_t:dbus send_msg; allow sysadm_gkeyringd_t system_dbusd_t:unix_stream_socket connectto; allow sysadm_gkeyringd_t systemd_logind_t:dbus send_msg; #============= sysadm_t ============== allow sysadm_t accountsd_t:dbus send_msg; allow sysadm_t boltd_t:dbus send_msg; allow sysadm_t colord_t:dbus send_msg; allow sysadm_t rhsmcertd_t:dbus send_msg; allow sysadm_t rtkit_daemon_t:dbus send_msg; allow sysadm_t self:netlink_selinux_socket { bind create }; allow sysadm_t system_dbusd_t:dbus acquire_svc; #============= systemd_logind_t ============== allow systemd_logind_t sysadm_gkeyringd_t:dbus send_msg; Based on the list of suggested rules, I believe that important ones contain system_dbusd_t type and netlink_selinux_socket class. The rest of rules depend on what packages/services are installed/enabled.
Here is the local policy module which the problem on my VM: # cat mypolicy.cil ( allow sysadm_t sysadm_t ( dbus ( acquire_svc ))) ( allow sysadm_t sysadm_t ( netlink_selinux_socket ( bind create ))) ( allow sysadm_t system_dbusd_t ( dbus ( acquire_svc ))) ( allow sysadm_gkeyringd_t sysadm_t ( unix_stream_socket ( connectto ))) ( allow sysadm_gkeyringd_t system_dbusd_t ( dbus ( send_msg ))) ( allow sysadm_gkeyringd_t system_dbusd_t ( unix_stream_socket ( connectto ))) ( allow sysadm_gkeyringd_t systemd_logind_t ( dbus ( send_msg ))) ( allow systemd_logind_t sysadm_gkeyringd_t ( dbus ( send_msg ))) ( allow sysadm_gkeyringd_t sysadm_t ( dbus ( acquire_svc ))) # semodule -i mypolicy.cil # Now, I can successfully log into X session as sysadm_u user in enforcing mode.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1007