1727902 – SELinux restricted accounts cannot access polkit

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1727902 - SELinux restricted accounts cannot access polkit

Summary: SELinux restricted accounts cannot access polkit

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	8.2
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1727382 1778780
TreeView+	depends on / blocked

Reported:	2019-07-08 13:19 UTC by Martin Pitt
Modified:	2020-04-28 16:41 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.14.3-22.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 16:40:41 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:1773	0	None	None	None	2020-04-28 16:41:12 UTC

Description Martin Pitt 2019-07-08 13:19:28 UTC

Description of problem: Logging into Cockpit as a restricted SELinux user (i. e. not unconfined_u) currently does not work (bug 1727382). A part of that is that such users cannot talk to polkit, which makes it impossible to talk to a lot of system services such as udisks, systemd, timedated, NetworkManager, realmd, etc.


Version-Release number of selected component (if applicable):

systemd-239-15.el8.x86_64
selinux-policy-3.14.3-8.el8.noarch


How reproducible: Always


Steps to Reproduce:
1. Create a new user: useradd unpriv; echo 'unpriv:foobar' | chpasswd
2. Change it away from unconfined_u: semanage login -a -s guest_u unpriv
3. log in as that user with ssh: ssh unpriv@localhost
4. Try to access polkit: pkaction"
   (this just lists available action IDs, it does not really "do" anything)

Actual results:

Error getting authority: Error initializing authority: Could not connect: Permission denied

There are no SELinux nor any other messages in journalctl during this, so this got explicitly quiesced apparently?


Expected results: This is where I get a bit fuzzy - are users other than unconfined_u *expected* to only have a minimal bare-bones session? I. e. you would never have these use a desktop or Cockpit session, polkit, etc? I. e. is this by design or a bug?

Comment 2 Milos Malik 2019-07-09 06:26:46 UTC

Following SELinux denial appears in enforcing mode after removing the dontaudit rules:
----
type=PROCTITLE msg=audit(07/09/2019 02:25:56.197:345) : proctitle=pkaction 
type=SYSCALL msg=audit(07/09/2019 02:25:56.197:345) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7ffecd4b1ff0 a2=0x6e a3=0x0 items=0 ppid=4801 pid=4845 auid=unpriv uid=unpriv gid=unpriv euid=unpriv suid=unpriv fsuid=unpriv egid=unpriv sgid=unpriv fsgid=unpriv tty=pts1 ses=7 comm=pkaction exe=/usr/bin/pkaction subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(07/09/2019 02:25:56.197:345) : avc:  denied  { search } for  pid=4845 comm=pkaction name=dbus dev="tmpfs" ino=19407 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=0 
----

# rpm -qa selinux\* polkit\* | sort
polkit-0.115-6.el8.x86_64
polkit-libs-0.115-6.el8.x86_64
polkit-pkla-compat-0.1-12.el8.x86_64
selinux-policy-3.14.3-9.el8.noarch
selinux-policy-targeted-3.14.3-9.el8.noarch
#

Comment 3 Milos Malik 2019-07-09 06:29:10 UTC

Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(07/09/2019 02:27:26.683:348) : proctitle=pkaction 
type=SYSCALL msg=audit(07/09/2019 02:27:26.683:348) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x5 a1=0x7ffc73567e90 a2=0x6e a3=0x0 items=0 ppid=4801 pid=4851 auid=unpriv uid=unpriv gid=unpriv euid=unpriv suid=unpriv fsuid=unpriv egid=unpriv sgid=unpriv fsgid=unpriv tty=pts1 ses=7 comm=pkaction exe=/usr/bin/pkaction subj=guest_u:guest_r:guest_t:s0 key=(null) 
type=AVC msg=audit(07/09/2019 02:27:26.683:348) : avc:  denied  { connectto } for  pid=4851 comm=pkaction path=/run/dbus/system_bus_socket scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 
type=AVC msg=audit(07/09/2019 02:27:26.683:348) : avc:  denied  { write } for  pid=4851 comm=pkaction name=system_bus_socket dev="tmpfs" ino=19408 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file permissive=1 
type=AVC msg=audit(07/09/2019 02:27:26.683:348) : avc:  denied  { search } for  pid=4851 comm=pkaction name=dbus dev="tmpfs" ino=19407 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir permissive=1 
----
type=USER_AVC msg=audit(07/09/2019 02:27:26.684:349) : pid=604 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=4851 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(07/09/2019 02:27:26.686:350) : pid=604 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.3 spid=4851 tpid=622 scontext=guest_u:guest_r:guest_t:s0 tcontext=system_u:system_r:policykit_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(07/09/2019 02:27:26.686:351) : pid=604 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.43 spid=622 tpid=4851 scontext=system_u:system_r:policykit_t:s0 tcontext=guest_u:guest_r:guest_t:s0 tclass=dbus permissive=1  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 
----

Comment 4 Milos Malik 2019-07-09 06:31:58 UTC

This bug is not a duplicate of BZ#1718814, because the SELinux denials are completely different.

Comment 13 Martin Pitt 2019-11-04 07:46:08 UTC

I tested this on Fedora 31 and RHEL 8.2 nightly, and confirm that this works now. Thank you!

Comment 15 errata-xmlrpc 2020-04-28 16:40:41 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773

Note You need to log in before you can comment on or make changes to this bug.