Bug 1767714 - SELinux denials when a confined user logs in
Summary: SELinux denials when a confined user logs in
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1767779
Reported: 2019-11-01 08:01 UTC by Zdenek Pytela
Modified: 2020-03-09 15:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-09 15:08:35 UTC
Type: Bug
Embargoed:



Description Zdenek Pytela 2019-11-01 08:01:50 UTC
Description of problem:
SELinux denials when a confined user user_u or staff_u logs in

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. A confined user logs in

Actual results:
AVCs audited:
----
type=PROCTITLE msg=audit(11/01/19 08:56:29.489:2527) : proctitle=(systemd) 
type=SYSCALL msg=audit(11/01/19 08:56:29.489:2527) : arch=x86_64 syscall=bpf success=yes exit=8 a0=BPF_PROG_LOAD a1=0x7ffec917c120 a2=0x70 a3=0x55cb9d79df70 items=0 ppid=1 pid=35538 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=user sgid=user fsgid=user tty=(none) ses=203 comm=systemd exe=/usr/lib/systemd/systemd subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_run } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1 
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_load } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1 
Fri Nov  1 08:56:34 CET 2019

In enforcing mode, only prog_load appears.

Expected results:
No avc

Additional info:
These permissions are allowed:
# sesearch -A -c bpf -p prog_load|grep -w -e user_t -e staff_t -e sysadm_t -e root -e unconfined_t -e guest_u -e xguest_u
allow sysadm_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow sysadm_t sysadm_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t unconfined_t:bpf { map_create map_read map_write prog_load prog_run };
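
The following is an added example, not part of the bug report or of selinux-policy. It parses AVC records in the `ausearch -i` format shown above, compares the denied permissions against the `allow` rules that `sesearch` listed in "Additional info", and prints the minimal rule the policy is missing, which is what `audit2allow` would produce. The audit lines and rule lines are constructed from the report; the function names (`parse_avcs`, `missing_permissions`, `suggest_rules`, `all_permissive`) are this example's own.

```python
"""Work out which SELinux allow rule a set of AVC denials needs.

Added example for the bug page; not selinux-policy or audit2allow code.
Input format is the `ausearch -i` output quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_run } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
type=AVC msg=audit(11/01/19 08:56:29.489:2527) : avc:  denied  { prog_load } for  pid=35538 comm=systemd scontext=user_u:user_r:user_t:s0 tcontext=user_u:user_r:user_t:s0 tclass=bpf permissive=1
"""

# Constructed sample: the bpf allow rules sesearch reported for the policy.
SAMPLE_RULES = """\
allow sysadm_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow sysadm_t sysadm_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow unconfined_t unconfined_t:bpf { map_create map_read map_write prog_load prog_run };
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)"
)
ALLOW_RE = re.compile(r"^allow (?P<src>\S+) (?P<tgt>\S+):(?P<cls>\S+) \{ (?P<perms>[^}]+) \};")


def context_type(ctx):
    """user_u:user_r:user_t:s0 -> user_t (the type is the third field)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """One dict per AVC record: verdict, perms, pid, comm, source/target type, class, permissive flag."""
    avcs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {}
        for token in m.group("fields").split():
            key, _, value = token.partition("=")
            fields[key] = value.strip('"')  # raw audit.log quotes comm="..."
        avcs.append({
            "verdict": m.group("verdict"),
            "perms": set(m.group("perms").split()),
            "pid": int(fields["pid"]),
            "comm": fields["comm"],
            "src": context_type(fields["scontext"]),
            "tgt": context_type(fields["tcontext"]),
            "cls": fields["tclass"],
            "permissive": fields.get("permissive") == "1",
        })
    return avcs


def parse_allow_rules(text):
    """Map (source type, target type, class) -> set of permissions the policy allows."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            rules[(m["src"], m["tgt"], m["cls"])] |= set(m["perms"].split())
    return rules


def missing_permissions(avcs, rules):
    """Aggregate denials per (src, tgt, cls) and subtract what the policy already grants."""
    wanted = defaultdict(set)
    for a in avcs:
        if a["verdict"] == "denied":
            wanted[(a["src"], a["tgt"], a["cls"])] |= a["perms"]
    missing = {}
    for key, perms in wanted.items():
        gap = perms - rules.get(key, set())
        if gap:
            missing[key] = gap
    return missing


def suggest_rules(missing):
    """Render the minimal allow rules in the form audit2allow prints them."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(missing.items())]


def all_permissive(avcs):
    """True when every denial was logged with permissive=1, i.e. the access went ahead anyway.
    That is why the report sees prog_run too: in enforcing mode the denied prog_load fails,
    so there is no loaded program for a later prog_run check."""
    return bool(avcs) and all(a["permissive"] for a in avcs)


if __name__ == "__main__":
    avcs = parse_avcs(SAMPLE_AUDIT)
    missing = missing_permissions(avcs, parse_allow_rules(SAMPLE_RULES))
    print("all denials in permissive mode:", all_permissive(avcs))
    for rule in suggest_rules(missing):
        print(rule)
```

Running it on the sample prints `allow user_t user_t:bpf { prog_load prog_run };`, i.e. the rule none of the listed `allow` lines provides for `user_t`. Substituting the `sysadm_t` context into the same AVC lines yields no suggestion, because the policy already grants those permissions to `sysadm_t`.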

Comment 1 Ben Cotton 2020-02-11 17:49:41 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 2 Zdenek Pytela 2020-03-09 15:14:45 UTC
Resolved with the following rawhide/base commit:

commit b1f64ef6da0d4cd5fa6f34358c945bf1e29c0780
Author: Lukas Vrabec <lvrabec>
Date:   Wed Nov 6 10:20:12 2019 +0100

    Allow users using template userdom_unpriv_user_template() to run bpf
    tool
    
    Resolves: rhbz#1769228

and is present in the policy since version 3.14.5-13.
