Bug 1767721 - Confined users cannot query systemd journal when logged on console
Summary: Confined users cannot query systemd journal when logged on console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1767779
Reported: 2019-11-01 08:16 UTC by Zdenek Pytela
Modified: 2020-10-05 17:32 UTC (History)

Fixed In Version: selinux-policy-3.14.5-44.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-05 17:32:33 UTC
Type: Bug
Embargoed:


Description Zdenek Pytela 2019-11-01 08:16:23 UTC
Description of problem:
Confined users cannot query systemd journal when logged on console

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. A confined user user_u, staff_u, or sysadm_u logs in on a console
2. run journalctl

Actual results:
$ journalctl -l --user
<no output in enforcing mode>
AVCs audited in permissive mode:
----
type=PROCTITLE msg=audit(11/01/19 09:11:06.778:2636) : proctitle=journalctl -l --user 
type=PATH msg=audit(11/01/19 09:11:06.778:2636) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=273424 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/01/19 09:11:06.778:2636) : item=0 name=/usr/bin/journalctl inode=275732 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:journalctl_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/01/19 09:11:06.778:2636) : cwd=/home/sysadm 
type=EXECVE msg=audit(11/01/19 09:11:06.778:2636) : argc=3 a0=journalctl a1=-l a2=--user 
type=SYSCALL msg=audit(11/01/19 09:11:06.778:2636) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x55e0e5d55070 a1=0x55e0e5d515f0 a2=0x55e0e5d59850 a3=0x8 items=2 ppid=35872 pid=35913 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=tty5 ses=210 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/01/19 09:11:06.778:2636) : avc:  denied  { read write } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(11/01/19 09:11:06.812:2637) : proctitle=journalctl -l --user 
type=SYSCALL msg=audit(11/01/19 09:11:06.812:2637) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x1 a1=TCGETS a2=0x7fffe232dc30 a3=0x0 items=0 ppid=35872 pid=35913 auid=sysadm uid=sysadm gid=sysadm euid=sysadm suid=sysadm fsuid=sysadm egid=sysadm sgid=sysadm fsgid=sysadm tty=tty5 ses=210 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/01/19 09:11:06.812:2637) : avc:  denied  { ioctl } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1 
Fri Nov  1 09:11:16 CET 2019

Expected results:
list of journal entries

Additional info:
These permissions are allowed:
allow journalctl_t user_devpts_t:chr_file { append getattr ioctl lock read write };

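An added example, not part of the bug report or of the selinux-policy project: the two AVC records above, run through a small parser that derives the allow rule they require and checks it against the rule quoted under "Additional info". The comparison makes the gap in the report visible: a console login's /dev/tty5 carries the user_tty_device_t type, while the existing rule only covers pseudo-terminals (user_devpts_t), so it never applies. The AVC lines and the existing rule are copied from the report; everything else is assumed for the illustration.

```python
"""Derive the allow rule a set of SELinux AVC denials would need and check it
against rules the policy already grants (audit2allow-style, reduced to the
essentials).  Example code added to this bug page, not project code."""
import re
from collections import defaultdict

# AVC records as printed by `ausearch -i`, copied from the bug report above.
AVC_LINES = [
    'type=AVC msg=audit(11/01/19 09:11:06.778:2636) : avc:  denied  { read write } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(11/01/19 09:11:06.812:2637) : avc:  denied  { ioctl } for  pid=35913 comm=journalctl path=/dev/tty5 dev="devtmpfs" ino=1047 ioctlcmd=TCGETS scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_tty_device_t:s0 tclass=chr_file permissive=1',
]

# Rule quoted in the report as already present in the policy (pty devices only).
EXISTING_RULE = "allow journalctl_t user_devpts_t:chr_file { append getattr ioctl lock read write };"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<tclass>\S+)\s+\{\s*(?P<perms>[^}]+?)\s*\};"
)


def context_type(ctx):
    """Return the type field of a context written as user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract (source type, target type, class, permissions) from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "source": context_type(m["scontext"]),
        "target": context_type(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": set(m["perms"].split()),
    }


def required_rules(lines):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            merged[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return {
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in merged.items()
    }


def parse_rule(rule):
    """Split an `allow src tgt:class { perms };` rule into its parts."""
    m = RULE_RE.match(rule.strip())
    return (m["src"], m["tgt"], m["tclass"], set(m["perms"].split()))


def uncovered(lines, existing_rules):
    """Return the denials no existing rule satisfies.

    A rule covers a denial only when source, target and class all match and
    every denied permission is granted; a rule for a different target type
    (user_devpts_t vs user_tty_device_t) contributes nothing.
    """
    granted = {(s, t, c): p for s, t, c, p in map(parse_rule, existing_rules)}
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source"], rec["target"], rec["tclass"])
        if rec["perms"] - granted.get(key, set()):
            out.append(rec)
    return out


if __name__ == "__main__":
    print("rules the denials require:", required_rules(AVC_LINES))
    print("denials not covered by the existing rule:",
          [(r["target"], sorted(r["perms"])) for r in uncovered(AVC_LINES, [EXISTING_RULE])])
```

The derived rule, `allow journalctl_t user_tty_device_t:chr_file { ioctl read write };`, is the raw-permission form of what the fix below grants through the userdom_use_inherited_user_tty() interface; in a real policy the interface is preferable to a hand-written rule because it tracks the permission set the user domain policy defines for inherited terminals rather than a snapshot of whatever happened to be audited.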
Comment 1 Ben Cotton 2020-02-11 17:49:43 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 3 Lukas Vrabec 2020-09-02 12:53:43 UTC
commit 16a9b53217387a5efc16b45cb25a610f4f72d957 (HEAD -> f32, origin/f32)
Author: Patrik Koncity <pkoncity>
Date:   Wed Sep 2 13:33:45 2020 +0200

    Allow journalctl to read and write to inherited user domain tty
    
    Add macro userdom_use_inherited_user_tty() to journalctl policy, which
    allows reading from and writing to an inherited user domain tty.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1767721

Comment 4 Fedora Update System 2020-10-02 07:03:41 UTC
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 5 Fedora Update System 2020-10-03 02:09:01 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-10-05 17:32:33 UTC
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.
