Bug 1767745 - Confined users trigger AVC denial when screen accesses wtmp
Summary: Confined users trigger AVC denial when screen accesses wtmp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 34
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1767779
 
Reported: 2019-11-01 10:10 UTC by Zdenek Pytela
Modified: 2021-05-04 01:00 UTC (History)

Fixed In Version: selinux-policy-34.4-1.fc34
Clone Of:
Environment:
Last Closed: 2021-05-04 01:00:44 UTC
Type: Bug
Embargoed:



Description Zdenek Pytela 2019-11-01 10:10:11 UTC
Description of problem:
Confined users trigger AVC denial when screen is run and tries to access wtmp

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-11.fc32.noarch

How reproducible:
always

Steps to Reproduce:
1. log in as a confined user user_u, staff_u, sysadm_t
2. execute screen or tmux

Actual results:
Screen/tmux is working, but wtmp is not updated
AVCs are logged

Expected results:
wtmp updated, no AVCs.

Additional info:

Comment 1 Zdenek Pytela 2019-11-01 10:12:20 UTC
List of denials gathered in permissive mode:
----
type=PROCTITLE msg=audit(1.11.2019 11:08:23.636:248) : proctitle=/usr/libexec/utempter/utempter add :tty5:S.0 
type=PATH msg=audit(1.11.2019 11:08:23.636:248) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=273424 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(1.11.2019 11:08:23.636:248) : item=0 name=/usr/libexec/utempter/utempter inode=275058 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(1.11.2019 11:08:23.636:248) : cwd=/home/user 
type=EXECVE msg=audit(1.11.2019 11:08:23.636:248) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:tty5:S.0 
type=SYSCALL msg=audit(1.11.2019 11:08:23.636:248) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fef73c6d000 a1=0x7ffe016d63f0 a2=0x7ffe016d7f38 a3=0x7fef739f4b80 items=2 ppid=1538 pid=1540 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=utmp sgid=utmp fsgid=utmp tty=(none) ses=6 comm=utempter exe=/usr/libexec/utempter/utempter subj=user_u:user_r:user_screen_t:s0 key=(null) 
type=AVC msg=audit(1.11.2019 11:08:23.636:248) : avc:  denied  { map } for  pid=1540 comm=utempter path=/usr/libexec/utempter/utempter dev="dm-0" ino=275058 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:utempter_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1.11.2019 11:08:23.636:248) : avc:  denied  { read open } for  pid=1540 comm=screen path=/usr/libexec/utempter/utempter dev="dm-0" ino=275058 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:utempter_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(1.11.2019 11:08:23.647:249) : proctitle=/usr/libexec/utempter/utempter add :tty5:S.0 
type=PATH msg=audit(1.11.2019 11:08:23.647:249) : item=0 name=/var/log/wtmp inode=130135 dev=fd:00 mode=file,664 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:wtmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(1.11.2019 11:08:23.647:249) : cwd=/home/user 
type=SYSCALL msg=audit(1.11.2019 11:08:23.647:249) : arch=x86_64 syscall=openat success=yes exit=7 a0=0xffffff9c a1=0x5615ecd42012 a2=O_WRONLY a3=0x0 items=1 ppid=1538 pid=1540 auid=user uid=user gid=user euid=user suid=user fsuid=user egid=utmp sgid=utmp fsgid=utmp tty=(none) ses=6 comm=utempter exe=/usr/libexec/utempter/utempter subj=user_u:user_r:user_screen_t:s0 key=(null) 
type=AVC msg=audit(1.11.2019 11:08:23.647:249) : avc:  denied  { open } for  pid=1540 comm=utempter path=/var/log/wtmp dev="dm-0" ino=130135 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 
type=AVC msg=audit(1.11.2019 11:08:23.647:249) : avc:  denied  { write } for  pid=1540 comm=utempter name=wtmp dev="dm-0" ino=130135 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1 

Likewise for staff_u and sysadm_u.

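A small triage script for the denials quoted in comment 1, added here as an example; it is not part of the bug report or of the selinux-policy package. It does what a policy maintainer does by hand (or with audit2allow) before deciding on a fix: pick the type=AVC records out of an audit dump, group the denied permissions by source type, target type and object class, and render the result as allow rules. The sample input is built from the records above (two non-AVC lines are included to show that they are skipped); the regex and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from comment 1 of this bug, plus a SYSCALL
# and a PATH record to show that non-AVC record types are ignored.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1.11.2019 11:08:23.636:248) : item=0 name=/usr/libexec/utempter/utempter inode=275058 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1.11.2019 11:08:23.636:248) : arch=x86_64 syscall=execve success=yes exit=0 comm=utempter exe=/usr/libexec/utempter/utempter subj=user_u:user_r:user_screen_t:s0 key=(null)
type=AVC msg=audit(1.11.2019 11:08:23.636:248) : avc:  denied  { map } for  pid=1540 comm=utempter path=/usr/libexec/utempter/utempter dev="dm-0" ino=275058 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:utempter_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1.11.2019 11:08:23.636:248) : avc:  denied  { read open } for  pid=1540 comm=screen path=/usr/libexec/utempter/utempter dev="dm-0" ino=275058 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:utempter_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1.11.2019 11:08:23.647:249) : avc:  denied  { open } for  pid=1540 comm=utempter path=/var/log/wtmp dev="dm-0" ino=130135 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1.11.2019 11:08:23.647:249) : avc:  denied  { write } for  pid=1540 comm=utempter name=wtmp dev="dm-0" ino=130135 scontext=user_u:user_r:user_screen_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
"""

# Matches the fields of an AVC record that matter for writing policy:
# verdict, permission set, source/target contexts, class, permissive flag.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(text):
    """Return one dict per AVC record found in an ausearch-style dump."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, CWD, ... records carry no verdict
        records.append({
            "verdict": m["verdict"],
            "perms": frozenset(m["perms"].split()),
            "scontext": m["scontext"],
            "tcontext": m["tcontext"],
            "tclass": m["tclass"],
            # permissive=1 means the access was logged but still allowed
            "permissive": m["permissive"] == "1",
        })
    return records


def type_of(context):
    """user_u:user_r:user_screen_t:s0 -> user_screen_t (third field)."""
    return context.split(":")[2]


def summarize(records):
    """Union of denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        needed[key] |= r["perms"]
    return {k: frozenset(v) for k, v in needed.items()}


def allow_rules(summary):
    """Render the summary as raw allow rules, the way audit2allow would."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def enforced_denials(records):
    """Denials that actually blocked an access (permissive=0 or absent)."""
    return [r for r in records if r["verdict"] == "denied" and not r["permissive"]]


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT)
    for rule in allow_rules(summarize(recs)):
        print(rule)
    print(f"{len(enforced_denials(recs))} of {len(recs)} denials were enforced")
```

Two things the output makes visible that a practitioner should weigh before pasting the rules into a policy module. First, every record carries permissive=1, consistent with comment 1 saying the denials were gathered in permissive mode, so this dump shows what screen needs rather than what was blocked. Second, the SYSCALL record shows the utempter helper still running as user_screen_t (subj=...), so the raw rules above would hand the screen domain itself write access to wtmp_t; a maintainer would normally prefer the helper to run in its own domain and confine the wtmp write there, which is a policy-design decision that this script cannot make for you.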
Comment 2 Ben Cotton 2020-02-11 17:49:50 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 4 Fedora Update System 2021-04-27 19:56:45 UTC
FEDORA-2021-8d26207af7 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-8d26207af7

Comment 5 Fedora Update System 2021-04-28 01:35:18 UTC
FEDORA-2021-8d26207af7 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-8d26207af7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-8d26207af7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-05-04 01:00:44 UTC
FEDORA-2021-8d26207af7 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

