RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2030156 - SELinux denials { setgid } are triggered by sss_cache
Summary: SELinux denials { setgid } are triggered by sss_cache
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.6
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
: 2040256 2045905 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-12-08 06:10 UTC by Frank Liang
Modified: 2022-05-10 16:24 UTC (History)
8 users (show)

Fixed In Version: selinux-policy-3.14.3-90.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-05-10 15:15:45 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2022690 1 medium CLOSED avc: denied { setgid } for pid=3823 comm="sss_cache" capability=6 scontext=system_u:system_r:groupadd_t:s0 tcontext=syst... 2022-02-11 11:30:51 UTC
Red Hat Bugzilla 2039757 1 medium CLOSED denied setgid for sss_cache 2023-05-30 07:33:04 UTC
Red Hat Issue Tracker RHELPLAN-105096 0 None None None 2021-12-08 06:14:34 UTC
Red Hat Product Errata RHBA-2022:1995 0 None None None 2022-05-10 15:16:08 UTC

Description Frank Liang 2021-12-08 06:10:16 UTC 
Description of problem:
Found below denied error in RHEL-8.6.0-20211206.1 testing.

----
time->Sun Dec  5 06:45:40 2021
type=PROCTITLE msg=audit(1638686740.224:517): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1638686740.224:517): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=40377 pid=40383 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1638686740.224:517): avc:  denied  { setgid } for  pid=40383 comm="sss_cache" capability=6  scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0

RHEL Version:
RHEL-8.6(4.18.0-353.el8.x86_64)

How reproducible:
100%

Steps to Reproduce:
1.  Found in our regular nightly compose testing.

Actual results:
Found such error some times

Expected results:
No such error

Additional info:
- there is a similar bz in fedora bz#2022690
Comment 1 Frank Liang 2021-12-08 06:20:04 UTC 
This denied log appeared in RHEL-8.6.0-20211204.3 firstly according to our test history.
Comment 2 Milos Malik 2021-12-08 08:27:11 UTC 
I saw this SELinux denial a few times. It used to appear when a package, that brings a new user or group, was being installed. Unfortunately, I'm not able to reproduce it now.
Comment 3 Zdenek Pytela 2021-12-08 10:50:04 UTC 
Frank,

Do you happen to know which test command triggers this denial? The command is sss_cache, executed by groupadd.
Comment 4 Frank Liang 2021-12-08 12:41:43 UTC 
(In reply to Zdenek Pytela from comment #3)
> Frank,
> 
> Do you happen to know which test command triggers this denial? The command
> is sss_cache, executed by groupadd.

I am still looking for which command trigger this denial. Just reserved a beaker system with RHEL-8.6.0-20211207.2 BaseOS aarch64 selected.
After installation done, there are such denials. So I guess it is not our test triggered.
Comment 5 Zdenek Pytela 2021-12-08 13:38:07 UTC 
(In reply to Frank Liang from comment #4)
> I am still looking for which command trigger this denial. Just reserved a
> beaker system with RHEL-8.6.0-20211207.2 BaseOS aarch64 selected.
> After installation done, there are such denials. So I guess it is not our
> test triggered.

Note it actually can be the installation itself (dnf -> groupadd -> sss_cache, see #c2), we just don't currently have a reliable reproducer.
Comment 7 Milos Malik 2021-12-08 15:42:37 UTC 
Please notice that the SELinux denial contains "success=yes" even though it was logged in enforcing mode.
Comment 10 Milos Malik 2021-12-08 16:06:32 UTC 
For example the installation of the cyrus-sasl package triggers both SELinux denials (useradd_t and groupadd_t) because the sss_cache can be executed by different programs.
Comment 12 Zdenek Pytela 2021-12-22 21:42:47 UTC 
I've submitted a Fedora draft PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/979

The purpose yet needs to be clarified.
Comment 16 Florence Blanc-Renaud 2022-01-13 11:40:31 UTC 
*** Bug 2040256 has been marked as a duplicate of this bug. ***
Comment 17 Zdenek Pytela 2022-01-26 08:07:42 UTC 
*** Bug 2045905 has been marked as a duplicate of this bug. ***
Comment 18 Zdenek Pytela 2022-01-26 18:31:14 UTC 
To backport:

commit d33ccb64dee2f105b69d6ff5dd0b9d448c5fdbe1 (HEAD -> rawhide, tag: v35.12, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date:   Fri Jan 21 15:35:15 2022 +0100

    Fix badly indented used interfaces

    In policy is few badly indented used
    iterfaces in optional blocks. Correction
    of indentation of interface names.

commit bcc321f1719d252b205edf89f82f578c1c309eb0
Author: Patrik Koncity <pkoncity>
Date:   Fri Jan 21 15:27:04 2022 +0100

    Allow domain transition to sssd_t

    When installing some rpm packages, new users or
    groups are added to the system using
    the groupadd and useradd tools. Then the sss_cache
    file with the bin_t label is run and on this file
    groupadd and useradd want to setgid and this
    trigger SELinux denials. Label the sss_cache binary
    as sssd_exec_t and enabling the transition from
    groupadd_t and useradd_t to sssd_t. Sssd policy
    allowed setgid on this binary.

    Bugzilla:https://bugzilla.redhat.com/show_bug.cgi?id=2022690
Comment 19 Zdenek Pytela 2022-02-02 16:58:46 UTC 
2 more commits to backport:
25bdcfdf5 Allow domtrans to sssd_t and role access to sssd
d7ef9cf83 Creating interface sssd_run_sssd()
Comment 28 errata-xmlrpc 2022-05-10 15:15:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995
Note You need to log in before you can comment on or make changes to this bug.