Bug 2030156
| Summary: | SELinux denials { setgid } are triggered by sss_cache | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Frank Liang <xiliang> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.6 | CC: | leonfauster, linl, lvrabec, mmalik, myusuf, ssekidde, vkuznets, ymao |
| Target Milestone: | rc | Keywords: | AutoVerified, Triaged |
| Target Release: | 8.6 | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-90.el8 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-05-10 15:15:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This denied log first appeared in RHEL-8.6.0-20211204.3 according to our test history.

I saw this SELinux denial a few times. It used to appear when a package that brings a new user or group was being installed. Unfortunately, I'm not able to reproduce it now.

Frank,

Do you happen to know which test command triggers this denial? The command is sss_cache, executed by groupadd.

(In reply to Zdenek Pytela from comment #3)
> Frank,
>
> Do you happen to know which test command triggers this denial? The command
> is sss_cache, executed by groupadd.

I am still looking for which command triggers this denial. I just reserved a beaker system with RHEL-8.6.0-20211207.2 BaseOS aarch64 selected. After installation is done, there are such denials. So I guess it is not triggered by our test.

(In reply to Frank Liang from comment #4)
> I am still looking for which command triggers this denial. I just reserved a
> beaker system with RHEL-8.6.0-20211207.2 BaseOS aarch64 selected.
> After installation is done, there are such denials. So I guess it is not
> triggered by our test.

Note it actually can be the installation itself (dnf -> groupadd -> sss_cache, see #c2); we just don't currently have a reliable reproducer.

Please notice that the SELinux denial contains "success=yes" even though it was logged in enforcing mode.

For example, the installation of the cyrus-sasl package triggers both SELinux denials (useradd_t and groupadd_t) because sss_cache can be executed by different programs.

I've submitted a Fedora draft PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/979
The purpose still needs to be clarified.

*** Bug 2040256 has been marked as a duplicate of this bug. ***

*** Bug 2045905 has been marked as a duplicate of this bug. ***

To backport:
commit d33ccb64dee2f105b69d6ff5dd0b9d448c5fdbe1 (HEAD -> rawhide, tag: v35.12, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date: Fri Jan 21 15:35:15 2022 +0100
Fix badly indented used interfaces
In the policy there are a few badly indented used
interfaces in optional blocks. Correction
of indentation of interface names.
commit bcc321f1719d252b205edf89f82f578c1c309eb0
Author: Patrik Koncity <pkoncity>
Date: Fri Jan 21 15:27:04 2022 +0100
Allow domain transition to sssd_t
When installing some rpm packages, new users or
groups are added to the system using
the groupadd and useradd tools. Then the sss_cache
file with the bin_t label is run and on this file
groupadd and useradd want to setgid and this
triggers SELinux denials. Label the sss_cache binary
as sssd_exec_t and enable the transition from
groupadd_t and useradd_t to sssd_t. The sssd policy
allows setgid on this binary.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690
2 more commits to backport:
25bdcfdf5 Allow domtrans to sssd_t and role access to sssd
d7ef9cf83 Creating interface sssd_run_sssd()

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1995
Description of problem:
Found the below denied error in RHEL-8.6.0-20211206.1 testing.

----
time->Sun Dec 5 06:45:40 2021
type=PROCTITLE msg=audit(1638686740.224:517): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1638686740.224:517): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=40377 pid=40383 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1638686740.224:517): avc: denied { setgid } for pid=40383 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0

RHEL Version: RHEL-8.6 (4.18.0-353.el8.x86_64)

How reproducible:
100%

Steps to Reproduce:
1. Found in our regular nightly compose testing.

Actual results:
Found such errors sometimes

Expected results:
No such error

Additional info:
- there is a similar bz in fedora: bz#2022690
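As an added example (not code from this bug report, from the reporter, or from the selinux-policy project), the following Python script parses the three audit records from the description above, groups them by audit event id, decodes the hex-encoded proctitle that auditd emits when argv contains NUL separators, and flags the two things this report turns on: the setgid capability denial for sss_cache running in useradd_t or groupadd_t, and the "denied in enforcing mode, yet success=yes" combination pointed out in the comments. The sample records are the ones from the description reflowed one per line (the form ausearch prints); the domain and comm values used for classification come from the report; the function names and the record-per-line assumption are mine.

```python
"""Parse auditd PROCTITLE/SYSCALL/AVC records and triage SELinux denials.

Added example; the sample below is the event from this bug report,
reflowed one record per line. Assumes ausearch-style output where every
record carries msg=audit(<seconds>.<millis>:<serial>).
"""
import re
from collections import defaultdict

# Constructed sample input: the three records from the bug description.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1638686740.224:517): proctitle=7373735F6361636865002D5547
type=SYSCALL msg=audit(1638686740.224:517): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffffffffffff a1=0 a2=ffffffffffffffff a3=0 items=0 ppid=40377 pid=40383 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sss_cache" exe="/usr/sbin/sss_cache" subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1638686740.224:517): avc: denied { setgid } for pid=40383 comm="sss_cache" capability=6 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')  # the event id, e.g. 1638686740.224:517

# Source domains the report names as running sss_cache without a transition.
BUG_SOURCE_DOMAINS = ("useradd_t", "groupadd_t")


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains NULs; turn it back into text."""
    raw = bytes.fromhex(value)
    return raw.decode("utf-8", "replace").replace("\x00", " ")


def parse_audit(text):
    """Return {event_id: {record_type: fields}} for every record in text."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue                     # not an audit record, skip it
        raw = dict(KV_RE.findall(line))  # values still carry their quotes
        fields = {k: v.strip('"') for k, v in raw.items()}
        rtype = fields.pop("type")
        fields.pop("msg", None)
        avc = AVC_RE.search(line)
        if avc:
            fields["decision"] = avc.group(1)
            fields["perms"] = avc.group(2).split()
        # Only unquoted proctitle values are hex; quoted ones are already text.
        if rtype == "PROCTITLE" and not raw.get("proctitle", '"').startswith('"'):
            fields["proctitle"] = decode_proctitle(fields["proctitle"])
        events[m.group(1)][rtype] = fields
    return dict(events)


def domain_of(context):
    """The third field of an SELinux context is the type, e.g. useradd_t."""
    return context.split(":")[2]


def triage(event):
    """Summarise a denied AVC event; returns None when there is no denial."""
    avc = event.get("AVC")
    if not avc or avc.get("decision") != "denied":
        return None
    syscall = event.get("SYSCALL", {})
    result = {
        "source_domain": domain_of(avc["scontext"]),
        "tclass": avc["tclass"],
        "perms": avc["perms"],
        "comm": avc.get("comm"),
        "exe": syscall.get("exe"),
        "argv": event.get("PROCTITLE", {}).get("proctitle"),
        "enforcing": avc.get("permissive") == "0",
        "syscall_succeeded": syscall.get("success") == "yes",
    }
    # The pattern this bug describes: sss_cache inherits useradd_t/groupadd_t
    # (no domain transition) and is then refused CAP_SETGID.
    result["sss_cache_setgid_bug"] = (
        result["tclass"] == "capability"
        and "setgid" in result["perms"]
        and result["comm"] == "sss_cache"
        and result["source_domain"] in BUG_SOURCE_DOMAINS
    )
    # Worth surfacing separately: a denial logged in enforcing mode while the
    # syscall itself still reported success, exactly as in this report.
    result["denied_but_succeeded"] = result["enforcing"] and result["syscall_succeeded"]
    return result


if __name__ == "__main__":
    for event_id, event in parse_audit(SAMPLE_AUDIT).items():
        print(event_id, triage(event))
```

Run against real data, feed it the output of `ausearch -m AVC,SYSCALL,PROCTITLE -i` without `-i` (the script expects the raw, uninterpreted form shown in the description). When `sss_cache_setgid_bug` is true on a RHEL 8 host, the fix is the selinux-policy version named in "Fixed In Version" above; if `denied_but_succeeded` is true, do not read the denial as a failed operation, since the syscall completed.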