Bug 2031068 - Confined users mapped to "sysadm_u" or "staff_u" cannot manage PostgreSQL database
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1778780
Reported: 2021-12-10 12:48 UTC by Renaud Métrich
Modified: 2022-11-07 16:27 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-11-07 16:26:46 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+




Links:
Red Hat Issue Tracker: RHELPLAN-105374 (last updated 2021-12-10 12:52:42 UTC)
Red Hat Knowledge Base (Solution): 6582811 (last updated 2021-12-13 12:04:17 UTC)

Description Renaud Métrich 2021-12-10 12:48:34 UTC
Description of problem:

Because /var/lib/pgsql is labeled postgresql_db_t, confined users cannot sudo as "postgres" to manage the database:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

$ sudo -u postgres -i
sudo: unable to change directory to /var/lib/pgsql: Permission denied
sudo: unable to execute /bin/bash: Permission denied

--> doesn't become "postgres"


$ sudo -i
(root)# su - postgres
su: warning: cannot change directory to /var/lib/pgsql: Permission denied

(postgres) $

--> does become "postgres" but cannot do anything


$ sudo su - postgres
su: warning: cannot change directory to /var/lib/pgsql: Permission denied
-bash: /var/lib/pgsql/.bash_profile: Permission denied

(postgres) $

--> does become "postgres" but cannot do anything
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Same for users mapped to "sysadm_u".

No AVC is printed because of the dontaudit rules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#============= staff_sudo_t ==============
allow staff_sudo_t postgresql_db_t:dir search;

#============= staff_t ==============
allow staff_t postgresql_db_t:dir { getattr search };

#============= sysadm_su_t ==============
allow sysadm_su_t postgresql_db_t:dir search;

#============= sysadm_sudo_t ==============
allow sysadm_sudo_t postgresql_db_t:dir search;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8.noarch and RHEL7 policy


How reproducible:

Always

Comment 1 Zdenek Pytela 2022-06-06 11:12:13 UTC
This is how I understand the bz report: When a Linux user in the staff_r role becomes a Linux system administrator, but the role still is a role of a confined user and not a confined administrator, the user cannot access the postgres database home directory.

It does not seem to be a bug in selinux-policy. When the role changes to sysadm_r or dbadm_r on execution of the sudo command or when newrole with proper settings is used, the access is allowed. I can't see a reason for a confined user to access the db root or manage the database. All administration tasks should be done in any of SELinux administrator roles.

Closing this bz NOTABUG as a result.

Comment 2 Renaud Métrich 2022-06-06 15:02:34 UTC
Hi Zdenek,

Your assumption is incorrect; sorry, the description apparently was not clear enough.
The issue happens with staff_u (which is somewhat expected) but also with sysadm_u; see below:

#============= sysadm_su_t ==============
allow sysadm_su_t postgresql_db_t:dir search;

#============= sysadm_sudo_t ==============
allow sysadm_sudo_t postgresql_db_t:dir search;


The attached KCS https://access.redhat.com/solutions/6582811 shows workarounds, all of which force becoming unconfined_u, which is definitely not recommended.

Comment 4 Renaud Métrich 2022-06-09 09:32:50 UTC
I can confirm switching to the dbadm_r role doesn't work on either RHEL7 or RHEL8; this creates AVCs:


1. Adding "dbadm_r" role to existing "sysadm_u" user:

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # semanage user -m -R "sysadm_r dbadm_r" sysadm_u
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Logging in as "sysadm_u" and trying to sudo:

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  [sysadm@vm-postgresql7 ~]$ id -Z
  sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
  [sysadm@vm-postgresql7 ~]$ sudo -t dbadm_t -r dbadm_r -u postgres -i
  sudo: unable to execute /bin/bash: Permission denied
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AVCs in Permissive:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
time->Thu Jun  9 11:31:42 2022
type=PROCTITLE msg=audit(1654767102.223:680): proctitle=7375646F002D7400646261646D5F74002D7200646261646D5F72002D7500706F737467726573002D69
type=SYSCALL msg=audit(1654767102.223:680): arch=c000003e syscall=59 success=no exit=-13 a0=7f23cd756765 a1=55806072c310 a2=558060740eb0 a3=633a30732d30733a items=0 ppid=10601 pid=10603 auid=1001 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=pts0 ses=15 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1654767102.223:680): avc:  denied  { transition } for  pid=10603 comm="sudo" path="/usr/libexec/sudo/sesh" dev="dm-0" ino=346445 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:dbadm_r:dbadm_t:s0-s0:c0.c1023 tclass=process permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
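
Reading a denial like the one above by hand is error-prone: the interesting argv is hex-encoded in the PROCTITLE record and the refused role/type change is spread across the scontext and tcontext fields. The following script is an added example, not code from the bug report or from selinux-policy. It takes the three audit records quoted in this comment (embedded as constructed sample input), joins them by audit serial, decodes the proctitle back into argv and summarises which transition the policy refused. The field names are the standard Linux audit ones; the `ausearch` "time->" separator is skipped.

```python
"""Summarise SELinux AVC denials such as the one quoted in comment 4.

Added example: not part of the bug report or of selinux-policy.  The script joins
an AVC record with the SYSCALL and PROCTITLE records sharing its audit serial,
decodes the hex-encoded proctitle into argv, and reports the role and type change
that was refused.  SAMPLE_AUDIT is constructed input copied from comment 4.
"""
import re

SAMPLE_AUDIT = """\
time->Thu Jun  9 11:31:42 2022
type=PROCTITLE msg=audit(1654767102.223:680): proctitle=7375646F002D7400646261646D5F74002D7200646261646D5F72002D7500706F737467726573002D69
type=SYSCALL msg=audit(1654767102.223:680): arch=c000003e syscall=59 success=no exit=-13 a0=7f23cd756765 a1=55806072c310 a2=558060740eb0 a3=633a30732d30733a items=0 ppid=10601 pid=10603 auid=1001 uid=26 gid=26 euid=26 suid=26 fsuid=26 egid=26 sgid=26 fsgid=26 tty=pts0 ses=15 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1654767102.223:680): avc:  denied  { transition } for  pid=10603 comm="sudo" path="/usr/libexec/sudo/sesh" dev="dm-0" ino=346445 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:dbadm_r:dbadm_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

# One audit record: type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; a value is either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# avc:  denied  { perm1 perm2 } for ...
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')


def decode_proctitle(hexstr):
    """The kernel hex-encodes proctitle when argv contains NUL separators."""
    return [arg.decode('utf-8', 'replace') for arg in bytes.fromhex(hexstr).split(b'\0') if arg]


def parse_fields(body):
    """Turn the key=value part of a record into a dict (quotes stripped, proctitle as an argv list)."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if key == 'proctitle':
            fields[key] = [value.strip('"')] if value.startswith('"') else decode_proctitle(value)
        else:
            fields[key] = value.strip('"')
    return fields


def split_context(ctx):
    """user:role:type:range -> dict; the MLS/MCS range may itself contain colons."""
    user, role, type_, range_ = ctx.split(':', 3)
    return {'user': user, 'role': role, 'type': type_, 'range': range_}


def explain_denials(audit_text):
    """Group records by serial and return one summary dict per AVC record."""
    events = {}
    for line in audit_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # e.g. the 'time->' separator printed by ausearch
        event = events.setdefault(m['serial'], {'AVC': []})
        fields = parse_fields(m['body'])
        if m['type'] == 'AVC':
            avc = AVC_RE.search(m['body'])
            fields['result'] = avc['result']
            fields['perms'] = avc['perms'].split()
            event['AVC'].append(fields)
        else:
            event[m['type']] = fields

    summaries = []
    for serial, event in events.items():
        for avc in event['AVC']:
            src, dst = split_context(avc['scontext']), split_context(avc['tcontext'])
            # Role/type changes only make sense for process-class targets; for files the
            # target context carries object_r and the file type, not a transition target.
            is_proc = avc['tclass'] == 'process'
            summaries.append({
                'serial': serial,
                'argv': event.get('PROCTITLE', {}).get('proctitle', []),
                'exe': event.get('SYSCALL', {}).get('exe'),
                'result': avc['result'],
                'perms': avc['perms'],
                'tclass': avc['tclass'],
                'source': avc['scontext'],
                'target': avc['tcontext'],
                'role_change': (src['role'], dst['role']) if is_proc and src['role'] != dst['role'] else None,
                'type_change': (src['type'], dst['type']) if is_proc and src['type'] != dst['type'] else None,
                # older kernels omit permissive=; treat a missing flag as enforcing
                'enforced': avc.get('permissive', '0') == '0',
            })
    return summaries


def format_summary(s):
    """One human-readable line per denial."""
    change = []
    if s['role_change']:
        change.append('role %s -> %s' % s['role_change'])
    if s['type_change']:
        change.append('type %s -> %s' % s['type_change'])
    return '[%s] %s %s on %s by %s (%s)%s' % (
        s['serial'], s['result'], ' '.join(s['perms']), s['tclass'],
        ' '.join(s['argv']) or s['exe'], ', '.join(change) or 'no context change',
        '' if s['enforced'] else ' [permissive]')


if __name__ == '__main__':
    for summary in explain_denials(SAMPLE_AUDIT):
        print(format_summary(summary))
```

For the case in the description, where dontaudit rules hide the denials, the records have to be produced first: `semodule -DB` rebuilds the policy with dontaudit rules disabled, `ausearch -m AVC -ts recent` then collects the raw records to feed into `explain_denials`, and `semodule -B` restores the normal policy afterwards.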

Comment 5 Zdenek Pytela 2022-08-09 15:20:11 UTC
Renaud,

Please follow the Procedure in the product documentation to set up sudo:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux#confining-an-administrator-using-sudo-and-the-sysadm_r-role_managing-confined-and-unconfined-users

just with sysadm substituted for dbadm. After the required semanage-user setting, e.g.

# semanage user -m -R "sysadm_r dbadm_r staff_r unconfined_r" staff_u

the user can get a shell or execute a command:
$ id
uid=1001(example) gid=1001(example) groups=1001(example),10(wheel) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ sudo /bin/id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:dbadm_r:dbadm_t:s0-s0:c0.c1023
$ sudo -i
-bash: /root/.bash_profile: Permission denied
# id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:dbadm_r:dbadm_t:s0-s0:c0.c1023

The sysadm role was designed to be used only with an administrative Linux account. It is also called the confined administrator, while staff is a confined user.
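
The procedure referred to above has two halves that must agree: the role set granted to the SELinux user with `semanage user -m -R`, and the `ROLE=`/`TYPE=` options in the sudoers entry. The following script is an added example, not part of selinux-policy, the RHEL documentation or this bug. It parses constructed samples of `semanage login -l`, `semanage user -l` (column layout as on RHEL 8, which is an assumption) and a sudoers fragment, and reports whether every role a sudoers entry requests is actually in the mapped SELinux user's role set, printing the `semanage user -m -R` command that would add it. Only single-line sudoers user specs of the form `user host=(runas) [TAG:] [ROLE=..] [TYPE=..] command` are understood; group (`%name`) and alias specs are parsed but not resolved.

```python
"""Pre-flight check for the sudo + SELinux role procedure referred to in comment 5.

Added example: not part of selinux-policy, the RHEL documentation or this bug.
Parses `semanage login -l`, `semanage user -l` and simple sudoers user specs, and
checks that each ROLE= a sudoers entry asks for is in the SELinux user's role set.
The samples below are constructed and mirror the scenario in comment 5.
"""
import re

SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
example              staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
"""

# Default staff_u role set before the fix (assumed RHEL 8 layout).
SEMANAGE_USER_BEFORE = """\

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
"""

# The same listing after: semanage user -m -R "sysadm_r dbadm_r staff_r unconfined_r" staff_u
SEMANAGE_USER_AFTER = SEMANAGE_USER_BEFORE.replace(
    'staff_r sysadm_r system_r unconfined_r', 'sysadm_r dbadm_r staff_r unconfined_r')

SUDOERS = """\
# constructed /etc/sudoers.d fragment
Defaults    requiretty
example     ALL=(ALL)  TYPE=dbadm_t ROLE=dbadm_r ALL
example     ALL=(ALL)  NOPASSWD: ROLE=sysadm_r TYPE=sysadm_t /usr/bin/systemctl
%wheel      ALL=(ALL)  ALL
"""

# user host=(runas) rest   (runas list optional)
SUDOERS_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$')


def parse_semanage_login(text):
    """Login name -> SELinux user, from `semanage login -l`."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == 'Login':
            continue
        mapping[parts[0]] = parts[1]
    return mapping


def parse_semanage_user(text):
    """SELinux user -> set of roles, from `semanage user -l` (roles start at column 5)."""
    roles = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ('Labeling', 'SELinux'):
            continue
        roles[parts[0]] = set(parts[4:])
    return roles


def parse_sudoers(text):
    """User specs as dicts; ROLE=/TYPE= and TAG: tokens are pulled out of the command part."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults') or '_Alias' in line:
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        entry = {'who': m['who'], 'host': m['host'], 'runas': m['runas'],
                 'role': None, 'type': None, 'tags': [], 'command': []}
        for tok in m['rest'].split():
            if tok.startswith('ROLE='):
                entry['role'] = tok[5:]
            elif tok.startswith('TYPE='):
                entry['type'] = tok[5:]
            elif tok.endswith(':') and tok[:-1].isupper():
                entry['tags'].append(tok[:-1])
            else:
                entry['command'].append(tok)
        entry['command'] = ' '.join(entry['command'])
        entries.append(entry)
    return entries


def check_sudo_roles(login, sudoers_text, semanage_user_text, semanage_login_text):
    """Return (status, entry, message) for each sudoers entry naming `login` directly."""
    logins = parse_semanage_login(semanage_login_text)
    roles_by_user = parse_semanage_user(semanage_user_text)
    seuser = logins.get(login, logins.get('__default__'))
    allowed = roles_by_user.get(seuser, set())
    findings = []
    for e in parse_sudoers(sudoers_text):
        if e['who'] != login:
            continue  # %group and alias specs are not resolved here
        if e['role'] is None:
            findings.append(('WARN', e, 'no ROLE= option: this entry relies on the policy default transition'))
        elif e['role'] in allowed:
            findings.append(('OK', e, f'{seuser} may enter {e["role"]}'))
        else:
            wanted = ' '.join(sorted(allowed | {e['role']}))
            findings.append(('FAIL', e, f'{e["role"]} is not in the role set of {seuser} '
                             f'({" ".join(sorted(allowed))}); fix with: semanage user -m -R "{wanted}" {seuser}'))
        # Heuristic only: the documented pairs are sysadm_r/sysadm_t and dbadm_r/dbadm_t.
        if e['role'] and e['type'] and e['type'] != e['role'][:-2] + '_t':
            findings.append(('WARN', e, f'TYPE={e["type"]} does not follow the <role>_t convention for ROLE={e["role"]}'))
    return findings


if __name__ == '__main__':
    for label, listing in (('before', SEMANAGE_USER_BEFORE), ('after', SEMANAGE_USER_AFTER)):
        for status, entry, msg in check_sudo_roles('example', SUDOERS, listing, SEMANAGE_LOGIN):
            print(f'{label}: {status:4} {entry["command"]:22} {msg}')
```

Run against the "before" listing the dbadm_r entry is reported as FAIL with the exact `semanage user -m -R` command to run; against the "after" listing both entries pass. On a real host the three inputs come from `semanage login -l`, `semanage user -l` and `visudo -c`-checked sudoers files.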

Comment 6 Zdenek Pytela 2022-11-07 16:26:46 UTC
I've just verified the documented scenario works in both RHEL 8 and 9 and also for both dbadm_r and sysadm_r roles, so closing the bz, but feel free to reach out to our team again in case of an outstanding issue.

