Bug 2039658 - Confined sysadm users cannot execute "service xxx status" command
Summary: Confined sysadm users cannot execute "service xxx status" command
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.9
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-01-12 07:47 UTC by Renaud Métrich
Modified: 2022-07-08 15:54 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-07-08 15:54:37 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Issue Tracker RHELPLAN-107530 (last updated 2022-01-12 07:55:01 UTC)

Description Renaud Métrich 2022-01-12 07:47:10 UTC
Description of problem:

Confined users mapped to sysadm_u SELinux user cannot execute "service xxx status" or "service xxx restart" commands, as shown in the examples below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[sysadm@vm-confined79 ~]$ service network status
env: /etc/init.d/network: Permission denied
[sysadm@vm-confined79 ~]$ service rhnsd status
env: /etc/init.d/rhnsd: Permission denied
[sysadm@vm-confined79 ~]$ service rhnsd restart
env: /etc/init.d/rhnsd: Permission denied
[sysadm@vm-confined79 ~]$ service network restart
env: /etc/init.d/network: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause is missing rules to allow the transition to initrc_t to happen when "service" internally executes the /etc/rc.d/init.d/xxx script.


Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-268.el7_9.2.noarch


How reproducible:

Always

Steps to Reproduce:
1. Map a user to sysadm_u
2. Try executing "service xxx status" commands (see description above)

Actual results:

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=AVC msg=audit(1641968146.839:743): avc:  denied  { entrypoint } for  pid=5391 comm="env" path="/etc/rc.d/init.d/network" dev="dm-0" ino=17429529 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Expected results:

No AVC and proper execution


Additional info:

Note that "service xxx status" can differ from "systemctl status xxx" for SysV initscripts: it is SysV initscript implementation-dependent, e.g. the "service network status" output is different from that of "systemctl status network".
Hence using "systemctl status xxx" cannot be considered a workaround.

The solution seems to be to allow the transition by adding the rule below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
init_all_labeled_script_domtrans(sysadm_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Please CONFIRM this is safe and the proper way to allow execution.

Comment 3 Zdenek Pytela 2022-07-08 15:54:37 UTC
Red Hat Enterprise Linux 7 shipped its final minor release on September 29th, 2020. RHEL 7.9 was the last scheduled minor release.
During Maintenance Support 2 Phase for Red Hat Enterprise Linux version 7, Red Hat defined Critical and Important impact Security Advisories (RHSAs) and selected (at Red Hat discretion) Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase

This BZ is being closed WONTFIX. Please re-open this request if it is critical for the customer and provide a thorough business justification.

As a workaround, the local policy module from comment#0 can be used.

Using this interface:
sysadm_t type will be allowed a transition to initrc_t on execution of any init_script_file_type script
if neither mls nor nnp/nosuid support is required.
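
The workaround from the description and comment 3 as an added example, not code from the bug report: a local policy module wrapping the proposed interface call, with build, load and verification steps. The module name local_sysadm_initrc, the working directory and the installed tools (selinux-policy-devel, setools-console, audit on RHEL 7, run as root) are assumptions.

```shell
# Added example, not from the bug report: wrap the proposed
# init_all_labeled_script_domtrans(sysadm_t) call in a local policy
# module, build and load it, then verify the rule and recent AVCs.
# Assumed: module name local_sysadm_initrc; RHEL 7 with
# selinux-policy-devel, setools-console and audit installed; run as root.
set -eu

MODULE=local_sysadm_initrc

# Write the type-enforcement source; gen_require() declares referenced types.
write_te() {
    local dir="$1"
    cat > "$dir/$MODULE.te" <<'EOF'
policy_module(local_sysadm_initrc, 1.0)

gen_require(`
    type sysadm_t;
')

# Per comment 3: sysadm_t may transition to initrc_t when executing any
# init_script_file_type script; not suitable where MLS or NNP/nosuid
# transition support is required.
init_all_labeled_script_domtrans(sysadm_t)
EOF
    echo "$dir/$MODULE.te"
}

# Compile with the policy development Makefile and load the module.
build_and_install() {
    local dir="$1"
    make -C "$dir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$dir/$MODULE.pp"
}

# The loaded policy should now hold a type_transition to initrc_t for
# sysadm_t executing initrc_exec_t files (the denied path in the AVC).
verify_rule() {
    sesearch -T -s sysadm_t -t initrc_exec_t -c process | grep -q 'initrc_t'
}

# Any "entrypoint" denials for env still logged in the last 10 minutes.
recent_avcs() {
    ausearch -m AVC -c env -ts recent || true
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d); write_te "$d"; build_and_install "$d"
    verify_rule && echo "transition rule present"; recent_avcs
fi
```

Run with `bash local_sysadm_initrc.sh run`; if verify_rule finds no rule, check `semodule -l` for the module before looking further.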

