Bug 2039662 - Confined sysadm users cannot execute "service xxx status" command
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.9
Assignee: Zdenek Pytela
QA Contact: Amith
URL:
Whiteboard:
Depends On:
Blocks: 1778780
Reported: 2022-01-12 08:01 UTC by Renaud Métrich
Modified: 2023-09-01 13:00 UTC
CC: 2 users

Fixed In Version: selinux-policy-3.14.3-116.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-01 13:00:39 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
GitHub fedora-selinux/selinux-policy pull 1174 (open): Allow sysadm user execute init scripts with a transition. Last updated 2022-05-03 18:14:43 UTC
GitHub fedora-selinux/selinux-policy pull 1597 (open): Allow sysadm_t run initrc_t script and role access. Last updated 2023-02-09 17:05:55 UTC
Red Hat Issue Tracker RHEL-1953 (Migrated). Last updated 2023-09-01 13:00:37 UTC
Red Hat Issue Tracker RHELPLAN-107533. Last updated 2022-01-12 08:07:11 UTC

Description Renaud Métrich 2022-01-12 08:01:01 UTC
This bug was initially created as a copy of Bug #2039658

I am copying this bug because: 

Also applies to RHEL8

Description of problem:

Confined users mapped to the sysadm_u SELinux user cannot execute "service xxx status" or "service xxx restart" commands, as shown in the examples below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[sysadm@vm-confined8 ~]$ service foo status
env: /etc/init.d/foo: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause is missing rules to allow the transition to initrc_t to happen when "service" internally executes the /etc/rc.d/init.d/xxx script.
Note: on RHEL7 (BZ #2039658) adding a rule was sufficient to make this work (see the "Additional info" in the BZ), but that doesn't seem to be the case on RHEL8.


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-80.el8_5.2.noarch


How reproducible:

Always

Steps to Reproduce:
1. Map a user to sysadm_u

2. Create a SysV initscript /etc/rc.d/init.d/foo

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
#
# foo: FOO SysV initscript
#
# chkconfig: 345 97 03

case "$1" in
start)
	echo "START called"
	;;
stop)
	echo "STOP called"
	;;
restart)
	echo "RESTART called"
	;;
status)
	echo "STATUS called"
	;;
reload)
	echo "RELOAD called"
	;;
*)
	exit 2
esac
exit 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

3. Make it executable and a proper SysV initscript

# chmod +x /etc/rc.d/init.d/foo
# restorecon -Fv /etc/rc.d/init.d/foo

4. Try executing "service foo status" command

Actual results:

No AVC, but Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
env: ‘/etc/init.d/foo’: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Expected results:

Proper execution


Additional info:

SysV initscripts are still supposed to work fine on RHEL8, per the note in /etc/rc.d/init.d/README.

Note that "service xxx status" can differ from "systemctl status xxx" for SysV initscripts: it depends on the SysV initscript implementation, e.g. the "service network status" output is different from "systemctl status network".
Hence using "systemctl status xxx" cannot be considered a workaround.

Comment 1 Milos Malik 2022-01-20 12:45:56 UTC
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(01/20/2022 07:43:25.363:384) : proctitle=env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin TERM=xterm-256color SYSTEMCTL_IGNORE_DEPENDENCIES= SYSTEMCTL_SKIP_REDIRECT= /etc/init. 
type=PATH msg=audit(01/20/2022 07:43:25.363:384) : item=0 name=/etc/init.d/foo inode=2346349 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/20/2022 07:43:25.363:384) : cwd=/ 
type=SYSCALL msg=audit(01/20/2022 07:43:25.363:384) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd7cce359b a1=0x7ffd7cce1a28 a2=0x56368373db60 a3=0x0 items=1 ppid=5461 pid=5468 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=env exe=/usr/bin/env subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(01/20/2022 07:43:25.363:384) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process 
----

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.913:387) : proctitle=/bin/sh /etc/init.d/foo status 
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=10111 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=1 name=/bin/sh inode=6292896 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=0 name=/etc/init.d/foo inode=2346349 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/20/2022 07:44:15.913:387) : cwd=/ 
type=EXECVE msg=audit(01/20/2022 07:44:15.913:387) : argc=3 a0=/bin/sh a1=/etc/init.d/foo a2=status 
type=SYSCALL msg=audit(01/20/2022 07:44:15.913:387) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc115c659b a1=0x7ffc115c5dd8 a2=0x5653a985eb60 a3=0x0 items=3 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/20/2022 07:44:15.913:387) : avc:  denied  { entrypoint } for  pid=5482 comm=env path=/etc/rc.d/init.d/foo dev="vda1" ino=2346349 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=1 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.913:387) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process 
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.916:388) : proctitle=/bin/sh /etc/init.d/foo status 
type=SYSCALL msg=audit(01/20/2022 07:44:15.916:388) : arch=x86_64 syscall=socket success=yes exit=3 a0=local a1=SOCK_STREAM a2=ip a3=0x6 items=0 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.917:389) : proctitle=/bin/sh /etc/init.d/foo status 
type=SYSCALL msg=audit(01/20/2022 07:44:15.917:389) : arch=x86_64 syscall=socket success=yes exit=3 a0=local a1=SOCK_STREAM a2=ip a3=0x6 items=0 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null) 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.917:389) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.917:389) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----

# rpm -qa selinux\* initscripts\* | sort
initscripts-10.00.15-1.el8.x86_64
selinux-policy-3.14.3-86.el8.noarch
selinux-policy-targeted-3.14.3-86.el8.noarch
#
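
The records in comment 1 show the mechanism rather than just the symptom: in the SELINUX_ERR line the role part of the context has already changed (sysadm_r to system_r) while the type part has not (sysadm_t stays), and a context whose type is not authorized for its role is rejected by security_compute_sid, which is why there is no AVC in enforcing mode. The Python below, added here as an example and not code from the reporter or from the selinux-policy project, parses those two records and then models the exec-time context computation with a hand-built policy table (an assumption containing only the role authorizations and transition rules needed to reproduce the records, not the real RHEL 8 policy) to show that adding the sysadm_t to initrc_t domain transition is what turns the invalid context into a valid one. The model generalizes the page's single case to any source context and entry type.

```python
"""Read the security_compute_sid records from comment 1 and model why the
computed context is invalid.

Added example for this bug page; not code from the reporter or from the
selinux-policy project.  The policy tables below are a hand-built model
(assumption) that holds only the role authorizations and transition rules
needed to reproduce the records on the page, not the real RHEL 8 policy.
"""
import re

# Audit records copied from comment 1 (enforcing and permissive runs).
SELINUX_ERR_ENFORCING = (
    "type=SELINUX_ERR msg=audit(01/20/2022 07:43:25.363:384) : "
    "op=security_compute_sid "
    "invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 "
    "scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process"
)
AVC_PERMISSIVE = (
    "type=AVC msg=audit(01/20/2022 07:44:15.913:387) : avc:  denied  "
    "{ entrypoint } for  pid=5482 comm=env path=/etc/rc.d/init.d/foo "
    'dev="vda1" ino=2346349 '
    "scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=1"
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*)\}")


def parse_record(line):
    """Return the key=value fields of one audit record as a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type); the MLS range is dropped."""
    user, role, typ = ctx.split(":", 3)[:3]
    return user, role, typ


def diagnose_compute_sid(line):
    """Explain a security_compute_sid SELINUX_ERR: compare scontext with the
    rejected invalid_context to see which transition rules fired."""
    rec = parse_record(line)
    if rec.get("op") != "security_compute_sid":
        raise ValueError("not a security_compute_sid record")
    _, src_role, src_type = split_context(rec["scontext"])
    _, new_role, new_type = split_context(rec["invalid_context"])
    return {
        "exec_type": split_context(rec["tcontext"])[2],
        "role_transition_fired": src_role != new_role,
        "type_transition_fired": src_type != new_type,
        "new_role": new_role,
        "new_type": new_type,
    }


def denied_entrypoint_domain(line):
    """For an AVC denying 'entrypoint' on a file, return the domain that tried
    to enter it.  In permissive mode that is the still-unchanged source type,
    which confirms that no domain transition took place."""
    rec = parse_record(line)
    m = PERMS_RE.search(line)
    perms = set(m.group(1).split()) if m else set()
    if "entrypoint" not in perms or rec.get("tclass") != "file":
        return None
    return split_context(rec["scontext"])[2]


# Policy model (assumption): which types each role may hold and which
# transition rules apply on execve.  sysadm_t is deliberately not in system_r.
ROLE_TYPES = {"sysadm_r": {"sysadm_t"}, "system_r": {"initrc_t"}}
ROLE_TRANSITIONS = {("sysadm_r", "initrc_exec_t"): "system_r"}
BROKEN_TYPE_TRANSITIONS = {}  # no sysadm_t -> initrc_t domain transition
FIXED_TYPE_TRANSITIONS = {("sysadm_t", "initrc_exec_t"): "initrc_t"}


def compute_exec_sid(scontext, tcontext, type_transitions):
    """Model of security_compute_sid for tclass=process on execve: apply the
    role_transition, then the type_transition, then check that the resulting
    type is authorized for the resulting role.  Returns (context, valid)."""
    user, role, dom = split_context(scontext)
    exec_type = split_context(tcontext)[2]
    new_role = ROLE_TRANSITIONS.get((role, exec_type), role)
    new_type = type_transitions.get((dom, exec_type), dom)
    valid = new_type in ROLE_TYPES.get(new_role, set())
    return f"{user}:{new_role}:{new_type}", valid


if __name__ == "__main__":
    print(diagnose_compute_sid(SELINUX_ERR_ENFORCING))
    print("entrypoint denied for domain:", denied_entrypoint_domain(AVC_PERMISSIVE))
    src = "sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023"
    tgt = "system_u:object_r:initrc_exec_t:s0"
    print("broken policy:", compute_exec_sid(src, tgt, BROKEN_TYPE_TRANSITIONS))
    print("fixed policy: ", compute_exec_sid(src, tgt, FIXED_TYPE_TRANSITIONS))
```

On a real host the same conclusion can be checked against the loaded policy with setools (package setools-console): `sesearch -T -s sysadm_t -t initrc_exec_t -c process` should list a type_transition to initrc_t on a fixed policy and nothing on the affected one, while `sesearch --role_trans -s sysadm_r -t initrc_exec_t` shows the role transition that is present in both cases. Test any local policy change in permissive mode first; the permissive-mode records in comment 1 are what make the missing piece visible.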

Comment 2 Zdenek Pytela 2022-02-16 18:59:47 UTC
No substantial progress has been made in resolving this bz in time for RHEL 8.6, so it will be evaluated for inclusion into the next minor product update.
If you still want to pursue this issue further, please attach information regarding the severity of the bug.

Comment 3 Zdenek Pytela 2022-05-04 06:44:20 UTC
Commit to backport:
commit 5c0cd593245fb0c20f73213406abd1d0352f8c0a (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue May 3 20:12:22 2022 +0200

    Allow sysadm user execute init scripts with a transition

Comment 23 RHEL Program Management 2023-09-01 12:58:10 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 24 RHEL Program Management 2023-09-01 13:00:39 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues.

Users watching this BZ may not be automatically added to the Jira ticket.  Be sure to add yourself to the Watchers field in the Jira issue if you desire to continue following this issue.

