This bug was initially created as a copy of Bug #2039658

I am copying this bug because:
Also applies to RHEL8

Description of problem:
Confined users mapped to the sysadm_u SELinux user cannot execute "service xxx status" or "service xxx restart" commands, as shown in the examples below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[sysadm@vm-confined8 ~]$ service foo status
env: /etc/init.d/foo: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause is missing rules to allow the transition to initrc_t to happen when "service" internally executes the /etc/rc.d/init.d/xxx script.

Note: on RHEL7 (BZ #2039658) adding a rule was sufficient to make this work (see the "Additional info" in the BZ), but this doesn't seem to be the case on RHEL8.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-80.el8_5.2.noarch

How reproducible:
Always

Steps to Reproduce:
1. Map a user to sysadm_u
2. Create a SysV initscript /etc/rc.d/init.d/foo
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
#
# foo: FOO SysV initscript
#
# chkconfig: 345 97 03

case "$1" in
  start)
    echo "START called"
    ;;
  stop)
    echo "STOP called"
    ;;
  restart)
    echo "RESTART called"
    ;;
  status)
    echo "STATUS called"
    ;;
  reload)
    echo "RELOAD called"
    ;;
  *)
    exit 2
    ;;
esac
exit 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
3. Make it executable and a proper SysV initscript
# chmod +x /etc/rc.d/init.d/foo
# restorecon -Fv /etc/rc.d/init.d/foo
4. Try executing the "service foo status" command

Actual results:
No AVC, but Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
env: ‘/etc/init.d/foo’: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Expected results:
Proper execution

Additional info:
SysV initscripts are still supposed to work fine on RHEL8, per the /etc/rc.d/init.d/README note.
Note that "service xxx status" can be different from "systemctl status xxx" for SysV initscripts: it is SysV initscript implementation dependent, e.g. the "service network status" output is different from "systemctl status network". Hence using "systemctl status xxx" cannot be considered a workaround.
The following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(01/20/2022 07:43:25.363:384) : proctitle=env -i PATH=/sbin:/usr/sbin:/bin:/usr/bin TERM=xterm-256color SYSTEMCTL_IGNORE_DEPENDENCIES= SYSTEMCTL_SKIP_REDIRECT= /etc/init.
type=PATH msg=audit(01/20/2022 07:43:25.363:384) : item=0 name=/etc/init.d/foo inode=2346349 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/20/2022 07:43:25.363:384) : cwd=/
type=SYSCALL msg=audit(01/20/2022 07:43:25.363:384) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x7ffd7cce359b a1=0x7ffd7cce1a28 a2=0x56368373db60 a3=0x0 items=1 ppid=5461 pid=5468 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=env exe=/usr/bin/env subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(01/20/2022 07:43:25.363:384) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
----

The following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.913:387) : proctitle=/bin/sh /etc/init.d/foo status
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=10111 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=1 name=/bin/sh inode=6292896 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/20/2022 07:44:15.913:387) : item=0 name=/etc/init.d/foo inode=2346349 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:initrc_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/20/2022 07:44:15.913:387) : cwd=/
type=EXECVE msg=audit(01/20/2022 07:44:15.913:387) : argc=3 a0=/bin/sh a1=/etc/init.d/foo a2=status
type=SYSCALL msg=audit(01/20/2022 07:44:15.913:387) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7ffc115c659b a1=0x7ffc115c5dd8 a2=0x5653a985eb60 a3=0x0 items=3 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/20/2022 07:44:15.913:387) : avc: denied { entrypoint } for pid=5482 comm=env path=/etc/rc.d/init.d/foo dev="vda1" ino=2346349 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=file permissive=1
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.913:387) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.916:388) : proctitle=/bin/sh /etc/init.d/foo status
type=SYSCALL msg=audit(01/20/2022 07:44:15.916:388) : arch=x86_64 syscall=socket success=yes exit=3 a0=local a1=SOCK_STREAM a2=ip a3=0x6 items=0 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----
type=PROCTITLE msg=audit(01/20/2022 07:44:15.917:389) : proctitle=/bin/sh /etc/init.d/foo status
type=SYSCALL msg=audit(01/20/2022 07:44:15.917:389) : arch=x86_64 syscall=socket success=yes exit=3 a0=local a1=SOCK_STREAM a2=ip a3=0x6 items=0 ppid=5475 pid=5482 auid=sysadm-user uid=sysadm-user gid=sysadm-user euid=sysadm-user suid=sysadm-user fsuid=sysadm-user egid=sysadm-user sgid=sysadm-user fsgid=sysadm-user tty=pts1 ses=8 comm=foo exe=/usr/bin/bash subj=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.917:389) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.917:389) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----

# rpm -qa selinux\* initscripts\* | sort
initscripts-10.00.15-1.el8.x86_64
selinux-policy-3.14.3-86.el8.noarch
selinux-policy-targeted-3.14.3-86.el8.noarch
#
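The SELINUX_ERR records above carry the whole diagnosis in their fields: on the execve of initrc_exec_t the role changed from sysadm_r to system_r while the type stayed sysadm_t, and sysadm_t is not valid in system_r, which is what a role_transition without a matching domain transition to initrc_t looks like. The script below is an added example, not part of this report or of selinux-policy; it parses the two security_compute_sid records quoted in this bug (embedded as a constructed sample in ausearch -i format) and classifies them, separating the original exec failure from the follow-on errors raised once the process already runs in the invalid context.

```python
import re

# Constructed sample: the two SELINUX_ERR records quoted in this bug report
# (ausearch -i output), one from enforcing mode, one from permissive mode.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(01/20/2022 07:43:25.363:384) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(01/20/2022 07:44:15.916:388) : op=security_compute_sid invalid_context=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 scontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tcontext=sysadm_u:system_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

FIELD = re.compile(r"(\w+)=(\S+)")  # key=value pairs of an audit record


def split_context(ctx):
    """'user:role:type[:range]' -> (user, role, type); the MLS range is ignored."""
    user, role, dtype = ctx.split(":", 3)[:3]
    return user, role, dtype


def parse_selinux_err(text):
    """Return the key=value fields of every SELINUX_ERR record in the text."""
    return [dict(FIELD.findall(line)) for line in text.splitlines()
            if line.startswith("type=SELINUX_ERR")]


def diagnose(rec):
    """Classify one security_compute_sid failure as (kind, detail).

    'missing_domain_transition': the exec changed the role but not the type,
    so the computed context is invalid (the signature in this bug).
    'follow_on': the subject already runs in the invalid context, so every
    later computed SID for it fails too (permissive-mode noise)."""
    if rec.get("op") != "security_compute_sid":
        return ("other", "not a compute_sid error")
    _, srole, stype = split_context(rec["scontext"])
    _, irole, itype = split_context(rec["invalid_context"])
    _, _, ttype = split_context(rec["tcontext"])
    if rec.get("tclass") == "process" and srole != irole and stype == itype:
        return ("missing_domain_transition",
                f"exec of {ttype}: role {srole}->{irole} but type stayed {stype}")
    if (srole, stype) == (irole, itype):
        return ("follow_on",
                f"subject already in invalid context {irole}:{itype} "
                f"(class {rec.get('tclass')})")
    return ("other", "unclassified compute_sid failure")


def diagnose_all(text):
    return [diagnose(r) for r in parse_selinux_err(text)]


if __name__ == "__main__":
    for kind, detail in diagnose_all(SAMPLE_AUDIT):
        print(f"{kind}: {detail}")
```

Run against a live system with `ausearch -i -m SELINUX_ERR` piped in instead of the sample; a `missing_domain_transition` verdict naming initrc_exec_t is the condition this bug describes.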
No substantial progress has been made in resolving this bz in time for RHEL 8.6, so it will be evaluated for inclusion into the next minor product update. If you still want to pursue this issue further, please attach information regarding severity of the bugzilla.
Commit to backport:

commit 5c0cd593245fb0c20f73213406abd1d0352f8c0a (HEAD -> rawhide, upstream/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Tue May 3 20:12:22 2022 +0200

    Allow sysadm user execute init scripts with a transition