Bug 2049018 - sysadm_passwd_t requires to execute sss_cache
Summary: sysadm_passwd_t requires to execute sss_cache
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 36
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Patrik Koncity
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1767779 2053457 2053458
Reported: 2022-02-01 10:44 UTC by Zdenek Pytela
Modified: 2022-02-18 07:45 UTC (History)

Fixed In Version:
Clone Of:
Clones: 2053457 2053458
Environment:
Last Closed: 2022-02-14 11:23:04 UTC
Type: Bug
Embargoed:


Links:
GitHub fedora-selinux/selinux-policy pull 1046 (Status: Merged): Allow confined sysadmin to use tool vipw and vigr (last updated 2022-02-11 13:44:23 UTC)

Internal Links: 2050952

Description Zdenek Pytela 2022-02-01 10:44:22 UTC
Description of problem:
After applying the fix for bz#2022690, vipw starts requiring permission to execute /usr/sbin/sss_cache.

Version-Release number of selected component (if applicable):
selinux-policy-35.12-1.20220131_142255.f469c48.fc36.noarch
sssd-common-2.6.2-2.fc36.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use a confined sysadmin to run vipw

Actual results:

----
type=PROCTITLE msg=audit(02/01/2022 05:20:45.848:1328) : proctitle=vipw -s
type=PATH msg=audit(02/01/2022 05:20:45.848:1328) : item=0 name=/usr/sbin/sss_cache inode=150667 dev=fc:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/01/2022 05:20:45.848:1328) : cwd=/root
type=SYSCALL msg=audit(02/01/2022 05:20:45.848:1328) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55d0c02258f3 a1=0x7fff6d6b0970 a2=0x7fff6d6b0968 a3=0x7f7d3e76c088 items=1 ppid=5683 pid=5688 auid=staff uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=5 comm=vipw exe=/usr/sbin/vipw subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/01/2022 05:20:45.848:1328) : avc:  denied  { execute } for  pid=5688 comm=vipw name=sss_cache dev="vda1" ino=150667 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
[root@ci-vm-10-0-138-143 ~]#

Expected results:


Additional info:

Comment 1 Patrik Koncity 2022-02-03 14:36:56 UTC
After using

$ sudo -r sysadm_r vipw
or
$ sudo -r sysadm_r vipw -s

for the sysadm user, I see only these AVCs.

time->Thu Feb  3 09:34:06 2022
type=AVC msg=audit(1643898846.007:779): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:06 2022
type=AVC msg=audit(1643898846.010:780): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:07 2022
type=AVC msg=audit(1643898847.857:781): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:12 2022
type=AVC msg=audit(1643898852.660:789): avc:  denied  { read } for  pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:12 2022
type=AVC msg=audit(1643898852.661:790): avc:  denied  { read } for  pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
time->Thu Feb  3 09:34:17 2022
type=AVC msg=audit(1643898857.352:791): avc:  denied  { read } for  pid=2471 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0


I didn't find any AVCs related to sss_cache.

Comment 2 Zdenek Pytela 2022-02-03 14:50:31 UTC
This is my VM, a clean installation without any modifications except creating a staff user:

f35# vipw
You have modified /etc/passwd.
You may need to modify /etc/shadow for consistency.
Please use the command 'vipw -s' to do so.
vipw: cannot execute /usr/sbin/sss_cache: Permission denied
f35# id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
f35# ls -lZ /usr/sbin/sss_cache
-rwxr-xr-x. 1 root root system_u:object_r:sssd_exec_t:s0 36656 Jan 25 07:03 /usr/sbin/sss_cache
 
----
type=PROCTITLE msg=audit(02/03/2022 09:48:44.206:981) : proctitle=vim /etc/passwd.edit 
type=PATH msg=audit(02/03/2022 09:48:44.206:981) : item=0 name=/root/.viminfo inode=99352 dev=00:1f mode=file,600 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:admin_home_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(02/03/2022 09:48:44.206:981) : cwd=/root 
type=SYSCALL msg=audit(02/03/2022 09:48:44.206:981) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55626a7564d0 a2=O_RDONLY a3=0x0 items=1 ppid=59440 pid=59441 auid=unknown(1001) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=6 comm=vim exe=/usr/bin/vim subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/03/2022 09:48:44.206:981) : avc:  denied  { read } for  pid=59441 comm=vim name=.viminfo dev="sda2" ino=99352 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(02/03/2022 09:48:44.207:982) : avc:  denied  { read } for  pid=59418 comm=auditd name=passwd dev="sda2" ino=99367 scontext=system_u:system_r:auditd_t:s0 tcontext=staff_u:object_r:shadow_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(02/03/2022 09:48:44.211:983) : proctitle=vipw
type=PATH msg=audit(02/03/2022 09:48:44.211:983) : item=0 name=/usr/sbin/sss_cache inode=28430 dev=00:1f mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/03/2022 09:48:44.211:983) : cwd=/root
type=SYSCALL msg=audit(02/03/2022 09:48:44.211:983) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x559e63f658f3 a1=0x7ffe55a68750 a2=0x7ffe55a68748 a3=0x7fa19a0e7008 items=1 ppid=59439 pid=59452 auid=unknown(1001) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=6 comm=vipw exe=/usr/sbin/vipw subj=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/03/2022 09:48:44.211:983) : avc:  denied  { execute } for  pid=59452 comm=vipw name=sss_cache dev="sda2" ino=28430 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
----

Comment 3 Patrik Koncity 2022-02-03 16:20:42 UTC
When I set permissive mode and modify files with the vipw utility, it also prints new AVCs:

----
time->Thu Feb  3 11:15:47 2022
type=AVC msg=audit(1643904947.716:694): avc:  denied  { read } for  pid=1133 comm="vim" name=".viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:47 2022
type=AVC msg=audit(1643904947.717:695): avc:  denied  { open } for  pid=1133 comm="vim" path="/root/.viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.419:696): avc:  denied  { create } for  pid=1133 comm="vim" name=".viminfo.tmp" scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.420:697): avc:  denied  { write } for  pid=1133 comm="vim" path="/root/.viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.421:698): avc:  denied  { unlink } for  pid=1133 comm="vim" name=".viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
----
time->Thu Feb  3 11:15:52 2022
type=AVC msg=audit(1643904952.422:699): avc:  denied  { rename } for  pid=1133 comm="vim" name=".viminfo.tmp" dev="vda1" ino=6764 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
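
As an added example (not part of this bug report or the selinux-policy project), a small Python triage script that parses AVC records in the two shapes quoted in the description and in comments 1 and 3 (`ausearch -i` output with unquoted comm and human-readable timestamp, and raw audit.log output with quoted comm and epoch timestamp) and collapses them into the distinct allow rules the policy lacks for one source domain, so the sss_cache execute denial from vipw stands apart from the .viminfo denials and the unrelated auditd_t record. The sample records are constructed from the ones quoted on this page.

```python
import re
from collections import Counter

# Constructed sample in the shapes seen on this bug: `ausearch -i` output
# (comm unquoted, human-readable timestamp), raw audit.log output (comm quoted,
# epoch timestamp), a permissive=1 record, and one unrelated auditd_t denial.
SAMPLE_AVCS = """\
type=AVC msg=audit(02/01/2022 05:20:45.848:1328) : avc:  denied  { execute } for  pid=5688 comm=vipw name=sss_cache dev="vda1" ino=150667 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643898846.007:779): avc:  denied  { read } for  pid=2466 comm="vim" name=".viminfo" dev="vda1" ino=6741 scontext=sysadm_u:sysadm_r:sysadm_passwd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1643904947.717:695): avc:  denied  { open } for  pid=1133 comm="vim" path="/root/.viminfo" dev="vda1" ino=6755 scontext=staff_u:sysadm_r:sysadm_passwd_t:s0 tcontext=staff_u:object_r:admin_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(02/03/2022 09:48:44.207:982) : avc:  denied  { read } for  pid=59418 comm=auditd name=passwd dev="sda2" ino=99367 scontext=system_u:system_r:auditd_t:s0 tcontext=staff_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="?(?P<comm>[^"\s]+)"?'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r' permissive=(?P<permissive>[01])'
)

def context_type(ctx):
    # user:role:type[:mls-range]; only the type matters for an allow rule, so the
    # s0-s0:c0.c1023 range on the staff_u records and the user/role are dropped.
    return ctx.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC record, or None for non-AVC lines (PATH, SYSCALL, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"perms": frozenset(d["perms"].split()), "comm": d["comm"],
            "stype": context_type(d["scontext"]), "ttype": context_type(d["tcontext"]),
            "tclass": d["tclass"], "permissive": d["permissive"] == "1"}

def missing_rules(lines, source_type):
    """Collapse all denials of one source domain into distinct (stype, ttype,
    tclass, perm) tuples with hit counts: each tuple is one allow rule the
    policy lacks, which is the unit a policy fix (and a review of it) works in."""
    counts = Counter()
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["stype"] == source_type:
            for perm in avc["perms"]:
                counts[(avc["stype"], avc["ttype"], avc["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for (s, t, c, p), n in sorted(missing_rules(SAMPLE_AVCS.splitlines(), "sysadm_passwd_t").items()):
        print(f"{n}x  allow {s} {t}:{c} {p};")
```

Run against a real `ausearch -m AVC -ts recent` dump, the output for sysadm_passwd_t lists the sss_cache execute rule once and the admin_home_t rules separately, which is the split the comments above arrive at by hand.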

Comment 4 Ben Cotton 2022-02-08 20:17:17 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 36 development cycle.
Changing version to 36.

Comment 5 Patrik Koncity 2022-02-09 15:55:10 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/1046

