RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2112729 - Confined SELinux user 'staff_u' cannot run probes from scap-workbench if privilege escalation performed by polkit
Summary: Confined SELinux user 'staff_u' cannot run probes from scap-workbench if priv...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: unspecified
Hardware: Unspecified
OS: Linux
low
low
Target Milestone: rc
: 9.3
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Petr Hybl
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-08-01 01:28 UTC by Daniel Reynolds
Modified: 2023-11-07 11:22 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-38.1.16-1.el9
Doc Type: Bug Fix
Doc Text:
.Users in the `staff_r` SELinux role can now run `scap_workbench` probes Previously, the `selinux-policy` packages did not contain rules for users in the `staff_r` SELinux role required to run the `scap-workbench` utility. Consequently, `scap-workbench` probes failed when run by user in the `staff_r` SELinux role. With this update, the missing rules have been added to `selinux-policy`, and SELinux users can now run `scap_workbench` probes.
Clone Of:
Environment:
Last Closed: 2023-11-07 08:52:15 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-129738 0 None None None 2022-08-01 01:46:51 UTC
Red Hat Product Errata RHBA-2023:6617 0 None None None 2023-11-07 08:52:31 UTC

Description Daniel Reynolds 2022-08-01 01:28:45 UTC 
1. Proposed title of this feature request

polkit SELinux transitions

2. Who is the customer behind the request?

Account: 1158984 - BAE Systems Australia Ltd
TAM customer: no
CSM customer: no
Strategic: no

3. What is the nature and description of the request?

When running a system that confines users to SELinux user staff_u, users performing probes from scap-workbench cause many AVC errors and probe fails.

4. Why does the customer need this? (List the business requirements here)

To allow constrained 'staff_u' users to run probes from SCAP-workbench

5. How would the customer like to achieve this? (List the functional requirements here)

Request is to provide a method for scap-workbench to perform probes by a constrained user staff_u by either:
- Allow polkit to change SELinux context of new processes.
- Introduce new SELinux domains for oscap and scap-workbench that allow constrained user staff_u to run probes.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

a. Set up a SELinux constrained user 'staff_u'.
b. Configure user to be an administrator (e.g. member of wheel).
c. Install SCAP-workbench.
d. Successfully run SCAP-workbench from menu, authenticate via polkit, and run a probe on local system without SELinux denials.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

No

9. Is the sales team involved in this request and do they have any additional input?

No

10. List any affected packages or components.

scap-workbench,
selinux-policy
polkit

11. Would the customer be able to assist in testing this functionality if implemented?

Yes
Comment 1 Zdenek Pytela 2022-08-05 19:09:25 UTC 
Daniel,

Can you describe which instructions were followed to get to this setup?

From SELinux perspective the problem is that a Linux user in the staff_r role is a SELinux confined user, while a SELinux confined administrator rather has the sysadm_r role (and a few dedicated ones which probably do not apply here).

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux
Comment 2 Daniel Reynolds 2022-08-08 03:57:20 UTC 
Hello Zdenek

Re

> Can you describe which instructions were followed to get to this setup?

1. Cu has started to migrate users to staff_u.

2. To run administrative commands they use the following configuration

    Users assigned to 'wheel' group.

    The following configuration in /etc/sudoers to allow the transition; staff_r -> sysadm_t.
    ~~~
    %wheel_sysadm  ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_r   ALL
    ~~~

3. Works for most administrative functions.

4. Using scap-workbench from GUI.

    scap-workbench does not use 'sudo' for privilege escalation to root, uses polkit.

    polkit does not perform transition from staff_r -> sysadm_r.

    polkit probe runs as staff_r instead of sysadm_r.  Most of the probe fails with AVC denials despite running as root.

5. As a work around, user is running scap-workbench via sudo.


Regards.
Comment 3 Daniel Reynolds 2022-08-08 03:58:39 UTC 
Correction to above

/etc/sudoers configuration is as follows

~~~
%wheel_sysadm  ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t   ALL
~~~
Comment 4 Nikola Knazekova 2022-09-02 06:00:59 UTC 
Hi Daniel,

can you please attach AVC messages? 

Thanks

Nikola
Comment 10 Daniel Reynolds 2022-09-09 04:37:06 UTC 
Supplied AVC as requested.  See above.
Comment 27 Nikola Knazekova 2023-06-14 14:22:51 UTC 
PR: https://github.com/fedora-selinux/selinux-policy/pull/1708
Comment 29 Zdenek Pytela 2023-06-23 09:33:57 UTC 
Commit to bckport:
3d4190dbd (HEAD -> rawhide, upstream/rawhide) Add list_dir_perms to kerberos_read_keytab
Comment 43 errata-xmlrpc 2023-11-07 08:52:15 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617
Note You need to log in before you can comment on or make changes to this bug.