1. Proposed title of this feature request polkit SELinux transitions 2. Who is the customer behind the request? Account: 1158984 - BAE Systems Australia Ltd TAM customer: no CSM customer: no Strategic: no 3. What is the nature and description of the request? When running a system that confines users to SELinux user staff_u, users performing probes from scap-workbench cause many AVC errors and probe fails. 4. Why does the customer need this? (List the business requirements here) To allow constrained 'staff_u' users to run probes from SCAP-workbench 5. How would the customer like to achieve this? (List the functional requirements here) Request is to provide a method for scap-workbench to perform probes by a constrained user staff_u by either: - Allow polkit to change SELinux context of new processes. - Introduce new SELinux domains for oscap and scap-workbench that allow constrained user staff_u to run probes. 6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented. a. Set up a SELinux constrained user 'staff_u'. b. Configure user to be an administrator (e.g. member of wheel). c. Install SCAP-workbench. d. Successfully run SCAP-workbench from menu, authenticate via polkit, and run a probe on local system without SELinux denials. 7. Is there already an existing RFE upstream or in Red Hat Bugzilla? No 8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)? No 9. Is the sales team involved in this request and do they have any additional input? No 10. List any affected packages or components. scap-workbench, selinux-policy polkit 11. Would the customer be able to assist in testing this functionality if implemented? Yes
Daniel, Can you describe which instructions were followed to get to this setup? From SELinux perspective the problem is that a Linux user in the staff_r role is a SELinux confined user, while a SELinux confined administrator rather has the sysadm_r role (and a few dedicated ones which probably do not apply here). https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/managing-confined-and-unconfined-users_using-selinux
Hello Zdenek Re > Can you describe which instructions were followed to get to this setup? 1. Cu has started to migrate users to staff_u. 2. To run administrative commands they use the following configuration Users assigned to 'wheel' group. The following configuration in /etc/sudoers to allow the transition; staff_r -> sysadm_t. ~~~ %wheel_sysadm ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_r ALL ~~~ 3. Works for most administrative functions. 4. Using scap-workbench from GUI. scap-workbench does not use 'sudo' for privilege escalation to root, uses polkit. polkit does not perform transition from staff_r -> sysadm_r. polkit probe runs as staff_r instead of sysadm_r. Most of the probe fails with AVC denials despite running as root. 5. As a work around, user is running scap-workbench via sudo. Regards.
Correction to above /etc/sudoers configuration is as follows ~~~ %wheel_sysadm ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL ~~~
Hi Daniel, can you please attach AVC messages? Thanks Nikola
Supplied AVC as requested. See above.
PR: https://github.com/fedora-selinux/selinux-policy/pull/1708
Commit to bckport: 3d4190dbd (HEAD -> rawhide, upstream/rawhide) Add list_dir_perms to kerberos_read_keytab