Bug 2123260 - SELinux prevents confined users (staff_u, sysadm_u) from successfully running vlock
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-11-22
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.2
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-09-01 09:13 UTC by Milos Malik
Modified: 2023-05-09 10:20 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 2122838
Environment:
Last Closed: 2023-05-09 08:16:32 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
- Github fedora-selinux selinux-policy pull 1437 (open): Allow vlock search the contents of the /dev/pts directory (last updated 2022-10-11 08:01:05 UTC)
- Red Hat Issue Tracker RHELPLAN-132955 (last updated 2022-09-01 09:38:43 UTC)
- Red Hat Product Errata RHBA-2023:2483 (last updated 2023-05-09 08:16:51 UTC)

Description Milos Malik 2022-09-01 09:13:10 UTC
+++ This bug was initially created as a clone of Bug #2122838 +++

Description of problem:

SELinux confined users staff_u, sysadm_u cannot run vlock successfully.

Version-Release number of selected component (if applicable):
kbd-2.4.0-8.el9.x86_64
kbd-misc-2.4.0-8.el9.noarch
selinux-policy-34.1.42-1.el9.noarch
selinux-policy-devel-34.1.42-1.el9.noarch
selinux-policy-doc-34.1.42-1.el9.noarch
selinux-policy-mls-34.1.42-1.el9.noarch
selinux-policy-targeted-34.1.42-1.el9.noarch

How reproducible: Always

Steps to Reproduce:
1. Configure sudo to run in sysadm_r

    Edit /etc/sudoers
    ~~~
    %wheel  ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t NOPASSWD: ALL
    ~~~

2. Create a SELinux confined user.

    ~~~
    # -c sets the comment; --selinux-user (-Z) needs the SELinux user (staff_u) as its
    # argument; wheel membership lets step 4b use sudo under the sysadm_r rule above
    useradd -c 'Test confined user' -G wheel --selinux-user staff_u test-staff
    echo 'XXXXXX' | passwd --stdin test-staff
    ~~~

3. Log into test-staff

4a. Run vlock as test-staff, OR

    ~~~
    $ vlock
    ~~~

4b. Run vlock via sudo

    ~~~
    $ sudo vlock
    ~~~

Actual results:

    ~~~
    [test-staff@rhel9-minimal ~]$ vlock
    vlock: stdin is not a tty[test-staff@rhel9-minimal ~]
    ~~~

    OR

    ~~~
    [test-staff@rhel9-minimal ~]$ sudo vlock
    vlock: stdin is not a tty[test-staff@rhel9-minimal ~]$
    ~~~

Expected results:

    ~~~
    [dareynol@rhel9-minimal ~]$ vlock
    This tty (pts/0) is not a virtual console.


    The pts/0 is now locked by dareynol.
    Password:
    ~~~

    OR

    ~~~
    [dareynol@rhel9-minimal ~]$ sudo vlock
    This tty (pts/0) is not a virtual console.


    The pts/0 is now locked by root.
    Password:
    ~~~

Comment 1 Milos Malik 2022-09-01 09:22:30 UTC
SELinux denials caught in enforcing mode after removal of dontaudit rules:
----
type=PROCTITLE msg=audit(09/01/2022 11:07:50.940:572) : proctitle=vlock 
type=PATH msg=audit(09/01/2022 11:07:50.940:572) : item=0 name=/dev/pts/0 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/01/2022 11:07:50.940:572) : cwd=/home/staff-user 
type=SYSCALL msg=audit(09/01/2022 11:07:50.940:572) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x556028a0f5a0 a2=0x7ffd68c392e0 a3=0x0 items=1 ppid=4605 pid=6150 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=pts0 ses=5 comm=vlock exe=/usr/bin/vlock subj=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/01/2022 11:07:50.940:572) : avc:  denied  { search } for  pid=6150 comm=vlock name=/ dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0 
----
type=PROCTITLE msg=audit(09/01/2022 11:07:50.940:573) : proctitle=vlock 
type=PATH msg=audit(09/01/2022 11:07:50.940:573) : item=0 name=/dev/pts/ inode=1 dev=00:18 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(09/01/2022 11:07:50.940:573) : cwd=/home/staff-user 
type=SYSCALL msg=audit(09/01/2022 11:07:50.940:573) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x556028a0f5a0 a2=0x7ffd68c392e0 a3=0x0 items=1 ppid=4605 pid=6150 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=pts0 ses=5 comm=vlock exe=/usr/bin/vlock subj=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/01/2022 11:07:50.940:573) : avc:  denied  { getattr } for  pid=6150 comm=vlock path=/dev/pts dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0 
----

The following policy module solved the problem on my VM:

# cat mypolicy.cil 
( allow vlock_t devpts_t ( dir ( getattr search )))
# semodule -i mypolicy.cil
#

The following policy rules (generated by audit2allow from the ausearch output) are not necessary for running the vlock command successfully:

#============= vlock_t ==============
allow vlock_t apm_bios_t:chr_file getattr;
allow vlock_t autofs_device_t:chr_file getattr;
allow vlock_t cachefiles_device_t:chr_file getattr;
allow vlock_t clock_device_t:chr_file getattr;
allow vlock_t dma_device_t:chr_file getattr;
allow vlock_t event_device_t:chr_file getattr;
allow vlock_t fixed_disk_device_t:blk_file getattr;
allow vlock_t framebuf_device_t:chr_file getattr;
allow vlock_t fuse_device_t:chr_file getattr;
allow vlock_t gpmctl_t:sock_file getattr;
allow vlock_t hugetlbfs_t:dir getattr;
allow vlock_t initctl_t:fifo_file getattr;
allow vlock_t kmsg_device_t:chr_file getattr;
allow vlock_t kvm_device_t:chr_file getattr;
allow vlock_t loop_control_device_t:chr_file getattr;
allow vlock_t memory_device_t:chr_file getattr;
allow vlock_t netcontrol_device_t:chr_file getattr;
allow vlock_t nvram_device_t:chr_file getattr;
allow vlock_t ppp_device_t:chr_file getattr;
allow vlock_t printer_device_t:chr_file getattr;
allow vlock_t proc_kcore_t:file getattr;
allow vlock_t ptmx_t:chr_file getattr;
allow vlock_t tty_device_t:chr_file getattr;
allow vlock_t uhid_device_t:chr_file getattr;
allow vlock_t usbmon_device_t:chr_file getattr;
allow vlock_t vhost_device_t:chr_file getattr;
allow vlock_t virtio_device_t:chr_file getattr;
allow vlock_t watchdog_device_t:chr_file getattr;
allow vlock_t wireless_device_t:chr_file getattr;
allow vlock_t xserver_misc_device_t:chr_file getattr;

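The two AVC records above carry everything needed to derive the reporter's minimal CIL rule, and Comment 4's sesearch line is what confirms the rebased policy grants it. The following added example (not the reporter's tooling or anything from selinux-policy) parses AVC denials copied from Comment 1, groups them into the least allow rule by source type, target type and class, renders it as CIL, and checks whether a rule in `sesearch -A` output form covers every denied permission:

```python
"""Derive the minimal SELinux allow rule from AVC denials and check that a
policy rule in `sesearch -A` output form covers it.  Added example; the two
AVC lines below are constructed from Comment 1 of this bug."""
import re
from collections import defaultdict

# Constructed sample input: the two denials from Comment 1, one per line.
AVC_LOG = """\
type=AVC msg=audit(09/01/2022 11:07:50.940:572) : avc:  denied  { search } for  pid=6150 comm=vlock name=/ dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
type=AVC msg=audit(09/01/2022 11:07:50.940:573) : avc:  denied  { getattr } for  pid=6150 comm=vlock path=/dev/pts dev="devpts" ino=1 scontext=staff_u:staff_r:vlock_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Matches one `sesearch -A` line: "allow S T:C { p1 p2 };" or "allow S T:C p;"
SESEARCH_RE = re.compile(
    r"allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]+?)\s*\}|(\S+?));")


def denied_rules(log):
    """Group denials by (source type, target type, class) -> set of perms.
    Only the type field (third colon-separated part) of each context matters
    for an allow rule; user, role and MLS range are dropped."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            stype = m["scon"].split(":")[2]
            ttype = m["tcon"].split(":")[2]
            rules[(stype, ttype, m["tclass"])].update(m["perms"].split())
    return rules


def to_cil(rules):
    """Render each grouped denial as one CIL allow statement per line."""
    return "\n".join(
        f"(allow {s} {t} ({c} ({' '.join(sorted(p))})))"
        for (s, t, c), p in sorted(rules.items()))


def covered(rules, sesearch_output):
    """True when every denied permission is granted by some allow rule in
    the sesearch output, i.e. the loaded policy now permits what was denied."""
    granted = defaultdict(set)
    for s, t, c, many, one in SESEARCH_RE.findall(sesearch_output):
        granted[(s, t, c)].update((many or one).split())
    return all(perms <= granted[key] for key, perms in rules.items())
```

Run `to_cil(denied_rules(AVC_LOG))` to get the single rule the reporter loaded from mypolicy.cil; pass real `sesearch -A -s vlock_t -t devpts_t` output to `covered()` to verify a policy build.
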
Comment 4 Zdenek Pytela 2022-11-25 09:48:04 UTC
Resolved with the rebase:
rhel92# sesearch -A -s vlock_t -t devpts_t -c dir -p search
allow vlock_t devpts_t:dir { getattr open search };

Comment 13 errata-xmlrpc 2023-05-09 08:16:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

