Bug 2136189 - Confined user sudo'ing with sysadm_r role sees journalctl AVCs
Summary: Confined user sudo'ing with sysadm_r role sees journalctl AVCs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2153782
Reported: 2022-10-19 14:41 UTC by Renaud Métrich
Modified: 2023-05-16 11:02 UTC (History)

Fixed In Version: selinux-policy-3.14.3-116.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2153782 (view as bug list)
Environment:
Last Closed: 2023-05-16 09:04:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
- GitHub fedora-selinux/selinux-policy pull 1588 (Merged): Add journalctl the sys_resource capability (last updated 2023-02-09 17:08:59 UTC)
- Red Hat Issue Tracker RHELPLAN-137049 (last updated 2022-10-19 14:47:58 UTC)
- Red Hat Product Errata RHBA-2023:2965 (last updated 2023-05-16 09:04:37 UTC)

Description Renaud Métrich 2022-10-19 14:41:25 UTC
Description of problem:

When becoming root from staff_u to staff_u:sysadm_r:sysadm_t (thanks to the usual rule on the %wheel group), the admin gets harmless AVCs related to the journal when executing the journalctl command:
~~~
# ausearch -m avc,user_avc -ts recent
----
time->Wed Oct 19 16:31:06 2022
type=USER_AVC msg=audit(1666189866.541:220): pid=1081 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Oct 19 16:31:53 2022
type=SYSCALL msg=audit(1666189913.115:242): arch=c000003e syscall=157 success=no exit=-1 a0=23 a1=8 a2=7f5c33123000 a3=0 items=0 ppid=5559 pid=5560 auid=1005 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=17 comm="(pager)" exe="/usr/bin/journalctl" subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1666189913.115:242): avc:  denied  { sys_resource } for  pid=5560 comm="(pager)" capability=24  scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Wed Oct 19 16:31:53 2022
type=SYSCALL msg=audit(1666189913.117:243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5567cbc49350 a2=0 a3=0 items=0 ppid=5559 pid=5560 auid=1005 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=17 comm="less" exe="/usr/bin/less" subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1666189913.117:243): avc:  denied  { read } for  pid=5560 comm="less" name=".lesshst" dev="dm-0" ino=33588461 scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
~~~

The root cause for this is journalctl executes in "journalctl_t" context due to the transition:
~~~
# sesearch -T -t journalctl_exec_t
type_transition staff_t journalctl_exec_t:process journalctl_t;
type_transition sysadm_t journalctl_exec_t:process journalctl_t;
type_transition user_t journalctl_exec_t:process journalctl_t;
~~~

Then the journalctl process spawns "less", which runs in the journalctl context as well, the latter trying to read and then modify resource limits (the "setrlimit" AVC is seen later on while in Permissive).
Additionally "less" tries to read /root/.lesshst file which is labeled with admin_home_t, but there is no rule for this either.
We need to allow this.

Custom policy rules missing:
~~~
allow journalctl_t self:capability sys_resource;
allow journalctl_t self:process setrlimit;
allow journalctl_t admin_home_t:file {ioctl read write getattr lock append open};
~~~

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-95.el8_6.4.noarch
Also seen on RHEL7.

How reproducible:

Always

Steps to Reproduce:
1. Create a user mapped to staff_u in %wheel group

    # useradd -Z staff_u staff
    # echo redhat | passwd --stdin staff

2. Login as the user and sudo

    $ sudo -r sysadm_r -i
    # journalctl

Actual results:

AVCs above + "setrlimit" AVC when being Permissive:
~~~
time->Wed Oct 19 16:25:59 2022
type=PROCTITLE msg=audit(1666189559.514:349): proctitle="journalctl"
type=SYSCALL msg=audit(1666189559.514:349): arch=c000003e syscall=160 success=no exit=-13 a0=7 a1=7ffc27e181b0 a2=0 a3=8 items=0 ppid=2127 pid=2159 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="journalctl" exe="/usr/bin/journalctl" subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1666189559.514:349): avc:  denied  { setrlimit } for  pid=2159 comm="journalctl" scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=process permissive=0
~~~

Expected results:

No AVC

Comment 1 Renaud Métrich 2022-10-21 08:43:26 UTC
The issue happens when "journalctl" tries to change the limit for NOFILE:
~~~
1571  [journalctl_t] 10:22:54.471536 setrlimit(RLIMIT_NOFILE, {rlim_cur=16*1024, rlim_max=16*1024}) = -1 EPERM (Operation not permitted) <0.000009>
~~~

But the issue is seen only when we are "root". This is because "setrlimit()" fails earlier when being the user, from "trace-cmd" output:

- as staff user

~~~
      journalctl-1861  [000]   870.439735: funcgraph_entry:                   |  SyS_setrlimit() {
      journalctl-1861  [000]   870.439744: funcgraph_entry:                   |    __check_object_size() {
      journalctl-1861  [000]   870.439744: funcgraph_entry:        0.038 us   |      static_key_enabled();
      journalctl-1861  [000]   870.439744: funcgraph_entry:        0.046 us   |      __virt_addr_valid();
      journalctl-1861  [000]   870.439745: funcgraph_entry:        0.047 us   |      check_stack_object();
      journalctl-1861  [000]   870.439745: funcgraph_exit:         1.035 us   |    }
      journalctl-1861  [000]   870.439745: funcgraph_entry:                   |    do_prlimit() {
      journalctl-1861  [000]   870.439745: funcgraph_entry:                   |      tasklist_read_lock() {
      journalctl-1861  [000]   870.439746: funcgraph_entry:        0.080 us   |        _raw_qread_lock();
      journalctl-1861  [000]   870.439746: funcgraph_exit:         0.381 us   |      }
      journalctl-1861  [000]   870.439746: funcgraph_entry:        0.045 us   |      _raw_spin_lock();
      journalctl-1861  [000]   870.439747: funcgraph_entry:                   |      capable() {
      journalctl-1861  [000]   870.439747: funcgraph_entry:                   |        ns_capable() {
      journalctl-1861  [000]   870.439747: funcgraph_entry:                   |          security_capable() {
      journalctl-1861  [000]   870.439747: funcgraph_entry:                   |            selinux_capable() {
      journalctl-1861  [000]   870.439747: funcgraph_entry:        0.038 us   |              cap_capable();
      journalctl-1861  [000]   870.439748: funcgraph_exit:         0.343 us   |            }
      journalctl-1861  [000]   870.439748: funcgraph_exit:         0.725 us   |          }
      journalctl-1861  [000]   870.439748: funcgraph_exit:         1.093 us   |        }
      journalctl-1861  [000]   870.439748: funcgraph_exit:         1.441 us   |      }
      journalctl-1861  [000]   870.439748: funcgraph_exit:         2.820 us   |    }
      journalctl-1861  [000]   870.439748: funcgraph_exit:         4.642 us   |  }
~~~

- as root

~~~
      journalctl-1997  [001]  1212.941396: funcgraph_entry:                   |  SyS_setrlimit() {
      journalctl-1997  [001]  1212.941397: funcgraph_entry:                   |    __check_object_size() {
      journalctl-1997  [001]  1212.941397: funcgraph_entry:        0.040 us   |      static_key_enabled();
      journalctl-1997  [001]  1212.941398: funcgraph_entry:        0.045 us   |      __virt_addr_valid();
      journalctl-1997  [001]  1212.941398: funcgraph_entry:        0.037 us   |      check_stack_object();
      journalctl-1997  [001]  1212.941398: funcgraph_exit:         1.053 us   |    }
      journalctl-1997  [001]  1212.941398: funcgraph_entry:                   |    do_prlimit() {
      journalctl-1997  [001]  1212.941399: funcgraph_entry:                   |      tasklist_read_lock() {
      journalctl-1997  [001]  1212.941399: funcgraph_entry:        0.073 us   |        _raw_qread_lock();
      journalctl-1997  [001]  1212.941399: funcgraph_exit:         0.387 us   |      }
      journalctl-1997  [001]  1212.941399: funcgraph_entry:        0.038 us   |      _raw_spin_lock();
      journalctl-1997  [001]  1212.941400: funcgraph_entry:                   |      capable() {
      journalctl-1997  [001]  1212.941400: funcgraph_entry:                   |        ns_capable() {
      journalctl-1997  [001]  1212.941400: funcgraph_entry:                   |          security_capable() {
      journalctl-1997  [001]  1212.941400: funcgraph_entry:                   |            selinux_capable() {
      journalctl-1997  [001]  1212.941400: funcgraph_entry:        0.078 us   |              cap_capable();
      journalctl-1997  [001]  1212.941401: funcgraph_entry:                   |              cred_has_capability() {
      journalctl-1997  [001]  1212.941401: funcgraph_entry:        0.042 us   |                avc_denied.isra.5();
      journalctl-1997  [001]  1212.941402: funcgraph_entry:                   |                slow_avc_audit() {
      journalctl-1997  [001]  1212.941402: funcgraph_entry:                   |                  common_lsm_audit() {
      journalctl-1997  [001]  1212.941402: funcgraph_entry:                   |                    audit_log_start() {
      journalctl-1997  [001]  1212.941402: funcgraph_entry:        0.128 us   |                      audit_filter();
      journalctl-1997  [001]  1212.941403: funcgraph_entry:        0.037 us   |                      _raw_spin_lock_irqsave();
      journalctl-1997  [001]  1212.941403: funcgraph_entry:        0.045 us   |                      _raw_spin_unlock_irqrestore();
      journalctl-1997  [001]  1212.941404: funcgraph_entry:                   |                      __alloc_skb() {
      journalctl-1997  [001]  1212.941404: funcgraph_entry:        0.087 us   |                        kmem_cache_alloc_node();
      journalctl-1997  [001]  1212.941404: funcgraph_entry:                   |                        __kmalloc_reserve.isra.32() {
      journalctl-1997  [001]  1212.941404: funcgraph_entry:                   |                          __kmalloc_node_track_caller() {
      journalctl-1997  [001]  1212.941405: funcgraph_entry:        0.043 us   |                            kmalloc_slab();
      journalctl-1997  [001]  1212.941405: funcgraph_exit:         0.468 us   |                          }
      journalctl-1997  [001]  1212.941405: funcgraph_exit:         0.847 us   |                        }
      ...
~~~

Comment 3 Zdenek Pytela 2022-12-14 14:40:03 UTC
I don't see the setrlimit permission denial in current RHEL 8 and 9 systems.
In RHEL 8, it seems to have been added 2 years ago:

commit 5993c18a7a9e368ed47774fb397d28f6adf88590
Author: Zdenek Pytela <zpytela>
Date:   Tue Jun 23 12:15:10 2020 +0200

    * Tue Jun 23 2020 Zdenek Pytela <zpytela> - 3.14.3-46
    - Fix description tag for the sssd_connect_all_unreserved_ports tunable
    Related: rhbz#1826748
    - Allow journalctl process set its resource limits
    Resolves: rhbz#1825894

commit ee1e214ca11e100778dacdadd41820c8fa8290cb
Author: Zdenek Pytela <zpytela>
Date:   Thu Jun 18 16:33:59 2020 +0200

    Allow journalctl process set its resource limits

    Resolves: rhbz#1825894

diff --git a/journalctl.te b/journalctl.te
index 8f9792517..4a7d5ccb4 100644
--- a/journalctl.te
+++ b/journalctl.te
@@ -18,7 +18,7 @@ role journalctl_roles types journalctl_t;
 #
 # journalctl local policy
 #
-allow journalctl_t self:process { fork signal_perms };
+allow journalctl_t self:process { fork setrlimit signal_perms };
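Review bot: the `setrlimit` permission added here leaves two denials from the report unaddressed: the `{ sys_resource }` capability denial raised by the `(pager)` child (the `prctl(PR_SET_MM)` call in the audit record below) and the `{ read }` of `.lesshst` labelled `admin_home_t`. Since the capability is needed whenever journalctl invokes a pager, a companion `allow journalctl_t self:capability sys_resource;` (the subject of the linked pull 1588) belongs in the same series, and the commit message should state whether the `.lesshst` access is intentionally left out or handled separately.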


The sys_resource capability is only required when a pager is invoked together with journalctl.

type=PROCTITLE msg=audit(12/14/22 09:31:38.348:376) : proctitle=(pager)
type=SYSCALL msg=audit(12/14/22 09:31:38.348:376) : arch=x86_64 syscall=prctl success=no exit=EPERM(Operation not permitted) a0=PR_SET_MM a1=0x8 a2=0x7f08d6792000 a3=0x0 items=0 ppid=29105 pid=29106 auid=staff uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=10 comm=(pager) exe=/usr/bin/journalctl subj=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(12/14/22 09:31:38.348:376) : avc:  denied  { sys_resource } for  pid=29106 comm=(pager) capability=sys_resource  scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=0

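As an added example for this bug (not code from the report or from the selinux-policy project), the following Python script does for the AVC lines quoted in the description and in comment 3 what audit2allow does on a live system: it parses both the raw audit layout (quoted `comm=`, `capability=24`) and the `ausearch -i` interpreted layout (`comm=(pager)`, `capability=sys_resource`), aggregates the denials into one allow rule per source type, target and class, and then compares those rules with the ones proposed in the description to show which permissions the proposal grants beyond what was actually denied. The sample lines are copied from this bug; the function names are mine.

```python
"""Derive allow rules from the AVC denials quoted in this bug and compare them
with the rules proposed in the description.

Added example for bug 2136189 (not code from the report or from the
selinux-policy project): the sample audit lines below are copied from the
description and from comment 3; the function names are assumptions."""
import re
from collections import defaultdict

# Sample input (copied from this bug): raw audit lines from the description,
# one non-AVC record that must be skipped, and an `ausearch -i` interpreted
# AVC line from comment 3 (unquoted comm=, capability given by name).
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(1666189559.514:349): proctitle="journalctl"
type=AVC msg=audit(1666189913.115:242): avc:  denied  { sys_resource } for  pid=5560 comm="(pager)" capability=24  scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1666189913.117:243): avc:  denied  { read } for  pid=5560 comm="less" name=".lesshst" dev="dm-0" ino=33588461 scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1666189559.514:349): avc:  denied  { setrlimit } for  pid=2159 comm="journalctl" scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(12/14/22 09:31:38.348:376) : avc:  denied  { sys_resource } for  pid=29106 comm=(pager) capability=sys_resource  scontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=staff_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

# The rules proposed in the description of this bug.
PROPOSED_RULES = """\
allow journalctl_t self:capability sys_resource;
allow journalctl_t self:process setrlimit;
allow journalctl_t admin_home_t:file {ioctl read write getattr lock append open};
"""

# Matches both the raw and the interpreted AVC layout: the decision, the
# permission set in braces, and the three fields a rule is built from.
AVC_RE = re.compile(
    r"^type=AVC\b.*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

# Matches a simple allow rule with either a single permission or a brace set.
RULE_RE = re.compile(
    r"allow\s+(?P<stype>\S+)\s+(?P<target>[^:\s]+):(?P<tclass>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]*?)\s*\}|(?P<one>[^\s;]+))\s*;"
)


def type_of(context):
    """Third field of user:role:type[:range]; allow rules are keyed on types."""
    return context.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["permissive"] = None if rec["permissive"] is None else rec["permissive"] == "1"
    return rec


def rules_from_audit(text):
    """Aggregate denials into one allow rule per (source type, target, class)."""
    wanted = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        stype, ttype = type_of(rec["scontext"]), type_of(rec["tcontext"])
        wanted[(stype, ttype, rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def parse_rules(text):
    """Map (source type, target, class) -> set of permissions for allow rules."""
    parsed = defaultdict(set)
    for m in RULE_RE.finditer(text):
        perms = m["set"].split() if m["set"] is not None else [m["one"]]
        parsed[(m["stype"], m["target"], m["tclass"])].update(perms)
    return dict(parsed)


def excess_permissions(derived_rules, proposed_text):
    """Permissions the proposed rules grant that no logged denial asked for."""
    derived = parse_rules("\n".join(derived_rules))
    excess = {}
    for key, perms in parse_rules(proposed_text).items():
        extra = perms - derived.get(key, set())
        if extra:
            excess[key] = sorted(extra)
    return excess


if __name__ == "__main__":
    derived = rules_from_audit(SAMPLE_AUDIT)
    print("\n".join(derived))
    for key, extra in excess_permissions(derived, PROPOSED_RULES).items():
        print(f"proposed rule for {key} also grants: {' '.join(extra)}")
```

Running the block prints three rules, one each for the capability, the process class and the `admin_home_t` file, and reports that only `read` on `admin_home_t` files is backed by a logged denial: the wider `{ioctl read write getattr lock append open}` set in the proposed rule is a deliberate widening, not something the AVCs ask for, which is worth deciding consciously (a `dontaudit` for the harmless `.lesshst` read is the other usual option) rather than copying into a local module as-is.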
Comment 20 errata-xmlrpc 2023-05-16 09:04:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

