Bug 2143762 - SELinux is preventing /usr/bin/sudo from open access on the file /var/log/sudo.log.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.7
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.8
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2160388
Reported: 2022-11-17 18:32 UTC by ShermB
Modified: 2023-05-16 11:02 UTC

Fixed In Version: selinux-policy-3.14.3-114.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Clones: 2160388
Environment:
Last Closed: 2023-05-16 09:04:17 UTC
Type: ---
Target Upstream Version:
Embargoed:




Links:
- GitHub fedora-selinux/selinux-policy pull 1545 (open): Allow sudodomain use sudo.log as a logfile (last updated 2023-01-04 08:23:26 UTC)
- Red Hat Issue Tracker RHELPLAN-139852 (last updated 2022-11-17 18:36:13 UTC)
- Red Hat Product Errata RHBA-2023:2965 (last updated 2023-05-16 09:04:37 UTC)

Internal Links: 2164047

Description ShermB 2022-11-17 18:32:47 UTC

After creating a user, adding the user to wheel, and mapping the group (or user) to sysadm_u, sudo shows an error. I do not expect to see the error message.



Reproducible: Always

Steps to Reproduce:
1. CREATE USER
# useradd -Z sysadm_u user1
# passwd user1
# usermod -aG wheel user1


2. MAP group wheel to sysadm_u
# setsebool -P ssh_sysadm_login on
# semanage login -a -s sysadm_u %wheel


3. SSH LOGIN
ssh user1@mycomputer
$ id
uid=1002(user1) gid=1002(user1) groups=1002(user1),10(wheel) context=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023


4. TRY SUDO
$ sudo -i 
[sudo] password for user1:
sudo: unable to open log file: /var/log/sudo.log: Permission denied
#

Actual Results:  
sudo appears to work, but I see the following error:
 ==> sudo: unable to open log file: /var/log/sudo.log: Permission denied


Expected Results:  
sudo should work without the following error:
 ==> sudo: unable to open log file: /var/log/sudo.log: Permission denied

1. GENERAL INFO
RHEL 8.7
FIPS enabled
SELinux enforced


2. USER1
$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

$ ls -dZ /home/user1
sysadm_u:object_r:user_home_dir_t:s0 /home/user1/

$ groups 
user1 wheel


3. SSH SYSADM LOGIN IS ENABLED
# getsebool -a | grep ssh_sysadm_login
ssh_sysadm_login --> on


4. SE USER INFO
# semanage user -l | egrep 'SELinux|sysadm_u'
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r


5. SE LOGIN INFO
# semanage login -l | egrep 'Login|%wheel'
Login Name           SELinux User         MLS/MCS Range        Service
%wheel               sysadm_u             s0-s0:c0.c1023       *


6. SELinux is preventing /usr/bin/sudo from open access on the file /var/log/sudo.log.
Source Context                sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:var_log_t:s0
Target Objects                /var/log/sudo.log [ file ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port                          <Unknown>
Host                          mycomputer
Source RPM Packages           sudo-1.8.29-8.el8.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-108.el8.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-108.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     mycomputer
Platform                      Linux mycomputer 4.18.0-425.3.1.el8.x86_64 #1
                              SMP Fri Sep 30 11:45:06 EDT 2022 x86_64 x86_64
Alert Count                   7
First Seen                    2022-11-16 16:37:33 EST
Last Seen                     2022-11-16 19:11:53 EST
Local ID                      d431e909-3d1a-4802-bc57-840c565e5559

Comment 1 ShermB 2022-11-17 19:17:06 UTC
NOTE: 
I see the error regardless of how wheel is configured in /etc/sudoers:

a.
%wheel  ALL=(ALL)       ALL

b.
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Comment 2 Milos Malik 2022-11-24 17:33:21 UTC
----
type=PROCTITLE msg=audit(11/24/2022 12:28:59.337:678) : proctitle=sudo -i 
type=PATH msg=audit(11/24/2022 12:28:59.337:678) : item=1 name=/var/log/sudo.log inode=4581054 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/24/2022 12:28:59.337:678) : item=0 name=/var/log/ inode=4220598 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/24/2022 12:28:59.337:678) : cwd=/home/user1 
type=SYSCALL msg=audit(11/24/2022 12:28:59.337:678) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55e5e1510840 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=20776 pid=20806 auid=user1 uid=root gid=user1 euid=root suid=root fsuid=root egid=root sgid=user1 fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/24/2022 12:28:59.337:678) : avc:  denied  { open } for  pid=20806 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0 
----

The /var/log/sudo.log file is not created by default, but the following option helps to reproduce the issue:

# grep sudo.log /etc/sudoers
Defaults logfile=/var/log/sudo.log
#

# rpm -qa selinux\* sudo\* | sort
selinux-policy-3.14.3-110.el8.noarch
selinux-policy-devel-3.14.3-110.el8.noarch
selinux-policy-targeted-3.14.3-110.el8.noarch
sudo-1.8.29-8.el8.x86_64
#

Comment 3 Milos Malik 2022-11-24 17:35:56 UTC
The following SELinux denial appears in permissive mode:
----
type=PROCTITLE msg=audit(11/24/2022 12:34:12.982:688) : proctitle=sudo -i 
type=PATH msg=audit(11/24/2022 12:34:12.982:688) : item=1 name=/var/log/sudo.log inode=4581054 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(11/24/2022 12:34:12.982:688) : item=0 name=/var/log/ inode=4220598 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(11/24/2022 12:34:12.982:688) : cwd=/home/user1 
type=SYSCALL msg=audit(11/24/2022 12:34:12.982:688) : arch=x86_64 syscall=openat success=yes exit=6 a0=AT_FDCWD a1=0x55581b0a2840 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=20776 pid=20860 auid=user1 uid=root gid=user1 euid=root suid=root fsuid=root egid=root sgid=user1 fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(11/24/2022 12:34:12.982:688) : avc:  denied  { open } for  pid=20860 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1 
----

The following error message does NOT appear in permissive mode:

sudo: unable to open log file: /var/log/sudo.log: Permission denied

Comment 4 Milos Malik 2022-11-24 17:44:04 UTC
# matchpathcon /var/log/sudo.log
/var/log/sudo.log	system_u:object_r:var_log_t:s0
# seinfo -t | grep sudo_log
   sudo_log_t
# semanage fcontext -l | grep sudo_log
/var/log/sudo-io(/.*)?                             all files          system_u:object_r:sudo_log_t:s0 
# man sudoers | col -b | grep -C 2 sudo.log
     Defaults:FULLTIMERS     !lecture
     Defaults:millert	     !authenticate
     Defaults@SERVERS	     log_year, logfile=/var/log/sudo.log
     Defaults!PAGERS	     noexec

#
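
Comment 4 shows why the file ends up as var_log_t: the only sudo_log_t file-context entry covers /var/log/sudo-io, so matchpathcon falls through to the generic /var/log entry. The following script is an added illustration of that lookup, not code from this report or from selinux-policy. It models file_contexts matching on a constructed subset of entries: the sudo-io line from Comment 4 plus a /var/log(/.*)? var_log_t entry assumed to be present in the targeted policy, and a hypothetical local entry equivalent to `semanage fcontext -a -t sudo_log_t -f f "/var/log/sudo\.log"`. The match_context, type_of and relabel_needed functions are the example's own names.

```python
import re

# Constructed subset of file_contexts entries in spec order. The sudo-io entry is
# the one listed by "semanage fcontext -l" in Comment 4; the /var/log(/.*)? entry
# is the generic var_log_t spec assumed to be present in the targeted policy.
BASE_FILE_CONTEXTS = [
    ("/var/log(/.*)?", "all files", "system_u:object_r:var_log_t:s0"),
    ("/var/log/sudo-io(/.*)?", "all files", "system_u:object_r:sudo_log_t:s0"),
]

# Hypothetical local entry, the equivalent of
#   semanage fcontext -a -t sudo_log_t -f f "/var/log/sudo\.log"
# appended after the base entries the way file_contexts.local entries are.
LOCAL_SUDO_LOG_ENTRY = (r"/var/log/sudo\.log", "regular file", "system_u:object_r:sudo_log_t:s0")


def match_context(path, entries, file_type="regular file"):
    """Return the context the given spec list assigns to path, or None.

    libselinux takes the last matching spec; the policy build and libselinux
    order specs so that more specific patterns come later, and this ordered
    list follows that convention.
    """
    winner = None
    for regex, spec_type, context in entries:
        if spec_type != "all files" and spec_type != file_type:
            continue
        if re.fullmatch(regex, path):
            winner = context
    return winner


def type_of(context):
    """Type field (third colon-separated field) of an SELinux context."""
    return context.split(":")[2]


def relabel_needed(path, current_context, entries):
    """Mimic 'restorecon -n': report (current_type, expected_type) on a type mismatch.

    restorecon compares only the type by default (user and role are left alone
    unless -F is given), so the sysadm_u vs system_u difference visible in the
    ls -Z output of Comment 7 is not by itself a reason to relabel.
    """
    expected = match_context(path, entries)
    if expected is None:
        return None
    current_type, expected_type = type_of(current_context), type_of(expected)
    return None if current_type == expected_type else (current_type, expected_type)


if __name__ == "__main__":
    for p in ("/var/log/sudo.log", "/var/log/sudo-io/00/00/01/log", "/var/log/messages"):
        print(p, "->", match_context(p, BASE_FILE_CONTEXTS))
    with_local = BASE_FILE_CONTEXTS + [LOCAL_SUDO_LOG_ENTRY]
    print("with local entry:", match_context("/var/log/sudo.log", with_local))
    # Label observed in Comment 7 after sudo created the file in permissive mode
    print(relabel_needed("/var/log/sudo.log", "sysadm_u:object_r:var_log_t:s0", with_local))
```

Run as-is, the base list resolves /var/log/sudo.log to var_log_t exactly as matchpathcon does in Comment 4, while the sudo-io path resolves to sudo_log_t; appending the local entry flips the answer for sudo.log and makes relabel_needed report the var_log_t to sudo_log_t change that restorecon would apply.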

Comment 7 Milos Malik 2023-01-09 14:54:20 UTC
The /var/log/sudo.log file does not exist by default. The default configuration of sudo is to log into syslog.

When the reproducer is executed in enforcing mode, the following SELinux denial appears:
----
type=PROCTITLE msg=audit(01/09/2023 09:48:12.182:4260) : proctitle=sudo -i 
type=PATH msg=audit(01/09/2023 09:48:12.182:4260) : item=0 name=/var/log/ inode=4215926 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/09/2023 09:48:12.182:4260) : cwd=/home/sysadm-user 
type=SYSCALL msg=audit(01/09/2023 09:48:12.182:4260) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55a2e225af30 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=1 ppid=6114 pid=6143 auid=sysadm-user uid=root gid=sysadm-user euid=root suid=root fsuid=root egid=root sgid=sysadm-user fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/09/2023 09:48:12.182:4260) : avc:  denied  { create } for  pid=6143 comm=sudo name=sudo.log scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=0 
----

Here are SELinux denials which appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/09/2023 09:49:17.347:4308) : proctitle=sudo -i 
type=PATH msg=audit(01/09/2023 09:49:17.347:4308) : item=1 name=/var/log/sudo.log inode=4750837 dev=fd:01 mode=file,600 ouid=root ogid=root rdev=00:00 obj=sysadm_u:object_r:var_log_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/09/2023 09:49:17.347:4308) : item=0 name=/var/log/ inode=4215926 dev=fd:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/09/2023 09:49:17.347:4308) : cwd=/home/sysadm-user 
type=SYSCALL msg=audit(01/09/2023 09:49:17.347:4308) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x55fabf8eef30 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=6203 pid=6233 auid=sysadm-user uid=root gid=sysadm-user euid=root suid=root fsuid=root egid=root sgid=sysadm-user fsgid=root tty=pts1 ses=10 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/09/2023 09:49:17.347:4308) : avc:  denied  { open } for  pid=6233 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4750837 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/09/2023 09:49:17.347:4308) : avc:  denied  { create } for  pid=6233 comm=sudo name=sudo.log scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=1 
----

# ls -ilZ /var/log/sudo.log 
4750837 -rw-------. 1 root root sysadm_u:object_r:var_log_t:s0 102 Jan  9 09:49 /var/log/sudo.log
#

SELinux policy already defines the sudo_log_t type. Unfortunately, it is not a default type for the /var/log/sudo.log file.
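
The denials in Comments 2, 3 and 7 differ in one detail that matters for triage: in enforcing mode the first attempt fails on { open } (file already present) or { create } (file absent), while in permissive mode both permissions are logged for one openat. The script below is an added example, not code from this report or from selinux-policy, that parses AVC records the way audit2allow groups them and keeps enforced and permissive-mode hits apart so the pair in Comment 7 is not misread as two separate problems. SAMPLE_AUDIT is constructed from the records quoted in those comments plus one SYSCALL line; parse_avc, summarize and proposed_rule are the example's own names.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from Comments 2, 3 and 7 of this report,
# plus one non-AVC record to show that other audit record types are skipped.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(11/24/2022 12:28:59.337:678) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=sudo exe=/usr/bin/sudo
type=AVC msg=audit(11/24/2022 12:28:59.337:678) : avc:  denied  { open } for  pid=20806 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(11/24/2022 12:34:12.982:688) : avc:  denied  { open } for  pid=20860 comm=sudo path=/var/log/sudo.log dev="vda1" ino=4581054 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(01/09/2023 09:48:12.182:4260) : avc:  denied  { create } for  pid=6143 comm=sudo name=sudo.log scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<stamp>[^)]*)\)\s*:\s*avc:\s+(?P<decision>denied|granted)"
    r"\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Type field of an SELinux context (user:role:type[:range])."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "stamp": m.group("stamp"),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # 'path' is present once the file exists; a failed create carries only 'name'
        "target": fields.get("path") or fields.get("name"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def summarize(audit_text):
    """Group denials by (source type, target type, class) as audit2allow does,
    with separate counts for enforced (permissive=0) and permissive-mode records."""
    groups = defaultdict(lambda: {"perms": set(), "enforced": 0, "permissive": 0, "targets": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["permissive" if rec["permissive"] else "enforced"] += 1
        g["targets"].add(rec["target"])
    return dict(groups)


def proposed_rule(key, group):
    """The allow rule audit2allow would print for one group."""
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(group['perms']))} }};"


if __name__ == "__main__":
    for key, group in summarize(SAMPLE_AUDIT).items():
        print(proposed_rule(key, group),
              f"# enforced={group['enforced']} permissive={group['permissive']}",
              f"targets={sorted(group['targets'])}")
```

On the sample this collapses to a single group, sysadm_sudo_t on var_log_t:file with { create open }. That is the rule a local module generated from these denials would contain, and it grants the sudo domain create and open on everything labelled var_log_t; the observation in Comment 7 that sudo_log_t already exists points at the narrower fix the upstream commit took, giving /var/log/sudo.log its own label rather than widening access to the whole var_log_t class.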

Comment 10 Zdenek Pytela 2023-01-12 10:24:02 UTC
To backport:
commit 2ce62be20d635fc9ac5c878a650bd817e0be4fa0 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Jan 4 09:17:46 2023 +0100

    Allow sudodomain use sudo.log as a logfile

Comment 20 errata-xmlrpc 2023-05-16 09:04:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2965

