Bug 2173685 - [Regression] Executing bash from a system cronjob ends up executing as rpm_script_t
Summary: [Regression] Executing bash from a system cronjob ends up executing as rpm_sc...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.3
Assignee: Nobody
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On: 2154242
Blocks:
Reported: 2023-02-27 16:23 UTC by Zdenek Pytela
Modified: 2023-11-07 11:22 UTC (History)

Fixed In Version: selinux-policy-38.1.12-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of: 2154242
Environment:
Last Closed: 2023-11-07 08:52:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-149947 0 None None None 2023-02-27 16:25:01 UTC
Red Hat Product Errata RHBA-2023:6617 0 None None None 2023-11-07 08:52:36 UTC

Description Zdenek Pytela 2023-02-27 16:23:48 UTC
+++ This bug was initially created as a clone of Bug #2154242 +++

Description of problem:

Since fixing BZ #2118362, we can observe that executing bash from a system cronjob leads to executing in rpm_script_t context, which is not really appropriate.

See below a simple reproducer using *runcon* to emulate a system cronjob:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# runcon system_u:system_r:system_cronjob_t:s0 /bin/bash -c "/bin/bash -c 'sleep 1234'"
^Z

# ps -eafZ | grep sleep
system_u:system_r:rpm_script_t:s0 root      2059    1931  0 11:09 pts/0    00:00:00 sleep 1234
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The root cause for this is the following (new) transition rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sesearch -T -s system_cronjob_t | grep rpm_script_t
type_transition system_cronjob_t shell_exec_t:process rpm_script_t;
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Faulty Fedora commit is:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
commit cb33da5ae004343f679e5db4e254061291664046
Author: Zdenek Pytela <zpytela>
Date:   Thu Aug 25 20:31:54 2022 +0200

    Allow system_cronjob_t domtrans to rpm_script_t
    
    This permission is required for rpm-like programs executed from system
    cronjobs, e. g. /etc/crontab.
    
    Resolves: rhbz#2118362
---
 policy/modules/contrib/cron.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index c8349c7aa..73d1245df 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -544,6 +544,7 @@ ifdef(`distro_redhat',`
 
        # via redirection of standard out.
        optional_policy(`
+               rpm_domtrans_script(system_cronjob_t)
                rpm_manage_log(system_cronjob_t)
        ')
 ')
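Review bot: `rpm_domtrans_script(system_cronjob_t)` is the wrong interface for the goal stated in the commit message. It expands to `corecmd_shell_domtrans($1, rpm_script_t)`, i.e. `type_transition system_cronjob_t shell_exec_t:process rpm_script_t;`, so every shell a system cronjob executes, not only rpm-like programs, ends up in `rpm_script_t` (the reproducer's `sleep` lands there). If the intent is to let `/etc/crontab` jobs run `/usr/bin/rpm`, key the transition on `rpm_exec_t` with `rpm_domtrans(system_cronjob_t)` instead. The added line also carries no comment, whereas the neighbouring `rpm_manage_log(system_cronjob_t)` is explained by the `# via redirection of standard out.` comment above it; a short note on which cronjob needs rpm would help the next reviewer.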
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The policy (including Fedora policy) contains the following snippets leading to the issue:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
interface(`rpm_domtrans_script',`
        [...]
        # transition to rpm script:
        corecmd_shell_domtrans($1, rpm_script_t)
        [...]
')

interface(`corecmd_shell_domtrans',`
        [...]
        type_transition $1 shell_exec_t:process $2;
')
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

These interfaces, when applied to `system_cronjob_t`, make all `shell_exec_t` processes (typically shells, including `bash`) transition to `rpm_script_t` if the process was executing as `system_cronjob_t`, which is your case here.

This is hence clearly a bug: the rule `rpm_domtrans_script(system_cronjob_t)` is wrong; it should likely be `rpm_domtrans(system_cronjob_t)`, which tells it to transition when the `/usr/bin/rpm` binary (`rpm_exec_t`) is executed from a system cron.


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-108.el8.noarch

How reproducible:

Always, see above.

--- Additional comment from Renaud Métrich on 2022-12-16 13:03:36 CET ---

I've created the BZ as Urgent because there is no workaround: it's not possible to add another transition rule to force staying as system_cronjob_t.

--- Additional comment from RHEL Program Management on 2023-01-12 08:28:12 CET ---

DevMissed

The Current Deadline for this BZ has passed. Please discuss with your PO & QE Contact and revise the Current Deadline in one of the following ways:

1. Update the Devel Target Milestone (DTM) to when you think the work will be ready for verification.
2. Set a Custom Deadline Type and Date to when you think the work will be ready for verification. 
3. Update the Internal Target Milestone (ITM) according to QE guidance.  In the absence of 1 and 2 above, the Current Deadline is automatically set to 6 days before the ITM date.

Note that BZs that miss their due date by more than 2 weeks will automatically lose their ITM and thus their release+. Resetting ITM will cause release+ to be restored.

More details about deadline management are available at https://one.redhat.com/rhel-developer-guide/#proc_using-deadlines-to-prioritize-work_assembly_development

--- Additional comment from Renaud Métrich on 2023-02-03 15:12:18 CET ---

Hi Zdenek,

Please consider this as really urgent, there is no workaround available.
It appears this also makes chronyd report an AVC when chronyc is called from the system cron:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(01/22/2023 03:06:07.420:30833) : proctitle=/usr/sbin/chronyd -4
type=PATH msg=audit(01/22/2023 03:06:07.420:30833) : item=0 name=/run/chrony/chronyc.2001132.sock inode=10601380 dev=00:18 mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:chronyd_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/22/2023 03:06:07.420:30833) : cwd=/
type=SOCKADDR msg=audit(01/22/2023 03:06:07.420:30833) : saddr={ saddr_fam=local path=/run/chrony/chronyc.2001132.sock }
type=SYSCALL msg=audit(01/22/2023 03:06:07.420:30833) : arch=x86_64 syscall=sendmsg success=no exit=EACCES(Permission denied) a0=0x9 a1=0x7fff9b671890 a2=0x0 a3=0x0 items=1 ppid=1 pid=992 auid=unset uid=chrony gid=chrony euid=chrony suid=chrony fsuid=chrony egid=chrony sgid=chrony fsgid=chrony tty=(none) ses=unset comm=chronyd exe=/usr/sbin/chronyd subj=system_u:system_r:chronyd_t:s0 key=(null)
type=AVC msg=audit(01/22/2023 03:06:07.420:30833) : avc:  denied  { sendto } for  pid=992 comm=chronyd path=/run/chrony/chronyc.2001132.sock scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

--- Additional comment from Zdenek Pytela on 2023-02-07 11:12:11 CET ---

Engineering is paying attention to this bz and expects to address it during the RHEL 8.8 development cycle.

--- Additional comment from Milos Malik on 2023-02-08 10:19:12 CET ---

Test coverage for this BZ exists in the form of an MR:
 * https://gitlab.com/redhat/rhel/tests/selinux-policy/-/merge_requests/78

The MR waits for review.

--- Additional comment from RHEL Program Management on 2023-02-09 08:28:15 CET ---

DevMissed

--- Additional comment from RHEL Program Management on 2023-02-16 08:28:09 CET ---

DevMissed

--- Additional comment from Zdenek Pytela on 2023-02-16 14:12:37 CET ---

https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/merge_requests/817/diffs?commit_id=8babc55679b2189531636acd1c1e323b74d51d29
https://gitlab.cee.redhat.com/SELinux/selinux-policy/-/merge_requests/817/diffs?commit_id=96ceec67fe0171031a199bfae5d51b6eb1342954
commit 8babc55679b2189531636acd1c1e323b74d51d29 (HEAD -> rhel8.8-contrib, upstream/rhel8.8-contrib, origin/rhel8.8-contrib)
Author: Zdenek Pytela <zpytela>
Date:   Thu Feb 16 13:04:48 2023 +0100

    Allow system_cronjob_t transition to rpm_script_t

    This permission is required for rpm-like programs (rpm, dnf)
    executed from system cronjobs, e. g. /etc/crontab.

    Resolves: rhbz#2154242

commit 96ceec67fe0171031a199bfae5d51b6eb1342954
Author: Zdenek Pytela <zpytela>
Date:   Thu Feb 16 14:09:14 2023 +0100

    Revert "Allow system_cronjob_t domtrans to rpm_script_t"

    This reverts commit 5e2c252146f379cd25df50de97816f6771d9d79b,
    which incorrectly used rpm_domtrans_script() which allows
    transition to rpm_script_t for any executed script.

    Resolves: rhbz#2154242

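To make the difference between the faulty and the corrected rule concrete, here is an added model (not code from the bug report or from selinux-policy) that parses `sesearch -T`-style `type_transition` lines and follows the reproducer's exec chain. The policy excerpts are constructed; the model only applies process type transitions and ignores the allow/entrypoint rules that also gate a real domain transition, and `rpm_t` as the target of `rpm_domtrans()` is an assumption the page does not state.

```python
import re
from typing import Dict, List, Tuple

# sesearch -T prints process transitions as:
#   type_transition system_cronjob_t shell_exec_t:process rpm_script_t;
RULE_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):process\s+(\w+);$")

def parse_transitions(text: str) -> Dict[Tuple[str, str], str]:
    """Map (source domain, executable file type) -> new domain."""
    rules: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src, exec_type, new_domain = m.groups()
            rules[(src, exec_type)] = new_domain
    return rules

def resolve_exec_chain(rules: Dict[Tuple[str, str], str],
                       start_domain: str, exec_types: List[str]) -> List[str]:
    """Follow a chain of exec()s; with no matching type_transition the
    domain is inherited (simplification: allow/entrypoint rules not modelled)."""
    domain, trail = start_domain, [start_domain]
    for exec_type in exec_types:
        domain = rules.get((domain, exec_type), domain)
        trail.append(domain)
    return trail

# Constructed excerpts, not real sesearch output.
# What rpm_domtrans_script(system_cronjob_t) expands to via corecmd_shell_domtrans:
FAULTY = "type_transition system_cronjob_t shell_exec_t:process rpm_script_t;"
# What rpm_domtrans(system_cronjob_t) expands to; rpm_t as target is an assumption:
FIXED = "type_transition system_cronjob_t rpm_exec_t:process rpm_t;"

# The bug's reproducer: bash -c "bash -c 'sleep 1234'" started as system_cronjob_t
# (bash is shell_exec_t, sleep is a plain bin_t binary).
REPRODUCER = ["shell_exec_t", "shell_exec_t", "bin_t"]

def final_domain(policy: str, chain: List[str]) -> str:
    """Domain the last process in the chain runs in under the given policy."""
    return resolve_exec_chain(parse_transitions(policy), "system_cronjob_t", chain)[-1]

if __name__ == "__main__":
    for name, policy in (("faulty", FAULTY), ("fixed", FIXED)):
        trail = resolve_exec_chain(parse_transitions(policy), "system_cronjob_t", REPRODUCER)
        print(f"{name}: {' -> '.join(trail)}")
```

Under the faulty excerpt the chain ends in `rpm_script_t`, matching the `ps -eafZ` output in the report; under the corrected one the shells stay in `system_cronjob_t` and only an `rpm_exec_t` binary transitions.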
Comment 14 errata-xmlrpc 2023-11-07 08:52:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6617
