Description of problem:
# grep ConditionPathExists /usr/lib/systemd/user/restorecond_user.service
ConditionPathExists=/etc/selinux/restorecond_user.conf
#

Version-Release number of selected component (if applicable):
policycoreutils-3.5-1.el9.x86_64
policycoreutils-dbus-3.5-1.el9.noarch
policycoreutils-devel-3.5-1.el9.x86_64
policycoreutils-gui-3.5-1.el9.noarch
policycoreutils-newrole-3.5-1.el9.x86_64
policycoreutils-python-utils-3.5-1.el9.noarch
policycoreutils-restorecond-3.5-1.el9.x86_64
policycoreutils-sandbox-3.5-1.el9.x86_64
selinux-policy-38.1.11-2.el9_2.noarch
selinux-policy-devel-38.1.11-2.el9_2.noarch
selinux-policy-doc-38.1.11-2.el9_2.noarch
selinux-policy-mls-38.1.11-2.el9_2.noarch
selinux-policy-targeted-38.1.11-2.el9_2.noarch

How reproducible:
* always

Steps to Reproduce:
1. get a RHEL-9.2 machine (targeted policy is active)
2. create a new user that is confined by SELinux (staff_u, user_u)
   # useradd -Z ... ...
3. set password for the new user
4. log in as the new user
5. start the restorecond_user service
   $ systemctl --user start restorecond_user.service
6. search for SELinux denials

Actual results:
----
type=PROCTITLE msg=audit(04/21/2023 09:46:01.146:401) : proctitle=/usr/sbin/restorecond -u
type=PATH msg=audit(04/21/2023 09:46:01.146:401) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 09:46:01.146:401) : cwd=/home/staff-user
type=SYSCALL msg=audit(04/21/2023 09:46:01.146:401) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x561514d3a2e0 a2=0x42 a3=0x0 items=1 ppid=4599 pid=4717 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=3 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc: denied { watch } for pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(04/21/2023 09:55:38.472:584) : proctitle=/usr/sbin/restorecond -u
type=PATH msg=audit(04/21/2023 09:55:38.472:584) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 09:55:38.472:584) : cwd=/home/user-user
type=SYSCALL msg=audit(04/21/2023 09:55:38.472:584) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5633587ec2e0 a2=0x42 a3=0x0 items=1 ppid=8974 pid=9096 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=8 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc: denied { watch } for pid=9096 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
----

Expected results:
* no SELinux denials
* the restorecond_user service runs in enforcing mode
Triggered by a staff_u user in permissive mode:
----
type=PROCTITLE msg=audit(04/21/2023 10:49:01.430:1193) : proctitle=systemctl --user status restorecond_user.service
type=PATH msg=audit(04/21/2023 10:49:01.430:1193) : item=0 name=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 inode=632670 dev=fd:02 mode=file,640 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 10:49:01.430:1193) : cwd=/home/staff-user
type=SYSCALL msg=audit(04/21/2023 10:49:01.430:1193) : arch=x86_64 syscall=openat success=yes exit=6 a0=AT_FDCWD a1=0x56096bb9b210 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=1 ppid=28643 pid=28698 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=tty2 ses=15 comm=systemctl exe=/usr/bin/systemctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc: denied { open } for pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc: denied { read } for pid=28698 comm=systemctl name=user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/21/2023 10:49:01.430:1194) : proctitle=systemctl --user status restorecond_user.service
type=MMAP msg=audit(04/21/2023 10:49:01.430:1194) : fd=6 flags=MAP_SHARED
type=SYSCALL msg=audit(04/21/2023 10:49:01.430:1194) : arch=x86_64 syscall=mmap success=yes exit=140430488371200 a0=0x0 a1=0x3e9000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=28643 pid=28698 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=tty2 ses=15 comm=systemctl exe=/usr/bin/systemctl subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/21/2023 10:49:01.430:1194) : avc: denied { map } for pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/21/2023 10:49:08.618:1201) : proctitle=/usr/sbin/restorecond -u
type=PATH msg=audit(04/21/2023 10:49:08.618:1201) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 10:49:08.618:1201) : cwd=/home/staff-user
type=SYSCALL msg=audit(04/21/2023 10:49:08.618:1201) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0x3 a1=0x555a701ed2e0 a2=0x42 a3=0x0 items=1 ppid=28630 pid=28716 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=16 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/21/2023 10:49:08.618:1201) : avc: denied { watch } for pid=28716 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
----

Triggered by a user_u user in permissive mode:
----
type=PROCTITLE msg=audit(04/21/2023 10:51:29.598:1253) : proctitle=/usr/sbin/restorecond -u
type=PATH msg=audit(04/21/2023 10:51:29.598:1253) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 10:51:29.598:1253) : cwd=/home/user-user
type=SYSCALL msg=audit(04/21/2023 10:51:29.598:1253) : arch=x86_64 syscall=inotify_add_watch success=yes exit=5 a0=0x3 a1=0x5622633a22e0 a2=0x42 a3=0x0 items=1 ppid=30045 pid=30128 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=18 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(04/21/2023 10:51:29.598:1253) : avc: denied { watch } for pid=30128 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/21/2023 10:51:30.711:1254) : proctitle=systemctl --user status restorecond_user.service
type=PATH msg=audit(04/21/2023 10:51:30.711:1254) : item=0 name=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1003.journal inode=642216 dev=fd:02 mode=file,640 ouid=root ogid=systemd-journal rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/21/2023 10:51:30.711:1254) : cwd=/home/user-user
type=SYSCALL msg=audit(04/21/2023 10:51:30.711:1254) : arch=x86_64 syscall=openat success=yes exit=6 a0=AT_FDCWD a1=0x55de346d84c0 a2=O_RDONLY|O_NONBLOCK|O_CLOEXEC a3=0x0 items=1 ppid=30058 pid=30133 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=tty3 ses=17 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(04/21/2023 10:51:30.711:1254) : avc: denied { open } for pid=30133 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1003.journal dev="vda2" ino=642216 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:51:30.711:1254) : avc: denied { read } for pid=30133 comm=systemctl name=user-1003.journal dev="vda2" ino=642216 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/21/2023 10:51:30.712:1255) : proctitle=systemctl --user status restorecond_user.service
type=MMAP msg=audit(04/21/2023 10:51:30.712:1255) : fd=6 flags=MAP_SHARED
type=SYSCALL msg=audit(04/21/2023 10:51:30.712:1255) : arch=x86_64 syscall=mmap success=yes exit=140177477468160 a0=0x0 a1=0x800000 a2=PROT_READ a3=MAP_SHARED items=0 ppid=30058 pid=30133 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=tty3 ses=17 comm=systemctl exe=/usr/bin/systemctl subj=user_u:user_r:user_t:s0 key=(null)
type=AVC msg=audit(04/21/2023 10:51:30.712:1255) : avc: denied { map } for pid=30133 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1003.journal dev="vda2" ino=642216 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
----
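The enforcing-mode run in the original report stops at the first denial (restorecond cannot even set up its inotify watch on the config file), while the permissive-mode runs in the follow-up also surface the journal-file accesses that `systemctl --user status` needs. The script below is an added example, not part of the bug report or of policycoreutils; it parses AVC records in the `ausearch -i` layout shown above into the same `allow` rules that audit2allow would print, and separates what was actually blocked (permissive=0) from what was only logged (permissive=1). The sample input is constructed from the AVC lines quoted in this report; the function names and the summary format are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in this bug report, ausearch -i format.
# Record 401 is the enforcing-mode denial; the rest were logged in permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc: denied { watch } for pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc: denied { open } for pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:01.430:1193) : avc: denied { read } for pid=28698 comm=systemctl name=user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:01.430:1194) : avc: denied { map } for pid=28698 comm=systemctl path=/var/log/journal/2b3cc966022746d69eff961690e0e215/user-1000 dev="vda2" ino=632670 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:49:08.618:1201) : avc: denied { watch } for pid=28716 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/21/2023 10:51:29.598:1253) : avc: denied { watch } for pid=30128 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=1
"""

# Fields of one AVC record that matter for a policy rule. The permission list
# may hold several names ("{ read write }"), hence the non-greedy group.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r".*?comm=(?P<comm>\S+)"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"\s+permissive=(?P<permissive>[01])"
)


def type_of(context):
    # user:role:type[:range] -> type; the MLS/MCS range is irrelevant to an allow rule.
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per AVC line; non-AVC records (PATH, SYSCALL, ...) are skipped."""
    avcs = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        avcs.append({
            "perms": frozenset(m["perms"].split()),
            "comm": m["comm"],
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "permissive": m["permissive"] == "1",
        })
    return avcs


def allow_rules(avcs):
    """Merge denials per (source type, target type, class) into audit2allow-style rules."""
    merged = defaultdict(set)
    for a in avcs:
        merged[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in merged.items()
    )


def split_by_mode(avcs):
    """Rules that were really blocked (enforcing) vs. rules only observed in permissive mode."""
    enforcing = [a for a in avcs if not a["permissive"]]
    permissive = [a for a in avcs if a["permissive"]]
    return allow_rules(enforcing), allow_rules(permissive)


if __name__ == "__main__":
    blocked, observed = split_by_mode(parse_avcs(SAMPLE_AUDIT))
    print("blocked in enforcing mode:")
    print("\n".join("  " + r for r in blocked))
    print("logged in permissive mode:")
    print("\n".join("  " + r for r in observed))
```

On the report's data the enforcing list holds the single `watch` rule for `staff_t` on `selinux_config_t`, while the permissive list also carries the `map open read` access that `systemctl --user status` makes to the user journal under `var_log_t`; a fix judged only from the enforcing-mode log would miss that second set. The rules are what audit2allow would propose, not a recommendation to load them locally: whether confined users should get these permissions, and through which policy interface, is the selinux-policy maintainers' decision.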