Bug 233313 - LSPP: sysadm_r gets permission denied when using netlabelctl
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-03-21 11:43 EDT by Loulwa Salem
Modified: 2010-10-22 09:51 EDT (History)
Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Description Loulwa Salem 2007-03-21 11:43:29 EDT
Description of problem:
When sysadm_r tries to execute any netlabelctl command, it gets a permission denied.

Version-Release number of selected component (if applicable):
I am running the lspp.69 and the latest policy-45 and openssh-20 (basically the system is up to date from Steve's repo).

How reproducible:
always

Steps to Reproduce:
1 - ssh into system with your admin user as sysadm role
    ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
2 - switch to root
    /bin/su -
3 - execute any netlabel command
    netlabelctl cipsov4 add pass doi:1 tags:1   

Actual results:
[root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
-bash: /sbin/netlabelctl: Permission denied

Expected results:
command pass and I see appropriate audit record in log (CIPSO_ADD in this case)

Additional info:
Sample steps output:
[root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
Password:
Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
[ealuser/sysadm_r/SystemLow ~]$ /bin/su -
Password:
[root/sysadm_r/SystemLow ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
-bash: /sbin/netlabelctl: Permission denied 

---- netlabel related records (the only 2 records I see when I get perm denied)
type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid:  invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for scontext=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2007-03-22 16:24:06 EDT
Fixed in selinux-policy-2.4.6-47
Comment 2 RHEL Product and Program Management 2007-03-22 16:43:13 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 Loulwa Salem 2007-03-23 11:29:55 EDT
Thanks for the fix, I'll try it out, but will you please point me to where I can get the -47 policy?
It is not on Dan's people page or Steve's lspp repo.
Comment 5 Joy Latten 2007-03-26 17:58:56 EDT
Looks like the same thing is happening when I try to start racoon for labeled
ipsec. I have not seen this before. I was running version 38 policy and updated
to version 45.

type=SELINUX_ERR msg=audit(1174945035.957:573): security_compute_sid:  invalid context staff_u:system_r:racoon_t:s0-s15:c0.c1023 for scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:racoon_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174945035.957:573): arch=14 syscall=11 success=no exit=-13 a0=100fccc8 a1=100f7000 a2=100f7d58 a3=0 items=0 ppid=16978 pid=17013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
Comment 6 Joy Latten 2007-03-26 18:02:19 EDT
Forgot to add that I ssh in as ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 and then do a /bin/su -

semanage login -l 
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    SystemLow
abat                      abat_u                    SystemLow-SystemHigh
abatroot                  abat_u                    SystemLow
ealuser                   staff_u                   SystemLow-SystemHigh
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh
testuser                  testuser_u                SystemLow-SystemHigh

semanage user -l
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

abat_u          abat       SystemLow  SystemLow-SystemHigh           abat_r
root            sysadm     SystemLow  SystemLow-SystemHigh           system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow-SystemHigh           sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r
testuser_u      user       SystemLow  SystemLow-SystemHigh           user_r
user_u          user       SystemLow  SystemLow                      user_r

Comment 7 Loulwa Salem 2007-03-26 18:46:57 EDT
Per talk today on lspp call, I reinstalled the -47 policy (with the --force in
permissive to make sure changes get applied smoothly) .. then relabeled and
rebooted the system in enforcing. I still get permission denied when trying
netlabelctl and see the same problem originally described in this bugzilla.

[root/abat_r/SystemLow@joy-hv4 ~]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
Password:
Last login: Mon Mar 26 13:38:51 2007 from localhost.localdomain
[ealuser/sysadm_r/SystemLow@joy-hv4 ~]$ /bin/su -
Password:
[root/sysadm_r/SystemLow@joy-hv4 ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
context=staff_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow@joy-hv4 ~]# netlabelctl map list
-bash: /sbin/netlabelctl: Permission denied

in /var/log/audit/audit.log I see
type=SELINUX_ERR msg=audit(1174934456.088:431): security_compute_sid:  invalid context staff_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174934456.088:431): arch=14 syscall=11 success=no exit=-13 a0=1011d0b0 a1=10115278 a2=1011f8a8 a3=0 items=0 ppid=2111 pid=2146 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 key=(null)
Comment 8 Daniel Walsh 2007-03-27 10:34:38 EDT
Ok, I am not sure why this is the case, but the problem is that system_r is not
in the list of roles available in staff_u or abat_u.  I believe if you add that
role everything will work.

I was running as a logged in user of root, and that works, because root has
system_r.

From reading the policy I would have thought the netlabelctl would run as
staff_u:sysadm_r:netlabel_mgmt_t, but the policy seems to be trying to run it as
staff_u:system_r:netlabel_mgmt_t.

Comment 9 Daniel Walsh 2007-03-27 11:06:22 EDT
There is a bug in policy that defines
init_daemon_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)
rather than
init_system_domain(netlabel_mgmt_t,netlabel_mgmt_exec_t)

This is causing the daemon to attempt to run as system_r, changing it to
init_system_domain causes it to work without adding system_r to staff_u.

I will update the policy and publish today,

Fixed in selinux-policy-2.4.6-48
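As an added diagnostic aid (not part of this bug report or of selinux-policy), the Python script below parses a security_compute_sid SELINUX_ERR record like the ones pasted above together with the semanage user -l listing from comment 6, and reports whether the computed role is one the SELinux user is authorised for; the daemon-domain explanation it produces is the one given in comment 9. The sample input is copied from the comments, and the function names and the >= 5-column heuristic for wrapped role lists are my own assumptions.

```python
import re
# Constructed sample input taken from comments 6 and 7 of this bug: the
# "semanage user -l" row for staff_u (role column wrapped, as pasted) and
# the SELINUX_ERR record emitted when sysadm_r executed netlabelctl.
SEMANAGE_USER_L = """\
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         staff      SystemLow  SystemLow-SystemHigh           sysadm_r
staff_r secadm_r auditadm_r
"""
AUDIT_LINE = ("type=SELINUX_ERR msg=audit(1174934456.088:431): security_compute_sid:  "
              "invalid context staff_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for "
              "scontext=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023 "
              "tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process")
_ERR = re.compile(r"invalid\s+context\s+(\S+)\s+for\s+scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_semanage_users(text):
    """Map SELinux user -> set of roles. A data row has >= 5 columns; a
    shorter non-empty line is the wrapped tail of the previous role list."""
    roles, current = {}, None
    for line in text.split("\n\n", 1)[1].splitlines():   # skip the header
        fields = line.split()
        if len(fields) >= 5:
            current = fields[0]
            roles[current] = set(fields[4:])
        elif fields and current:
            roles[current].update(fields)
    return roles

def diagnose(line, user_roles):
    """Explain a security_compute_sid SELINUX_ERR for a process transition:
    is the computed role one the SELinux user is authorised for?"""
    m = _ERR.search(line)
    if not m or m.group(4) != "process":
        return None
    new, src, tgt = (c.split(":", 3) for c in m.groups()[:3])  # user, role, type, range
    user, new_role, allowed = new[0], new[1], user_roles.get(new[0], set())
    result = {"user": user, "from_role": src[1], "to_role": new_role,
              "new_type": new[2], "exec_type": tgt[2], "role_allowed": new_role in allowed}
    if new_role in allowed:
        result["cause"] = "role permitted; check the role_transition/allow rules"
    elif new_role == "system_r":
        # The pattern in this bug: a domain declared with init_daemon_domain() is run
        # as system_r on exec; init_system_domain() avoids that role change.
        result["cause"] = ("%s is a daemon domain, so exec of %s runs it as system_r, "
                           "which %s lacks; declare it with init_system_domain()"
                           % (new[2], tgt[2], user))
    else:
        result["cause"] = "%s is not authorised for role %s" % (user, new_role)
    return result
```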
Comment 10 Loulwa Salem 2007-03-27 11:32:16 EDT
Regarding comment #8, I added system_r to the roles of staff_u and yes .. now
I can execute netlabel fine :)

However, I no longer can see the output of the netlabel command, the audit 
record shows the command succeeded (I see a record), but I don't see output 
for example when I do a netlabelctl cipsov4 list. Keeping in mind that this is 
not on the console (the way Paul described in an email on the lspp mailing 
list previously), this occurs through an ssh session which used to show the 
output.

I'll wait for the -48 policy and try the fix of changing daemon to system then 
I'll report on that.
Comment 11 Loulwa Salem 2007-03-27 12:25:13 EDT
Just a small update: I was not able to see the output of netlabelctl when I
was staff_u:sysadm_r (which is what I logged in as to try the netlabelctl); once
I exited and went back to my abat_r I am able to see the output.
Comment 12 Loulwa Salem 2007-03-27 15:51:17 EDT
I just tried the -49 policy and the permission denied problem is resolved.
The issue of not seeing the netlabelctl output as sysadm_r is also resolved ..

All looks great so far .. thanks
Comment 13 Joy Latten 2007-03-28 12:03:53 EDT
This appears to be working for racoon with version 49 selinux policy.
Comment 17 errata-xmlrpc 2007-11-07 11:38:39 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
