Bug 694031 - enforcing MLS: userdel -r USERNAME causes AVCs
Summary: enforcing MLS: userdel -r USERNAME causes AVCs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 743047
Reported: 2011-04-06 09:40 UTC by Milos Malik
Modified: 2012-10-16 08:11 UTC

Fixed In Version: selinux-policy-3.7.19-110.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 10:07:17 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2011:1511 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-12-06 00:39:17 UTC

Description Milos Malik 2011-04-06 09:40:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-81.el6.noarch
selinux-policy-doc-3.7.19-81.el6.noarch
selinux-policy-minimum-3.7.19-81.el6.noarch
selinux-policy-mls-3.7.19-81.el6.noarch
selinux-policy-3.7.19-81.el6.noarch

How reproducible:
always

Steps to Reproduce:
(RHEL-6 machine with active MLS policy, root is logged in via console)
# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t:s0-s15:c0.c1023
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
# useradd -Z staff_u sshstaff
# userdel -r sshstaff
#
  
Actual results:
----
type=SYSCALL msg=audit(04/06/2011 05:29:40.645:12216) : arch=i386 syscall=stat64 success=no exit=-13(Permission denied) a0=bfd67b20 a1=bfd67a58 a2=4bfff4 a3=8cbd5d0 items=0 ppid=3010 pid=3183 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=16 comm=userdel exe=/usr/sbin/userdel subj=root:sysadm_r:useradd_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(04/06/2011 05:29:40.645:12216) : avc:  denied  { search } for  pid=3183 comm=userdel name=2686 dev=proc ino=25855 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:auditd_t:s15:c0.c1023 tclass=dir 
----
following AVC appeared many times
----
type=SYSCALL msg=audit(04/06/2011 05:29:40.658:12217) : arch=i386 syscall=stat64 success=no exit=-13(Permission denied) a0=bfd67b20 a1=bfd67a58 a2=4bfff4 a3=8cbd5d0 items=0 ppid=3010 pid=3183 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=16 comm=userdel exe=/usr/sbin/userdel subj=root:sysadm_r:useradd_t:s0-s15:c0.c1023 key=(null) 
type=AVC msg=audit(04/06/2011 05:29:40.658:12217) : avc:  denied  { search } for  pid=3183 comm=userdel name=3068 dev=proc ino=34495 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir 
----

Expected results:
no AVCs

Comment 2 RHEL Program Management 2011-04-06 09:44:11 UTC
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 3 Milos Malik 2011-04-06 09:44:43 UTC
The output of audit2allow:

#============= useradd_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow useradd_t auditd_t:dir search;
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow useradd_t kernel_t:dir search;

Comment 4 Daniel Walsh 2011-04-06 13:49:10 UTC
Miroslav you need to add

mls_process_read_to_clearance(useradd_t)

Comment 5 Miroslav Grepl 2011-06-14 14:06:07 UTC
Fixed in selinux-policy-3.7.19-98.el6

Comment 8 Daniel Walsh 2011-09-07 16:31:45 UTC
Were you sitting in the audit directory when you ran this test?

Comment 9 Milos Malik 2011-09-07 18:31:38 UTC
No, I was sitting in /root directory, but I'm able to reproduce it in /tmp as well.

[root@rhel62 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        mls
[root@rhel62 ~]# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
[root@rhel62 ~]# cd /tmp
[root@rhel62 tmp]# useradd pokus
[root@rhel62 tmp]# userdel -rf pokus
[root@rhel62 tmp]# ausearch -m avc -m user_avc -ts recent -i | audit2allow

#============= useradd_t ==============
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow useradd_t audisp_t:dir search;
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow useradd_t auditd_t:dir search;
#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow useradd_t kernel_t:dir search;
[root@rhel62 tmp]#

Comment 10 Daniel Walsh 2011-09-08 13:16:28 UTC
Miroslav add

domain_dontaudit_read_all_domains_state(useradd_t)


userdel is looking at all processes to see if a process with the user id it is deleting is running.  Not sure what constraint it is failing on here since the userdel program is running with the full range.

Milos can you run a process as the user that you are deleting at systemhigh

useradd testuser 
login as testuser
newrole -l SystemHigh 

As sysadm_t in another window execute userdel testuser and make sure userdel works properly, IE the same way in permissive mode as enforcing.

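The audit2allow output in Comments 3 and 9 flags these denials as constraint violations rather than missing allow rules, and Comment 10 asks which constraint a full-range useradd_t process can fail. The following is an added example, not code from the bug report or from selinux-policy: it parses the two AVC records quoted in the Description (copied verbatim as constructed sample input) and evaluates a simplified model of the reference-policy MLS constraint shape for read-type permissions such as dir search, where access is allowed if the subject's current (low) level dominates the object's level, or if the subject's type carries a "read to clearance" attribute and its high level (clearance) dominates. The attribute set passed as `readtoclr_types` stands in for whatever attribute the macro in Comment 4 grants, and the real constraint's further exceptions (trusted objects and similar) are omitted; both are assumptions of this example.

```python
"""
Simplified model of the MLS read-type constraint behind the userdel AVCs.

Added example, not from the bug report or from selinux-policy. The constraint
shape modelled here (assumption: real policy has more disjuncts) is:

    allowed if  low(source)  dominates level(target)
            or  (type(source) has a read-to-clearance attribute
                 and high(source) dominates level(target))
"""
import re

# Constructed sample input: the two AVC records quoted in the Description.
AVC_LINES = [
    'type=AVC msg=audit(04/06/2011 05:29:40.645:12216) : avc:  denied  { search } for  pid=3183 comm=userdel name=2686 dev=proc ino=25855 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:auditd_t:s15:c0.c1023 tclass=dir',
    'type=AVC msg=audit(04/06/2011 05:29:40.658:12217) : avc:  denied  { search } for  pid=3183 comm=userdel name=3068 dev=proc ino=34495 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=dir',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0..1023})). Accepts 'cX.cY' ranges and 'cX,cY' lists."""
    sens, _, cats = level.partition(':')
    catset = set()
    if cats:
        for part in cats.split(','):
            if '.' in part:
                lo, hi = part.split('.')
                catset.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                catset.add(int(part[1:]))
    return int(sens[1:]), frozenset(catset)


def parse_context(ctx):
    """'user:role:type:low-high' -> dict; a context without a range has high == low."""
    user, role, typ, mls = ctx.split(':', 3)
    low, _, high = mls.partition('-')
    return {'user': user, 'role': role, 'type': typ,
            'low': parse_level(low), 'high': parse_level(high or low)}


def dominates(a, b):
    """MLS dominance: sensitivity(a) >= sensitivity(b) and categories(a) is a superset of categories(b)."""
    return a[0] >= b[0] and a[1] >= b[1]


def mls_read_allowed(src, tgt, readtoclr_types=frozenset()):
    """Evaluate the simplified read-type constraint (l1 dom l2, or readtoclr and h1 dom l2)."""
    if dominates(src['low'], tgt['low']):
        return True
    return src['type'] in readtoclr_types and dominates(src['high'], tgt['low'])


def explain(line, readtoclr_types=frozenset()):
    """Parse one AVC record and report which clause of the constraint passes or fails."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial record: %r' % line)
    src = parse_context(m.group('scontext'))
    tgt = parse_context(m.group('tcontext'))
    return {
        'perm': m.group('perms').strip(),
        'tclass': m.group('tclass'),
        'stype': src['type'],
        'ttype': tgt['type'],
        'low_dominates': dominates(src['low'], tgt['low']),    # l1 dom l2
        'high_dominates': dominates(src['high'], tgt['low']),  # h1 dom l2
        'allowed': mls_read_allowed(src, tgt, readtoclr_types),
    }


if __name__ == '__main__':
    for avc in AVC_LINES:
        plain = explain(avc)
        clr = explain(avc, readtoclr_types={'useradd_t'})
        print('%s %s on %s -> %s: current level dominates=%s, clearance dominates=%s, '
              'allowed without readtoclr=%s, with readtoclr=%s'
              % (plain['stype'], plain['perm'], plain['tclass'], plain['ttype'],
                 plain['low_dominates'], plain['high_dominates'],
                 plain['allowed'], clr['allowed']))
```

Running the block shows the practical point for anyone debugging similar MLS denials: a process whose range is s0-s15:c0.c1023 is *current* at s0, so the `l1 dom l2` clause fails against a /proc entry labelled s15:c0.c1023 even though its clearance covers that level; only a read-to-clearance attribute on the source type lets the `h1 dom l2` clause apply. A dontaudit rule, by contrast, only silences the record and leaves the decision unchanged.
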
Comment 11 Miroslav Grepl 2011-09-08 14:34:58 UTC
Fixed in selinux-policy-3.7.19-110.el6

Comment 14 errata-xmlrpc 2011-12-06 10:07:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

