Bug 982983 - sysadm_u unable to logout
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Reported: 2013-07-10 05:07 EDT by Michal Medvecky
Modified: 2013-08-07 14:20 EDT
CC List: 3 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-07 14:20:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Michal Medvecky 2013-07-10 05:07:47 EDT
Description of problem:

sysadm_u cannot logout when doing sudo su -

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

adduser test
semanage login -a -s sysadm_u test
visudo, allow test to do sudo
log in as test
sudo su -

Actual results:

 1503 tty2     S+     0:00      \_ sudo -i su -
 1504 tty2     Z+     0:00          \_ [su] <defunct>

Expected results:

logging out hangs

Additional info:

type=AVC msg=audit(1373436054.277:354): avc:  denied  { sigchld } for  pid=1317 comm="sudo" scontext=sysadm_u:sysadm_r:sysadm_su_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tclass=process
Comment 2 Milos Malik 2013-07-10 11:15:26 EDT
When I use "sudo -i su -" instead of "sudo su -", the following AVC appears:
type=SYSCALL msg=audit(07/10/2013 11:05:44.722:886083) : arch=x86_64 syscall=wait4 success=no exit=-13(Permission denied) a0=3661 a1=7fffc2ba69c4 a2=3 a3=0 items=0 ppid=13816 pid=13920 auid=pokuston uid=root gid=pokuston euid=root suid=root fsuid=root egid=pokuston sgid=pokuston fsgid=pokuston tty=pts5 ses=40701 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/10/2013 11:05:44.722:886083) : avc:  denied  { sigchld } for  pid=13920 comm=sudo scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tclass=process 

There is also another AVC which frequently appears before the logout:
type=SYSCALL msg=audit(07/10/2013 11:04:31.946:886065) : arch=x86_64 syscall=write success=no exit=-13(Permission denied) a0=3 a1=7feb5b88a3f0 a2=62 a3=0 items=0 ppid=13842 pid=13843 auid=pokuston uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts5 ses=40701 comm=su exe=/bin/su subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(07/10/2013 11:04:31.946:886065) : avc:  denied  { compute_av } for  pid=13843 comm=su scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security 
Comment 3 Milos Malik 2013-07-10 11:23:43 EDT
# rpm -qa selinux-policy\*
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
# getsebool -a | grep sysadm
allow_sysadm_exec_content --> on
ssh_sysadm_login --> on
xdm_sysadm_login --> off
# ssh pokuston/sysadm_r@...
$ id -Z
$ sudo -i su -
# id -Z
# logout
Comment 4 Daniel Walsh 2013-07-10 18:21:30 EDT
How about sudo -i runuser -

runuser == su - pam_stack

We have

allow sysadm_su_t sysadm_sudo_t:process sigchld;

in Fedora.
sudo -i runuser - 

Seems to be causing su to run through the pam stack and calling something that is doing a compute_av like pam_selinux, which is not going to work well.
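As an added example (not code from this bug report or from the selinux-policy project), the following Python script parses the AVC records quoted in the description and in comment 2 the way audit2allow would, and derives the candidate allow rules from them. The audit lines embedded in it are copied from this report (the SYSCALL record is abridged); the field-parsing regex is an assumption that covers the two formats seen here (raw audit and ausearch -i interpreted output), not a full audit-record parser. The sigchld denial yields exactly the Fedora rule quoted in this comment; note that the missing sigchld permission is why sudo's wait4 fails and su is left as a zombie in the ps output. The compute_av candidate is derived only to show that a mechanically generated rule is a starting point for review, not a fix: the report's resolution was to avoid the pam stack by using runuser rather than to allow compute_av.

```python
"""Derive candidate SELinux allow rules from AVC denial records.

Added example for bug 982983; mirrors what audit2allow does for the
denials quoted in the report.  Not part of the report or of selinux-policy.
"""
import re
from collections import defaultdict

# Matches the "avc:  denied  { perms } for  k=v k=v ..." part of an AVC record,
# which is identical in raw audit output and in ausearch -i interpreted output.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (raw format) or bare (interpreted format).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Audit records copied from this bug report.  The SYSCALL record is abridged
# and is included only to show that non-AVC records are skipped.
REPORT_AUDIT_LINES = [
    'type=AVC msg=audit(1373436054.277:354): avc:  denied  { sigchld } for  pid=1317 comm="sudo" '
    'scontext=sysadm_u:sysadm_r:sysadm_su_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tclass=process',
    'type=SYSCALL msg=audit(07/10/2013 11:05:44.722:886083) : arch=x86_64 syscall=wait4 success=no '
    'exit=-13(Permission denied) comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023',
    'type=AVC msg=audit(07/10/2013 11:05:44.722:886083) : avc:  denied  { sigchld } for  pid=13920 comm=sudo '
    'scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tclass=process',
    'type=AVC msg=audit(07/10/2013 11:04:31.946:886065) : avc:  denied  { compute_av } for  pid=13843 comm=su '
    'scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security',
]


def parse_avc(line):
    """Return the parts of one AVC denial needed for a rule, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:range]; a type-enforcement rule needs only the type.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def allow_rules(lines):
    """Aggregate denials per (source type, target type, class) into allow rules.

    Repeated denials of the same permission (the two sigchld records in the
    report) collapse into one rule; several permissions on one key are braced.
    """
    perms_by_key = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            perms_by_key[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        joined = ' '.join(sorted(perms))
        if len(perms) == 1:
            rules.append(f'allow {stype} {ttype}:{tclass} {joined};')
        else:
            rules.append(f'allow {stype} {ttype}:{tclass} {{ {joined} }};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(REPORT_AUDIT_LINES):
        print(rule)
```

Running the script prints the two candidate rules; the first one is the rule this comment says Fedora already carries, the second is the compute_av grant that comment 4 warns against and that the runuser workaround in comment 5 makes unnecessary.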
Comment 5 Milos Malik 2013-08-06 10:20:21 EDT
The problem goes away (logout is possible, no AVCs in sight) when the following command is used:
sudo -i runuser -

# rpm -qa selinux-policy\*
# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
