Project

General

Profile

Bug #44944

type=AVC msg=audit(1585577327.422:6421): avc: denied { open } for pid=27385 comm="sudo" path="/run/utmp" dev="tmpfs" ino=1191 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1

Added by Brad Hubbard 4 months ago.

Status:
New
Priority:
High
Assignee:
-
Category:
-
Target version:
-
% Done:

0%

Source:
Q/A
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature:

Description

http://pulpito.ceph.com/bhubbard-2020-03-30_11:17:25-ceph-ansible-wip-badone-testing-distro-basic-smithi/4906560/

# sealert -l 018efd9d-700d-4e9c-9eeb-d99976cf269a
SELinux is preventing /usr/bin/sudo from lock access on the file /run/utmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sudo should be allowed lock access on the utmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sudo' --raw | audit2allow -M my-sudo
# semodule -X 300 -i my-sudo.pp

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:initrc_var_run_t:s0
Target Objects                /run/utmp [ file ]
Source                        sudo
Source Path                   /usr/bin/sudo
Port                          <Unknown>
Host                          smithi203
Source RPM Packages           sudo-1.8.25p1-8.el8_1.1.x86_64
Target RPM Packages           systemd-239-18.el8_1.4.x86_64
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     smithi203
Platform                      Linux smithi203 4.18.0-147.el8.x86_64 #1 SMP Wed
                              Dec 4 21:51:45 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-06 01:37:58 UTC
Last Seen                     2020-04-06 01:37:58 UTC
Local ID                      018efd9d-700d-4e9c-9eeb-d99976cf269a

Raw Audit Messages
type=AVC msg=audit(1586137078.982:3342): avc:  denied  { lock } for  pid=18582 comm="sudo" path="/run/utmp" dev="tmpfs" ino=14502 scontext=system_u:system_r:ceph_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1586137078.982:3342): arch=x86_64 syscall=fcntl success=yes exit=0 a0=8 a1=7 a2=7ffffbc9a570 a3=8 items=0 ppid=18581 pid=18582 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sudo exe=/usr/bin/sudo subj=system_u:system_r:ceph_t:s0 key=(null)

Hash: sudo,ceph_t,initrc_var_run_t,file,lock

# ausearch -c 'sudo' --raw | audit2allow -M my-sudo && cat my-sudo.te 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-sudo.pp

module my-sudo 1.0;

require {
        type initrc_var_run_t;
        type sudo_exec_t;
        type ceph_t;
        class file { execute execute_no_trans lock map open read };
        class capability { audit_write sys_resource };
        class process setrlimit;
        class netlink_audit_socket { create nlmsg_relay };
}

#============= ceph_t ==============
allow ceph_t initrc_var_run_t:file { lock open read };
allow ceph_t self:capability { audit_write sys_resource };
allow ceph_t self:netlink_audit_socket { create nlmsg_relay };
allow ceph_t self:process setrlimit;

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow ceph_t sudo_exec_t:file map;
allow ceph_t sudo_exec_t:file { execute execute_no_trans open read };

Related issues

Related to Ceph - Bug #40683: selinux allow ceph_t to call sudo Can't reproduce

History

#1 Updated by Brad Hubbard 4 months ago

  • Related to Bug #40683: selinux allow ceph_t to call sudo added

Also available in: Atom PDF