RHEL7.6: sudo'ing from confined user takes 25 seconds (d-bus timeout) then succeeds

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7.6
    • sudo
    • confined users with sudo privileges
    • selinux-policy < 3.13.1-229.el7_6.10

Issue

  • Running sudo as a confined user (e.g. staff_u) takes 25 seconds (D-Bus timeout) and then succeeds

    $ id -Z
    staff_u:staff_r:staff_t:s0-s0:c0.c1023
    $ time sudo true
    real    0m25.106s
    user    0m0.013s
    sys     0m0.058s
    

Resolution

  • Update the selinux-policy packages to selinux-policy-3.13.1-229.el7_6.10, shipped with advisory RHBA-2019:0811, or later.

  • If updating is not possible, apply the workaround below.

  • Create a custom SELinux module by creating the file sudo-bz1687452.te with the following content

    module sudo-bz1687452 1.0;
    
    require {
        type systemd_logind_sessions_t;
        attribute sudodomain;
        class fifo_file write;
    }
    
    allow sudodomain systemd_logind_sessions_t:fifo_file write;
    
  • Compile the sudo-bz1687452 module

    # yum -y install selinux-policy-devel
    # make -f /usr/share/selinux/devel/Makefile sudo-bz1687452.pp
    
  • Install the sudo-bz1687452 module

    # semodule -i sudo-bz1687452.pp
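
To tell which state a host is in before and after applying the resolution, the following added example (not part of the Red Hat article) classifies it from the installed selinux-policy version and the loaded module list. The function names are hypothetical, GNU `sort -V` is assumed as an approximation of RPM version ordering, and `sesearch` is assumed to be available from setools-console.

```shell
#!/bin/bash
# Added example: classify a host against the fix described above.
FIXED_EVR='3.13.1-229.el7_6.10'   # first fixed selinux-policy build (from the article)
MODULE='sudo-bz1687452'           # workaround module name (from the article)

# True if the given version-release is at or above the fixed build.
# Assumption: sort -V approximates rpm ordering for these strings.
policy_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$FIXED_EVR" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Reads `semodule -l` output on stdin; true if the workaround module is listed.
# Only the first field is compared, so a trailing version column is ignored.
module_loaded() {
    awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }'
}

# $1 = installed version-release, stdin = `semodule -l` output.
# Prints one of: fixed-by-package, workaround-loaded, affected.
assess() {
    loaded=no; module_loaded && loaded=yes   # always drain stdin
    if policy_is_fixed "$1"; then echo "fixed-by-package"
    elif [ "$loaded" = yes ]; then echo "workaround-loaded"
    else echo "affected"; fi
}

# Live check; run as root on the RHEL host with: ./script --check
main() {
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy) || return 1
    echo "selinux-policy $evr: $(semodule -l | assess "$evr")"
    # Confirm the allow rule itself is present in the loaded policy.
    if command -v sesearch >/dev/null 2>&1; then
        sesearch -A -s sudodomain -t systemd_logind_sessions_t -c fifo_file -p write
    fi
}

if [ "${1:-}" = "--check" ]; then main; fi
```

A host reported as `affected` should still show the 25-second delay from `time sudo true`; after the package update or module install the same command should return promptly.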
    

Root Cause

Previously, sudodomain was not allowed to write to systemd_logind_sessions_t pipes, so a D-Bus timeout occurred.
