Confined users in sysadm_r role can execute `subscription-manager` command after sudo'ing, but AVCs are seen in the audit log
Issue

When a user is confined, switches role to `sysadm_r` and tries to execute `sudo subscription-manager`, AVCs are seen but the command succeeds:

```
type=PROCTITLE msg=audit(...) : proctitle=/usr/libexec/platform-python /sbin/subscription-manager register --username rhn-support-rmetrich
type=SYSCALL msg=audit(...) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD ... comm=subscription-ma exe=/usr/libexec/platform-python3.6 subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(...) : avc: denied { read } for pid=... comm=subscription-ma name=mem dev="devtmpfs" ino=... scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
```

The `openat` of `/dev/mem` (`name=mem` on `devtmpfs`) really is refused with `EACCES` (`success=no`); `subscription-manager` tolerates that failure and completes the registration anyway.

Additionally, on RHEL 7 only, another AVC shows up related to `dmidecode`:

```
type=PROCTITLE msg=audit(...): proctitle="dmidecode"
type=PATH msg=audit(...): item=1 name="/lib64/ld-linux-x86-64.so.2" ...
type=PATH msg=audit(...): item=0 name="/sbin/dmidecode" ... obj=system_u:object_r:dmidecode_exec_t:s0 objtype=NORMAL ...
type=EXECVE msg=audit(...): argc=1 a0="dmidecode"
type=SYSCALL msg=audit(...): ... syscall=59 success=yes exit=0 ... comm="dmidecode" exe="/usr/sbin/dmidecode" subj=staff_u:sysadm_r:dmidecode_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(...): avc: denied { read write } for ... comm="dmidecode" path="/var/lib/rhsm/facts/facts.json" ... scontext=staff_u:sysadm_r:dmidecode_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rhsmcertd_var_lib_t:s0 tclass=file permissive=0
```

This denial belongs to the same audit event as the `execve` (syscall 59) of `dmidecode`, and that `execve` succeeds (`success=yes`): it is the check SELinux performs on file descriptors inherited across the domain transition into `dmidecode_t`, here an open descriptor on `/var/lib/rhsm/facts/facts.json` that the new domain is not allowed to keep, so the descriptor is closed rather than the command failing.
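When triaging records like the ones above it helps to pair every AVC with the SYSCALL record of the same audit event, so that a denial that actually failed the operation (`success=no`) can be told apart from one that was only logged, and to reduce each denial to the (source type, target type, class, permissions) tuple that a policy rule is written against. The following Python script is an added example, not part of this article or of subscription-manager: it parses a constructed set of records modelled on the two denials above (timestamps, serials, pids and inodes are placeholders), classifies each denial by whether its syscall failed, and prints the same `allow` rules `audit2allow` would derive from them. Real input can be produced with `ausearch -m AVC,SYSCALL -ts recent`, in raw or `-i` interpreted form.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the two denials quoted in the
# article (same fields, abbreviated the same way; timestamps, serials, pids
# and inodes are placeholders). Records of one audit event share a serial.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1600000000.123:501): arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD comm=subscription-ma exe=/usr/libexec/platform-python3.6 subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1600000000.123:501): avc: denied { read } for pid=4242 comm=subscription-ma name=mem dev="devtmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_device_t:s0 tclass=chr_file permissive=0
type=EXECVE msg=audit(1600000000.456:502): argc=1 a0="dmidecode"
type=SYSCALL msg=audit(1600000000.456:502): arch=x86_64 syscall=59 success=yes exit=0 comm="dmidecode" exe="/usr/sbin/dmidecode" subj=staff_u:sysadm_r:dmidecode_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1600000000.456:502): avc: denied { read write } for pid=4243 comm="dmidecode" path="/var/lib/rhsm/facts/facts.json" scontext=staff_u:sysadm_r:dmidecode_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rhsmcertd_var_lib_t:s0 tclass=file permissive=0
"""

# msg=audit(<time>:<serial>) matches both raw (epoch) and `ausearch -i` (date) forms.
HEAD_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[^)]*?):(?P<serial>\d+)\)\s*:\s*(?P<rest>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
# key=value pairs: values may be quoted, may carry a parenthesised suffix such as
# exit=EACCES(Permission denied), and key=(null) falls through to the plain \S+ case.
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]+(?:\([^)]*\))?|\S+)')


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit(text):
    """Group SYSCALL and AVC records by event serial: serial -> {'syscall': dict|None, 'avcs': [dict]}."""
    events = defaultdict(lambda: {'syscall': None, 'avcs': []})
    for line in text.splitlines():
        head = HEAD_RE.match(line)
        if not head:
            continue
        serial, rest = head.group('serial'), head.group('rest')
        if head.group('type') == 'SYSCALL':
            events[serial]['syscall'] = _kv(rest)
        elif head.group('type') == 'AVC':
            avc = AVC_RE.match(rest)
            if not avc:
                continue
            f = _kv(avc.group('rest'))
            events[serial]['avcs'].append({
                'result': avc.group('result'),
                'perms': avc.group('perms').split(),
                'comm': f.get('comm'),
                'scontext': f['scontext'],
                'tcontext': f['tcontext'],
                'tclass': f['tclass'],
                'target': f.get('path') or f.get('name'),   # full path if logged, else basename
                'permissive': f.get('permissive') == '1',
            })
    return dict(events)


def type_of(context):
    """user:role:type[:range] -> type, the component policy rules are written against."""
    return context.split(':')[2]


def allow_rules(events):
    """Collapse denials into the allow rules audit2allow would print, one per (source, target, class)."""
    perms = defaultdict(set)
    for ev in events.values():
        for avc in ev['avcs']:
            if avc['result'] == 'denied':
                perms[(type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])] |= set(avc['perms'])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in perms.items())


def classify(events):
    """Pair each denial with the syscall it was raised on and record whether that syscall failed."""
    rows = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev['syscall'] or {}
        for avc in ev['avcs']:
            rows.append({
                'serial': serial,
                'comm': avc['comm'],
                'syscall': sc.get('syscall'),
                'source_type': type_of(avc['scontext']),
                'target': avc['target'],
                'blocked': sc.get('success') == 'no',   # the caller got EACCES (or similar) back
                'permissive': avc['permissive'],
            })
    return rows


if __name__ == '__main__':
    events = parse_audit(SAMPLE_AUDIT)
    for row in classify(events):
        state = 'syscall failed' if row['blocked'] else 'syscall succeeded'
        print(f"{row['comm']:16} {row['source_type']:12} {row['target']:36} {state}")
    print('\n'.join(allow_rules(events)))
```

The `allow` lines pin down exactly which type pair and permission each denial is about; whether to allow them, `dontaudit` them or leave them alone is a separate policy decision. In particular, `allow sysadm_t memory_device_t:chr_file { read }` grants confined administrators read access to `/dev/mem` and should not be loaded merely because a tool printed it.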
Environment

- Red Hat Enterprise Linux 7
  - subscription-manager
  - confined `sysadm_u` users and `staff_u` users
- Red Hat Enterprise Linux 8
  - subscription-manager
  - confined `sysadm_u` users and `staff_u` users