Confined user mapped to sysadm_u SELinux user gets AVC denies
Issue
- Linux users mapped to the sysadm_u SELinux user get various AVC denies.
- When using su, X11 related AVC denies:

    # ausearch -ts recent -m avc
    ----
    type=AVC msg=audit(...) : avc: denied { read write open } for pid=xxx comm=su path=/root/.xauth1rWyvH ... scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
    type=AVC msg=audit(...) : avc: denied { create } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
    type=AVC msg=audit(...) : avc: denied { add_name } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
    type=AVC msg=audit(...) : avc: denied { write } for pid=xxx comm=su name=root ... scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

- When using su, rpm and yum commands fail with AVC denies:

    # id -Z
    sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
    # yum check-update
    bash: /usr/bin/yum: /usr/bin/python: bad interpreter: Permission denied
    # ausearch -ts recent -m SELINUX_ERR
    ----
    time->...
    type=PROCTITLE msg=audit(...): proctitle="bash"
    type=PATH msg=audit(...): item=0 name="/usr/bin/yum" ... obj=system_u:object_r:rpm_exec_t:s0 objtype=NORMAL
    type=CWD msg=audit(...): cwd="/home/sysadm"
    type=SYSCALL msg=audit(...): ... comm="bash" exe="/usr/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
    type=SELINUX_ERR msg=audit(...): op=security_compute_sid invalid_context=sysadm_u:system_r:rpm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process

- After logging in, DBus related USER_AVC denies:

    # ausearch -ts boot -m USER_AVC
    ----
    time->...
    type=USER_AVC msg=audit(...): ... subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.63 ... scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
    ----
    time->...
    type=USER_AVC msg=audit(...): ... subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.problems member=GetProblems dest=:1.63 ... scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
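The three symptom groups above differ only in record type and in the fields that matter (source and target types plus permissions for an AVC, the invalid_context for a SELINUX_ERR, the D-Bus target type for a USER_AVC). The following triage script is an added example, not part of the Red Hat article or of the audit tooling: it parses ausearch-style records into their context fields and classifies each one into one of the symptom classes listed above. The SAMPLE text is constructed from the article's records with pids and timestamps elided; the function names and the class labels are this example's own choices.

```python
import re
from collections import Counter

# Constructed sample input modelled on the article's ausearch output
# (pids, timestamps and some fields elided, as in the article).
SAMPLE = """\
type=AVC msg=audit(...) : avc: denied { read write open } for pid=xxx comm=su path=/root/.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=AVC msg=audit(...) : avc: denied { create } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=SELINUX_ERR msg=audit(...): op=security_compute_sid invalid_context=sysadm_u:system_r:rpm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process
type=USER_AVC msg=audit(...): subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.63 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
"""

RECORD_RE = re.compile(r"^type=(\w+)\s")
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"\b(scontext|tcontext|tclass|comm|invalid_context)=(\S+)")


def split_context(ctx):
    """Split user:role:type[:range] into a dict; the MLS range itself contains ':'."""
    user, role, typ, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "range": ":".join(rest)}


def parse_record(line):
    """Parse one audit record line; returns None for lines that are not records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "perms": ()}
    d = DENIED_RE.search(line)
    if d:
        rec["perms"] = tuple(d.group(1).split())
    for key, value in FIELD_RE.findall(line):
        rec[key] = value.strip("'\"")
    if "scontext" in rec:
        rec["source"] = split_context(rec["scontext"])
    if "tcontext" in rec:
        rec["target"] = split_context(rec["tcontext"])
    if "invalid_context" in rec:
        rec["invalid"] = split_context(rec["invalid_context"])
    return rec


def parse_records(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def classify(rec):
    """Map a record to a symptom class (labels are this example's own)."""
    if rec["type"] == "SELINUX_ERR" and "invalid" in rec:
        # security_compute_sid produced a context the loaded policy does not
        # accept: here the user/role pair of the computed context is not valid.
        inv = rec["invalid"]
        return "invalid context: user %s with role %s (type %s)" % (
            inv["user"], inv["role"], inv["type"])
    if rec["type"] == "USER_AVC" and rec.get("tclass") == "dbus":
        return "dbus send_msg to %s denied" % rec["target"]["type"]
    if rec["type"] == "AVC":
        return "%s -> %s (%s): %s" % (rec["source"]["type"], rec["target"]["type"],
                                      rec["tclass"], " ".join(rec["perms"]))
    return "other"


def summarize(text):
    """Count records per symptom class, for a quick overview of what was denied."""
    return Counter(classify(r) for r in parse_records(text))


if __name__ == "__main__":
    for label, count in summarize(SAMPLE).items():
        print("%3d  %s" % (count, label))
```

Run it against real output by piping `ausearch -ts recent -m avc,user_avc,selinux_err` into a file and passing that text to `summarize()` instead of SAMPLE; the source type column immediately separates the `sysadm_su_t` (su/X11) denials from the `sysadm_t` ones, and any `SELINUX_ERR` record is reported with the user and role pairing the kernel rejected rather than being buried among the AVC lines.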
Environment
- Red Hat Enterprise Linux 7
- selinux-policy-targeted