Confined user mapped to sysadm_u SELinux user gets AVC denies
Issue
- Linux users mapped to the sysadm_u SELinux user get various AVC denials
- When using su, X11-related AVC denials are logged:

      # ausearch -ts recent -m avc
      ----
      type=AVC msg=audit(...) : avc: denied { read write open } for pid=xxx comm=su path=/root/.xauth1rWyvH ... scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
      type=AVC msg=audit(...) : avc: denied { create } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
      type=AVC msg=audit(...) : avc: denied { add_name } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
      type=AVC msg=audit(...) : avc: denied { write } for pid=xxx comm=su name=root ... scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
- When using su, rpm and yum commands fail, and the audit log records a SELINUX_ERR instead of an ordinary AVC denial:

      # id -Z
      sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
      # yum check-update
      bash: /usr/bin/yum: /usr/bin/python: bad interpreter: Permission denied
      # ausearch -ts recent -m SELINUX_ERR
      ----
      time->...
      type=PROCTITLE msg=audit(...): proctitle="bash"
      type=PATH msg=audit(...): item=0 name="/usr/bin/yum" ... obj=system_u:object_r:rpm_exec_t:s0 objtype=NORMAL
      type=CWD msg=audit(...): cwd="/home/sysadm"
      type=SYSCALL msg=audit(...): ... comm="bash" exe="/usr/bin/bash" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
      type=SELINUX_ERR msg=audit(...): op=security_compute_sid invalid_context=sysadm_u:system_r:rpm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process
- After logging in, DBus-related USER_AVC denials are logged:

      # ausearch -ts boot -m USER_AVC
      ----
      time->...
      type=USER_AVC msg=audit(...): ... subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.63 ... scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
      ----
      time->...
      type=USER_AVC msg=audit(...): ... subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.problems member=GetProblems dest=:1.63 ... scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
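The three symptoms above produce three different audit record types (AVC, USER_AVC and SELINUX_ERR), and the SELINUX_ERR one is easy to misread as a missing allow rule. The following triage script is an added example, not part of this article and not a Red Hat tool: it parses records of all three kinds from constructed sample lines copied and abbreviated from the records quoted above, groups the denials by source type, target type and object class, and flags the security_compute_sid case separately, because there the kernel computed a context for the transition (sysadm_u:system_r:rpm_t) and rejected it as invalid under the loaded policy, which is a user/role authorization question rather than a type-enforcement rule question. All function names and the report wording are the example's own.

```python
import re
import sys

# Constructed sample: the records quoted in the article, abbreviated the same way
# the article abbreviates them (msg=audit(...), pid=xxx). Not a live capture.
SAMPLE_AUDIT = """\
type=AVC msg=audit(...) : avc: denied { read write open } for pid=xxx comm=su path=/root/.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=AVC msg=audit(...) : avc: denied { create } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xauth_home_t:s0 tclass=file
type=AVC msg=audit(...) : avc: denied { add_name } for pid=xxx comm=su name=.xauth1rWyvH scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(...) : avc: denied { write } for pid=xxx comm=su name=root scontext=sysadm_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SELINUX_ERR msg=audit(...): op=security_compute_sid invalid_context=sysadm_u:system_r:rpm_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=process
type=USER_AVC msg=audit(...): subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=GetAll dest=:1.63 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(...): subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.problems member=GetProblems dest=:1.63 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""


def parse_context(ctx):
    """Split user:role:type[:range]; the MLS range itself contains ':' (s0-s0:c0.c1023)."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": rest[0] if rest else ""}


def field(line, name):
    """Value of name=... on an audit line, or None. Strips the quote closing USER_AVC msg='...'."""
    m = re.search(r"\b%s=(\S+)" % re.escape(name), line)
    return m.group(1).rstrip("'") if m else None


def parse_record(line):
    """Parse one AVC, USER_AVC or SELINUX_ERR record; any other record type yields None."""
    rtype = field(line, "type")
    if rtype not in ("AVC", "USER_AVC", "SELINUX_ERR"):
        return None
    perms = re.search(r"denied\s*\{\s*([^}]*)\}", line)
    inv = field(line, "invalid_context")
    return {
        "type": rtype,
        "perms": set(perms.group(1).split()) if perms else set(),
        "scontext": parse_context(field(line, "scontext")),
        "tcontext": parse_context(field(line, "tcontext")),
        "tclass": field(line, "tclass"),
        # op=security_compute_sid: the kernel computed this context for the exec
        # transition and rejected it as not valid under the loaded policy.
        "invalid_context": parse_context(inv) if inv else None,
    }


def triage(audit_text):
    """Group denials by (source type, target type, class), merging permissions and counting events."""
    groups = {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["scontext"]["type"], rec["tcontext"]["type"], rec["tclass"])
        g = groups.setdefault(key, {"count": 0, "perms": set(), "invalid_context": None})
        g["count"] += 1
        g["perms"] |= rec["perms"]
        if rec["invalid_context"]:
            g["invalid_context"] = rec["invalid_context"]
    return groups


def report(audit_text):
    """One line per group; invalid computed contexts are called out as a user/role problem."""
    lines = []
    for (stype, ttype, tclass), g in sorted(triage(audit_text).items()):
        ic = g["invalid_context"]
        if ic:
            lines.append(
                "%s executing %s: computed context %s:%s:%s is INVALID; check that SELinux user %s "
                "is authorized for role %s (semanage user -l) and role %s for type %s"
                % (stype, ttype, ic["user"], ic["role"], ic["type"],
                   ic["user"], ic["role"], ic["role"], ic["type"]))
        else:
            lines.append("%d x %s -> %s class %s denied { %s }"
                         % (g["count"], stype, ttype, tclass, " ".join(sorted(g["perms"]))))
    return lines


if __name__ == "__main__":
    # Read piped ausearch output when present, otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    for line in report(text):
        print(line)
```

On a real host, pipe `ausearch -ts recent -m AVC,USER_AVC,SELINUX_ERR` into the script. For the ordinary AVC groups, compare what is reported against what the loaded policy actually allows (for example `sesearch -A -s sysadm_su_t -t xauth_home_t -c file`) before concluding that a rule is missing; for the SELINUX_ERR group, the question is whether sysadm_u may take role system_r at all, which no type-enforcement allow rule changes.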
Environment
- Red Hat Enterprise Linux 7
- selinux-policy-targeted