Confined users mapped to the staff_u or sysadm_u SELinux user get AVC denials when running sudo
Issue
- Linux users mapped to the staff_u or sysadm_u SELinux user get AVC denials when running sudo (the sudo process runs in the staff_sudo_t or sysadm_sudo_t domain).
- When using pam_ssh_agent_auth, sudo (the proctitle hex decodes to `sudo -i`) is denied getattr on the SSH agent socket in /tmp, which is labeled user_tmp_t:

    # ausearch -ts recent -m avc
    ----
    time->...
    type=PROCTITLE msg=audit(...): proctitle=7375646F002D69
    type=PATH msg=audit(...): item=0 name="/tmp/ssh-usU44XZkXy/agent.6167" ... obj=staff_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(...): cwd="/home/staff"
    type=SYSCALL msg=audit(...): arch=c000003e syscall=4 success=no exit=-13 ... comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(...): avc: denied { getattr } for pid=xxx comm="sudo" path="/tmp/ssh-usU44XZkXy/agent.6167" ... scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file

  (syscall 4 on x86_64 is stat(); exit=-13 is EACCES.)

- When enabling sudo I/O logging (sudo-io), sudo is denied open/read/write on the sequence file /var/log/sudo-io/seq, which is labeled var_log_t:

    # ausearch -ts recent -m avc
    ----
    time->...
    type=PROCTITLE msg=audit(...): proctitle=7375646F002D69
    type=PATH msg=audit(...): item=1 name="/var/log/sudo-io/seq" ... dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(...): item=0 name="/var/log/sudo-io/" ... dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_log_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(...): cwd="/home/staff"
    type=SYSCALL msg=audit(...): arch=c000003e syscall=2 success=yes exit=6 ... comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(...): avc: denied { open } for pid=xxx comm="sudo" path="/var/log/sudo-io/seq" ... scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
    type=AVC msg=audit(...): avc: denied { read write } for pid=xxx comm="sudo" name="seq" ... scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
    ...
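The denials above are easier to triage once each AVC record is reduced to the tuple that policy actually decides on: source domain, target type, object class and the permission set. The helper below is an added example and is not part of the Red Hat article; it parses AVC records of the form shown on this page, groups denials by that tuple, and renders the allow rule that audit2allow would print for each group. The sample records are constructed from the contexts shown above (pid, dev, ino and timestamps are placeholder values).

```python
"""Triage SELinux AVC denials: parse, group by (domain, type, class), render TE rules.

Added example for this page; not Red Hat's code. The sample log is constructed
from the contexts shown in the article; pid/dev/ino/timestamps are placeholders.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample input: the staff_sudo_t and sysadm_sudo_t denials from the article.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.001:101): avc:  denied  { getattr } for  pid=6200 comm="sudo" path="/tmp/ssh-usU44XZkXy/agent.6167" dev="dm-0" ino=1 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_tmp_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1500000000.001:101): arch=c000003e syscall=4 success=no exit=-13 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1500000000.002:102): avc:  denied  { open } for  pid=6300 comm="sudo" path="/var/log/sudo-io/seq" dev="dm-0" ino=2 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1500000000.002:102): avc:  denied  { read write } for  pid=6300 comm="sudo" name="seq" dev="dm-0" ino=2 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
"""

# "type=AVC ... avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':' (s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    while len(parts) < 4:
        parts.append("")
    return {"user": parts[0], "role": parts[1], "type": parts[2], "range": parts[3]}


def parse_avc(line):
    """Return a dict describing one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    src = split_context(kv.get("scontext", ""))
    tgt = split_context(kv.get("tcontext", ""))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": kv.get("comm", ""),
        "object": kv.get("path") or kv.get("name") or "",
        "sdomain": src["type"],
        "ttype": tgt["type"],
        "tclass": kv.get("tclass", ""),
    }


def summarize_denials(log_text):
    """Group denied AVCs by (source domain, target type, class); union their permissions."""
    groups = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (rec["sdomain"], rec["ttype"], rec["tclass"])
        entry = groups.setdefault(key, {"perms": set(), "objects": set(), "comm": rec["comm"]})
        entry["perms"].update(rec["perms"])
        entry["objects"].add(rec["object"])
    return groups


def te_rule(sdomain, ttype, tclass, perms):
    """Render the allow rule audit2allow would emit for this group (a diagnosis, not a fix)."""
    perms = sorted(perms)
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (sdomain, ttype, tclass, perm_str)


def report(log_text):
    """One rendered rule per denial group, in first-seen order."""
    return [te_rule(sd, tt, tc, e["perms"]) for (sd, tt, tc), e in summarize_denials(log_text).items()]


if __name__ == "__main__":
    # Pipe in `ausearch -m avc -ts recent` output, or run with no input to use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for (sd, tt, tc), e in summarize_denials(text).items():
        print("%s (%s) -> %s:%s on %s" % (sd, e["comm"], tt, tc, ", ".join(sorted(e["objects"]))))
        print("    " + te_rule(sd, tt, tc, e["perms"]))
```

On the sample this yields `allow staff_sudo_t user_tmp_t:sock_file getattr;` and `allow sysadm_sudo_t var_log_t:file { open read write };`. Treat those rules as a description of what was blocked, not as the remedy: a local policy module granting them is a last resort. For the sudo-io case, check first whether /var/log/sudo-io carries the label the loaded policy expects (`restorecon -nv /var/log/sudo-io` reports what a relabel would change), and run the records through `audit2why` to see whether a boolean or a constraint is involved before writing any allow rule.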
Environment
- Red Hat Enterprise Linux 7
- sudo
- pam_ssh_agent_auth
