Confined users cannot execute scripts labeled with "user_tmp_t" (typically scripts in /var/tmp) using sudo
Issue
- Executing a script in /var/tmp under sudo while being a confined user is denied, as shown in the example below:

  $ id -Z
  sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
  $ sudo /var/tmp/myscript
  sudo: unable to execute /var/tmp/myscript: Permission denied

- The following AVC is seen in the audit log:

  type=PATH msg=audit(...): item=0 name="/var/tmp/myscript" ... obj=unconfined_u:object_r:user_tmp_t:s0 ...
  type=CWD msg=audit(...): cwd="/home/sysadm"
  type=SYSCALL msg=audit(....): arch=c000003e syscall=59 success=no exit=-13 ... comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(...): avc: denied { entrypoint } for ... comm="sudo" path="/var/tmp/myscript" ... scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
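The AVC record above is the key diagnostic: the denied permission is entrypoint, the source type is sysadm_t (the domain sudo is trying to enter) and the target type is user_tmp_t (the label of the script), so the policy does not allow sysadm_t to be entered through a file of that type. The POSIX shell helpers below, which are an added example and not part of the Red Hat article, pull exactly those fields out of audit records so an administrator can confirm the denial class before looking at labeling or policy. The audit excerpt embedded in the script is constructed from the article's records; the pid, dev, ino and timestamp values are placeholders that the article elides.

```shell
#!/bin/sh
# Added example: triage SELinux AVC records of the kind shown in the article.
# AUDIT_SAMPLE is constructed from the article's excerpt; pid/dev/ino/timestamps
# are placeholders, not values from the article.
AUDIT_SAMPLE='type=PATH msg=audit(1700000000.123:456): item=0 name="/var/tmp/myscript" inode=12345 dev=fd:00 mode=0100755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0
type=CWD msg=audit(1700000000.123:456): cwd="/home/sysadm"
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=no exit=-13 a0=7f0000 a1=7f0001 a2=7f0002 a3=0 items=1 ppid=1000 pid=1234 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1700000000.123:456): avc:  denied  { entrypoint } for  pid=1234 comm="sudo" path="/var/tmp/myscript" dev="dm-0" ino=12345 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0'

# The AVC line alone, for the single-record helpers below.
AVC_SAMPLE=$(printf '%s\n' "$AUDIT_SAMPLE" | grep '^type=AVC ')

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes stripped);
# prints nothing when the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the permission names inside "denied { ... }", space-separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' \
        | tr -s ' ' | sed 's/^ //; s/ $//'
}

# selinux_type CONTEXT: the type field (third colon-separated component) of a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<perms> <source type> -> <target type> (<class>)"
avc_summary() {
    avc_line=$1
    avc_p=$(avc_perms "$avc_line")
    avc_s=$(selinux_type "$(avc_field "$avc_line" scontext)")
    avc_t=$(selinux_type "$(avc_field "$avc_line" tcontext)")
    avc_c=$(avc_field "$avc_line" tclass)
    printf '%s %s -> %s (%s)\n' "$avc_p" "$avc_s" "$avc_t" "$avc_c"
}

# avc_is_entrypoint_denial LINE: succeed when the record is an enforcing-mode
# entrypoint denial on a file, i.e. the file's type is not a valid entrypoint
# for the source domain (the case in the article).
avc_is_entrypoint_denial() {
    [ "$(avc_perms "$1")" = "entrypoint" ] \
        && [ "$(avc_field "$1" tclass)" = "file" ] \
        && [ "$(avc_field "$1" permissive)" = "0" ]
}

# avc_scan: read audit records on stdin and print one summary per AVC record.
avc_scan() {
    grep '^type=AVC ' | while IFS= read -r rec; do avc_summary "$rec"; done
}

# Usage on the constructed sample; on a real host feed it `ausearch -m AVC -ts recent`.
printf '%s\n' "$AUDIT_SAMPLE" | avc_scan
```

Feeding the helpers the output of ausearch for a time window gives a compact list of which source domain was denied which permission on which target type; an entrypoint denial on tclass=file with permissive=0 is the signature of the problem this article describes and points at the label of the executed file rather than at sudo itself.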
Environment
- Red Hat Enterprise Linux 6 and later
- sudo
- confined users