RHEL-101006

Crontab write into crontab temporary file causes AVC denials


    • rhel-security-selinux
    • QE ack
    • The reproducer does not trigger SELinux denials.
    • Automated

      What were you trying to do that didn't work?

      When crontab (crontab_t) tries to write into the crontab file, SELinux denials of write permission into the file (user_home_dir_t) appear.

      What is the impact of this issue to you?

      SELinux denials were shown; there is no impact on the test itself.

      Please provide the package NVR for which the bug is seen:

      # rpm -qa | grep selinux
      libselinux-3.6-3.el9.x86_64
      libselinux-utils-3.6-3.el9.x86_64
      python3-libselinux-3.6-3.el9.x86_64
      rpm-plugin-selinux-4.16.1.3-37.el9.x86_64
      selinux-policy-38.1.53-5.el9_6.noarch
      selinux-policy-targeted-38.1.53-5.el9_6.noarch
      selinux-policy-devel-38.1.53-5.el9_6.noarch
      # rpm -qa | grep sudo
      sudo-1.9.5p2-10.el9_3.x86_64
      libsss_sudo-2.9.6-4.el9_6.2.x86_64
      

      How reproducible is this bug?

      Always

      Steps to reproduce

      1. reserve a RHEL-9.6 machine
      2. git clone https://pkgs.devel.redhat.com/git/tests/selinux-policy
      3. run the following command:
        tmt --context distro=RHEL-9.6 run plan --default -vvv prepare discover -h fmf -t /Regression/users-run-sudo-crontab -vv provision -h connect -g IP -u root execute --how tmt --interactive login finish -vvv
        

      Expected results

      No AVCs.

      Actual results

      There are AVCs.

      Detailed test log:

      [1] https://artifacts.osci.redhat.com/testing-farm/e3e55205-e696-4f20-b7b5-d0632eb0ca68/work-stable-testspqebuc_7/Plans/general/stable-tests/execute/data/guest/default-0/Downstream_selinux_tests/Regression/users-run-sudo-crontab-92/output.txt 

      ----
      type=PROCTITLE msg=audit(06/27/2025 13:43:37.313:11965) : proctitle=/usr/bin/vim /tmp/crontab.GIpQSY 
      type=PATH msg=audit(06/27/2025 13:43:37.313:11965) : item=0 name=/home/user10785/ inode=25999488 dev=fd:02 mode=dir,700 ouid=user10785 ogid=user10785 rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/27/2025 13:43:37.313:11965) : cwd=/home/user10785 
      type=SYSCALL msg=audit(06/27/2025 13:43:37.313:11965) : arch=s390x syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x2aa338a4930 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=1 ppid=686851 pid=686856 auid=user10785 uid=user10785 gid=user10785 euid=user10785 suid=user10785 fsuid=user10785 egid=user10785 sgid=user10785 fsgid=user10785 tty=(none) ses=67 comm=vim exe=/usr/bin/vim subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null) 
      type=AVC msg=audit(06/27/2025 13:43:37.313:11965) : avc:  denied  { write } for  pid=686856 comm=vim name=user10785 dev="vda2" ino=25999488 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 
      ----
      type=PROCTITLE msg=audit(06/27/2025 13:43:53.693:12062) : proctitle=/usr/bin/vim /tmp/crontab.a0voD1 
      type=PATH msg=audit(06/27/2025 13:43:53.693:12062) : item=0 name=/home/user10785/ inode=25999488 dev=fd:02 mode=dir,700 ouid=user10785 ogid=user10785 rdev=00:00 obj=staff_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/27/2025 13:43:53.693:12062) : cwd=/home/user10785 
      type=SYSCALL msg=audit(06/27/2025 13:43:53.693:12062) : arch=s390x syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x2aa1cd74970 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=1 ppid=687151 pid=687156 auid=user10785 uid=user10785 gid=user10785 euid=user10785 suid=user10785 fsuid=user10785 egid=user10785 sgid=user10785 fsgid=user10785 tty=(none) ses=71 comm=vim exe=/usr/bin/vim subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null) 
      type=AVC msg=audit(06/27/2025 13:43:53.693:12062) : avc:  denied  { write } for  pid=687156 comm=vim name=user10785 dev="vda2" ino=25999488 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 
      ----
      type=PROCTITLE msg=audit(06/27/2025 13:44:21.943:12183) : proctitle=/usr/bin/vim /tmp/crontab.9iXQt1 
      type=PATH msg=audit(06/27/2025 13:44:21.943:12183) : item=0 name=/home/user29865/ inode=26621440 dev=fd:02 mode=dir,700 ouid=user29865 ogid=user29865 rdev=00:00 obj=sysadm_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/27/2025 13:44:21.943:12183) : cwd=/home/user29865 
      type=SYSCALL msg=audit(06/27/2025 13:44:21.943:12183) : arch=s390x syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x2aa0c9345b0 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=1 ppid=687638 pid=687643 auid=user29865 uid=user29865 gid=user29865 euid=user29865 suid=user29865 fsuid=user29865 egid=user29865 sgid=user29865 fsgid=user29865 tty=(none) ses=74 comm=vim exe=/usr/bin/vim subj=sysadm_u:sysadm_r:admin_crontab_t:s0-s0:c0.c1023 key=(null) 
      type=AVC msg=audit(06/27/2025 13:44:21.943:12183) : avc:  denied  { write } for  pid=687643 comm=vim name=user29865 dev="vda2" ino=26621440 scontext=sysadm_u:sysadm_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 
      ----
      type=PROCTITLE msg=audit(06/27/2025 13:44:37.243:12277) : proctitle=/usr/bin/vim /tmp/crontab.4FzIR2 
      type=PATH msg=audit(06/27/2025 13:44:37.243:12277) : item=0 name=/home/user29865/ inode=26621440 dev=fd:02 mode=dir,700 ouid=user29865 ogid=user29865 rdev=00:00 obj=sysadm_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
      type=CWD msg=audit(06/27/2025 13:44:37.243:12277) : cwd=/home/user29865 
      type=SYSCALL msg=audit(06/27/2025 13:44:37.243:12277) : arch=s390x syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x2aa3d8385f0 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=1 ppid=687937 pid=687942 auid=user29865 uid=user29865 gid=user29865 euid=user29865 suid=user29865 fsuid=user29865 egid=user29865 sgid=user29865 fsgid=user29865 tty=(none) ses=78 comm=vim exe=/usr/bin/vim subj=sysadm_u:sysadm_r:admin_crontab_t:s0-s0:c0.c1023 key=(null) 
      type=AVC msg=audit(06/27/2025 13:44:37.243:12277) : avc:  denied  { write } for  pid=687942 comm=vim name=user29865 dev="vda2" ino=26621440 scontext=sysadm_u:sysadm_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
      ----
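      The records above are interpreted audit output (ausearch -i style): each event carries a PROCTITLE, PATH, CWD, SYSCALL and AVC record sharing one serial, and the AVC tells you the source type (crontab_t or admin_crontab_t), the target type (user_home_dir_t), the object class (dir) and the denied permission (write). The script below is an added example, not part of this report or of the selinux-policy test suite: it groups such records by serial, keeps only enforced denials (permissive=0), joins each to its SYSCALL record, and collapses them into audit2allow-style statements with event counts. The sample text is constructed from the records quoted above (SYSCALL lines abridged), plus one permissive=1 record that is not in the report, added to exercise the filtering. The generated statements describe what was denied; whether crontab_t should be allowed to write into user_home_dir_t is a policy question, so do not load them as a fix.

```python
"""Parse interpreted (ausearch -i style) audit records and summarise enforced AVC denials.

Added example; not code from the report or from selinux-policy. SAMPLE_AUDIT is
constructed from the records quoted in the report (SYSCALL lines abridged) plus one
permissive=1 record that is not in the report.
"""
import re
from collections import Counter, defaultdict

SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(06/27/2025 13:43:37.313:11965) : arch=s390x syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW ppid=686851 pid=686856 auid=user10785 uid=user10785 comm=vim exe=/usr/bin/vim subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/27/2025 13:43:37.313:11965) : avc:  denied  { write } for  pid=686856 comm=vim name=user10785 dev="vda2" ino=25999488 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(06/27/2025 13:44:21.943:12183) : arch=s390x syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW ppid=687638 pid=687643 auid=user29865 uid=user29865 comm=vim exe=/usr/bin/vim subj=sysadm_u:sysadm_r:admin_crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(06/27/2025 13:44:21.943:12183) : avc:  denied  { write } for  pid=687643 comm=vim name=user29865 dev="vda2" ino=26621440 scontext=sysadm_u:sysadm_r:admin_crontab_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(06/27/2025 13:45:00.000:12300) : avc:  denied  { read } for  pid=700000 comm=vim name=x dev="vda2" ino=1 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# type=... msg=audit(<timestamp>:<serial>) prefix shared by every record of one event
_HEAD = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[^)]*):(?P<serial>\d+)\)")
# avc:  denied  { perm perm ... }
_AVC = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
# key=value tokens; quoted values (dev="vda2") are kept whole
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_record(line):
    """Parse one interpreted audit record into a dict; None if the line is not one."""
    m = _HEAD.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": m["ts"]}
    rec.update((k, v.strip('"')) for k, v in _KV.findall(line))
    if rec["type"] == "AVC":
        a = _AVC.search(line)
        if not a:
            return None
        rec["verdict"] = a["verdict"]
        rec["perms"] = frozenset(a["perms"].split())
        rec["stype"] = context_type(rec["scontext"])
        rec["ttype"] = context_type(rec["tcontext"])
        rec["permissive"] = rec.get("permissive") == "1"
    return rec


def group_events(text):
    """Group records by audit serial so an AVC can be read next to its SYSCALL."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]][rec["type"]] = rec
    return dict(events)


def enforced_denials(events):
    """AVCs that were enforced (permissive=0), i.e. the ones that actually failed an operation."""
    return [e["AVC"] for e in events.values()
            if "AVC" in e and e["AVC"]["verdict"] == "denied" and not e["AVC"]["permissive"]]


def te_summary(events):
    """Collapse enforced denials into audit2allow-style statements with event counts.

    This describes what was denied; it is not a rule set to load as a fix."""
    counts = Counter((d["stype"], d["ttype"], d["tclass"], tuple(sorted(d["perms"])))
                     for d in enforced_denials(events))
    return {f"allow {s} {t}:{c} {{ {' '.join(p)} }};": n
            for (s, t, c, p), n in sorted(counts.items())}


def describe(events):
    """One line per enforced denial, with the syscall and errno from the SYSCALL record."""
    out = []
    for serial in sorted(events):
        avc = events[serial].get("AVC")
        if not avc or avc["verdict"] != "denied" or avc["permissive"]:
            continue
        sc = events[serial].get("SYSCALL", {})
        call = f"{sc.get('syscall', '?')} -> {sc.get('exit', '?').split('(')[0]}"
        out.append(f"{serial}: {avc['comm']} ({avc['stype']}) {call}: "
                   f"{' '.join(sorted(avc['perms']))} on {avc['ttype']}:{avc['tclass']} "
                   f"name={avc.get('name')}")
    return out


if __name__ == "__main__":
    ev = group_events(SAMPLE_AUDIT)
    for line in describe(ev):
        print(line)
    for rule, n in te_summary(ev).items():
        print(f"{n}x  {rule}")
```

      Feed it `ausearch -i -m AVC,SYSCALL -ts recent` output instead of SAMPLE_AUDIT to triage a real machine; the permissive flag is what separates denials that broke something from ones only logged because a domain is permissive.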
      

              Zdenek Pytela
              Patrik Končitý
              Milos Malik