RHEL-107874

AVC denials while using cockpit with a user mapped as sysadm_u



      What were you trying to do that didn't work?

      After mapping a given user to sysadm_u, our customer observes multiple AVC denials after gaining "Administrative access" in cockpit, or when clicking on the VM tab. I'm sharing here a reproducer for these two AVCs, but the customer reports other AVCs that I'll share in a separate comment.

      What is the impact of this issue to you?

      I understand some operations may fail, and the customer expects a dedicated policy for such contexts.

      Please provide the package NVR for which the bug is seen:

      selinux-policy-38.1.53-5.el9_6.noarch
      selinux-policy-targeted-38.1.53-5.el9_6.noarch

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1/ create a tester user belonging to the platadm group

      # groupadd platadm
      # semanage login -a -s sysadm_u %platadm
      # useradd -g platadm tester
      # passwd tester
      

      2/ edit /etc/sudoers and insert the following line 

      %platadm ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
      

      3/ [optional] allow ssh login to check the context

      # setsebool -P ssh_sysadm_login on

      And check the context

      $ ssh tester@192.168.124.10 id 
      uid=1000(tester) gid=1000(platadm) groups=1000(platadm) context=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

      4/ Install cockpit

      # dnf install cockpit cockpit-machines

      5/ Log in to cockpit as the user 'tester', and click to gain 'Administrative access'. Then click on the VM tab, and observe the AVC denials with

      # ausearch -m avc
      

      Expected results

      No denials.

      Actual results

      time->Wed Aug  6 16:12:43 2025
      type=PROCTITLE msg=audit(1754489563.432:86): proctitle=7375646F002D6B002D4100636F636B7069742D627269646765002D2D70726976696C65676564
      type=SYSCALL msg=audit(1754489563.432:86): arch=c000003e syscall=16 success=no exit=-13 a0=2 a1=5413 a2=7ffc27f4ed70 a3=0 items=0 ppid=1541 pid=1542 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1754489563.432:86): avc:  denied  { ioctl } for  pid=1542 comm="sudo" path="socket:[17327]" dev="sockfs" ino=17327 ioctlcmd=0x5413 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
      ----
      time->Wed Aug  6 16:12:43 2025
      type=PROCTITLE msg=audit(1754489563.711:89): proctitle=7375646F002D6B002D4100636F636B7069742D627269646765002D2D70726976696C65676564
      type=SYSCALL msg=audit(1754489563.711:89): arch=c000003e syscall=16 success=no exit=-13 a0=2 a1=5401 a2=7ffc27f49990 a3=8 items=0 ppid=1541 pid=1542 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1754489563.711:89): avc:  denied  { ioctl } for  pid=1542 comm="sudo" path="socket:[17327]" dev="sockfs" ino=17327 ioctlcmd=0x5401 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
      ----
      time->Wed Aug  6 16:12:43 2025
      type=PROCTITLE msg=audit(1754489563.714:93): proctitle=7375646F002D6B002D4100636F636B7069742D627269646765002D2D70726976696C65676564
      type=SYSCALL msg=audit(1754489563.714:93): arch=c000003e syscall=16 success=no exit=-13 a0=2 a1=5401 a2=7ffc27f4d800 a3=7f27cffb0c40 items=0 ppid=1541 pid=1542 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1754489563.714:93): avc:  denied  { ioctl } for  pid=1542 comm="sudo" path="socket:[17327]" dev="sockfs" ino=17327 ioctlcmd=0x5401 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
      ----
      time->Wed Aug  6 16:16:42 2025
      type=PROCTITLE msg=audit(1754489802.252:362): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F75743D313230
      type=SYSCALL msg=audit(1754489802.252:362): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f858df67e24 a2=0 a3=0 items=0 ppid=1524 pid=4009 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="daemon-init" exe="/usr/sbin/virtqemud" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1754489802.252:362): avc:  denied  { read } for  pid=4009 comm="daemon-init" name="kvm" dev="devtmpfs" ino=569 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
      ----
      time->Wed Aug  6 16:16:42 2025
      type=PROCTITLE msg=audit(1754489802.576:364): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D53002D6E6F2D757365722D636F6E666967002D6E6F64656661756C7473002D6E6F67726170686963002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367002D716D7000756E69783A2F686F6D652F7465737465722F2E636F6E6669672F6C69627669
      type=SYSCALL msg=audit(1754489802.576:364): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=562fc9e4ee1e a2=80002 a3=0 items=0 ppid=1524 pid=4142 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1754489802.576:364): avc:  denied  { read write } for  pid=4142 comm="qemu-kvm" name="kvm" dev="devtmpfs" ino=569 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
      ----
      time->Wed Aug  6 16:16:43 2025
      type=PROCTITLE msg=audit(1754489803.094:366): proctitle=2F7573722F7362696E2F7669727471656D7564002D2D74696D656F75743D313230
      type=SYSCALL msg=audit(1754489803.094:366): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7f858df67e24 a2=0 a3=0 items=0 ppid=1524 pid=4009 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="rpc-virtqemud" exe="/usr/sbin/virtqemud" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
      type=AVC msg=audit(1754489803.094:366): avc:  denied  { read } for  pid=4009 comm="rpc-virtqemud" name="kvm" dev="devtmpfs" ino=569 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
      
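A small triage helper for records of this shape, added here as an example and not code from the bug report or from any Red Hat tool. It parses `ausearch -m avc` output, decodes the hex-encoded PROCTITLE field (the sudo records above decode to `sudo -k -A cockpit-bridge --privileged`, the virtqemud ones to `/usr/sbin/virtqemud --timeout=120`, and the qemu-kvm one starts `/usr/libexec/qemu-kvm -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/home/tester/.config/libvi...`), names the two ioctl requests from `<asm-generic/ioctls.h>` (0x5401 is TCGETS, 0x5413 is TIOCGWINSZ, both termios calls on the cockpit-bridge socket), and groups the denied permissions into the `allow` rules audit2allow would propose. The embedded sample input is constructed from the records above, with SYSCALL fields trimmed and a shortened qemu-kvm command line.

```python
"""Triage helper for `ausearch -m avc` output. Added example, not code from
the bug report or from any Red Hat tool: parse the records, decode the hex
PROCTITLE, name termios ioctl requests and render audit2allow-style rules
so the missing access can be reasoned about before any policy is written."""
import re
from collections import defaultdict

# Termios ioctl request numbers, x86-64 Linux (<asm-generic/ioctls.h>).
IOCTL_NAMES = {0x5401: "TCGETS", 0x5402: "TCSETS",
               0x5413: "TIOCGWINSZ", 0x5414: "TIOCSWINSZ"}

# Constructed sample modelled on the report's records (SYSCALL fields
# trimmed, qemu-kvm command line shortened); not a copy of a real log.
SAMPLE = """\
time->Wed Aug  6 16:12:43 2025
type=PROCTITLE msg=audit(1754489563.432:86): proctitle=7375646F002D6B002D4100636F636B7069742D627269646765002D2D70726976696C65676564
type=SYSCALL msg=audit(1754489563.432:86): arch=c000003e syscall=16 success=no exit=-13 ppid=1541 pid=1542 auid=1000 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1754489563.432:86): avc:  denied  { ioctl } for  pid=1542 comm="sudo" path="socket:[17327]" dev="sockfs" ino=17327 ioctlcmd=0x5413 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
----
time->Wed Aug  6 16:16:42 2025
type=PROCTITLE msg=audit(1754489802.576:364): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D53002D6D616368696E65006E6F6E652C616363656C3D6B766D3A746367
type=SYSCALL msg=audit(1754489802.576:364): arch=c000003e syscall=257 success=no exit=-13 ppid=1524 pid=4142 auid=1000 uid=1000 euid=1000 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1754489802.576:364): avc:  denied  { read write } for  pid=4142 comm="qemu-kvm" name="kvm" dev="devtmpfs" ino=569 scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kvm_device_t:s0 tclass=chr_file permissive=0
"""

_HDR = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")

def decode_proctitle(value: str) -> list[str]:
    """auditd hex-encodes PROCTITLE when argv holds NULs or spaces, with the
    argv elements NUL-separated; short titles stay as a quoted string."""
    if value.startswith('"'):
        return [value.strip('"')]
    return [a.decode("utf-8", "replace")
            for a in bytes.fromhex(value).split(b"\0") if a]

def ioctl_name(cmd: int) -> str:
    return IOCTL_NAMES.get(cmd, f"0x{cmd:x}")

def _kv(text: str) -> dict[str, str]:
    return {k: v.strip('"') for k, v in _KV.findall(text)}

def _type(ctx: str) -> str:
    return ctx.split(":")[2]  # user:role:type:range -> type

def parse_ausearch(text: str) -> list[dict]:
    """One dict per '----'-separated event that carries an AVC record."""
    events = []
    for chunk in text.split("\n----\n"):
        ev = {"serial": None, "proctitle": [], "syscall": {}, "avc": None}
        for line in chunk.splitlines():
            m = _HDR.match(line.strip())
            if not m:  # the 'time->' line, or noise
                continue
            rtype, _, serial, body = m.groups()
            ev["serial"] = int(serial)
            if rtype == "PROCTITLE":
                ev["proctitle"] = decode_proctitle(_kv(body)["proctitle"])
            elif rtype == "SYSCALL":
                ev["syscall"] = _kv(body)
            elif rtype == "AVC" and (a := _AVC.search(body)):
                ev["avc"] = _kv(a.group(2))
                ev["avc"]["perms"] = a.group(1).split()
        if ev["avc"]:
            events.append(ev)
    return events

def summarize(events: list[dict]) -> dict[tuple[str, str, str], set[str]]:
    """Group denied permissions by (source type, target type, class), the
    granularity of one SELinux allow rule."""
    vectors = defaultdict(set)
    for ev in events:
        a = ev["avc"]
        key = (_type(a["scontext"]), _type(a["tcontext"]), a["tclass"])
        vectors[key].update(a["perms"])
    return dict(vectors)

def to_allow_rules(vectors) -> list[str]:
    """Same shape as audit2allow output. Loading these as-is would widen
    sysadm_t; use them to see where access is missing, not as the fix."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(vectors.items())]

def report(text: str) -> list[str]:
    """One line per denial (decoded argv, vector, named ioctl), then rules."""
    events = parse_ausearch(text)
    lines = []
    for ev in events:
        a = ev["avc"]
        ioctl = (f" ioctl={ioctl_name(int(a['ioctlcmd'], 16))}"
                 if "ioctlcmd" in a else "")
        lines.append(f"{ev['serial']}: {' '.join(ev['proctitle'])} -> denied "
                     f"{{ {' '.join(a['perms'])} }} {_type(a['scontext'])} -> "
                     f"{_type(a['tcontext'])}:{a['tclass']}{ioctl}")
    return lines + [""] + to_allow_rules(summarize(events))

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against a saved `ausearch -m avc -i` dump by replacing `SAMPLE` with the file contents. The rule summary is a diagnostic, not a workaround: the qemu-kvm and virtqemud records above show those processes running as uid 1000 inside the user's own sysadm_t domain (note the session socket under /home/tester/.config/libvirt in the proctitle), so `allow sysadm_t kvm_device_t:chr_file { read write }` would grant every sysadm_t process raw /dev/kvm access, which is exactly the kind of widening the dedicated policy the reporter asks for is meant to avoid.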

People: Zdenek Pytela (rhn-support-zpytela), Christophe Besson (rhn-support-cbesson), Milos Malik