Bug
Resolution: Unresolved
rhel-9.6
selinux-policy-38.1.69-1.el9
rhel-security-selinux
What were you trying to do that didn't work?
Logging into the cockpit web console with staff_u users fails with the error below:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Red Hat Enterprise Linux
Internal error in login process
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This does not impact user_u or sysadm_u users.
From Backline testing:
With dontaudit rules disabled, the following AVCs pop up (I stripped normal "dontaudit" rules from the output):
# ausearch -m avc,user_avc -i -ts recent | audit2allow
#============= staff_t ==============
allow staff_t cockpit_session_t:unix_stream_socket { read write };
After creating and installing the following module, it seems to work:
# echo "(allow staff_t cockpit_session_t (unix_stream_socket (read write)))" > cockpit_staff.cil
# semodule -i cockpit_staff.cil
This issue is not seen in RHEL 8 and there appear to be no defined staff_u rules for this appearing in sesearch.
Steps to reproduce
- Configure cockpit
- Create staff_u user
- Configure sudoers
- Login to webconsole from another system with the staff_u account.
[root@R9 ~]# semanage login -l
Login Name           SELinux User         MLS/MCS Range        Service
%wheel               staff_u              s0-s0:c0.c1023       *
__default__          unconfined_u         s0-s0:c0.c1023       *
cpit                 staff_u              s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
sudoers entry to match customer configuration changes:
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
Connect to cockpit via web browser:
Actual results
The error below is seen:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Red Hat Enterprise Linux
Internal error in login process
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Links to: RHBA-2025:155428 (selinux-policy update)
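
How the raw AVC denials map to the one-line CIL workaround in the report, as an added example that is not part of the original report or of any Red Hat tooling: it merges denials per (source type, target type, class) and filters to the staff_t / cockpit_session_t pair, the same narrowing the reporter did by hand. The log records are constructed, and the function names `collect_denials` and `to_cil` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed raw audit.log records (not from the report): two denials on the
# cockpit session socket plus one unrelated denial of the kind that shows up
# once dontaudit rules are disabled.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="bash" path="socket:[30211]" dev="sockfs" ino=30211 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.102:502): avc:  denied  { write } for  pid=2101 comm="bash" path="socket:[30211]" dev="sockfs" ino=30211 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.103:503): avc:  denied  { noatsecure } for  pid=2101 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=process permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type:range security context."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules


def to_cil(rules, source=None, target=None):
    """Emit CIL allow statements, optionally limited to one source/target type."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        if (source and src != source) or (target and tgt != target):
            continue  # skip denials outside the pair under review
        out.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return out


if __name__ == "__main__":
    for rule in to_cil(collect_denials(SAMPLE_LOG), "staff_t", "cockpit_session_t"):
        print(rule)
```

Filtering by type pair keeps the module limited to the socket access under investigation instead of allowing every denial that appears while dontaudit rules are off.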