- Bug
- Resolution: Unresolved
- Major
- rhel-9.6
- rhel-security-selinux
- SELINUX 251119: 15, SELINUX 251223: 16
- x86_64
What were you trying to do that didn't work?
Tried to run the clevis bind and systemd-cryptenroll commands, which fail.
Upon disabling the dontaudit rules, found the SELinux denials.
What is the impact of this issue to you?
Unable to work with LUKS device.
Please provide the package NVR for which the bug is seen:
selinux-policy-targeted-38.1.53-2.el9.noarch
tpm2-tss-3.2.3-1.el9.x86_64
cryptsetup-libs-2.7.2-3.el9_5.x86_64
cryptsetup-2.7.2-3.el9_5.x86_64
clevis-21-208.el9.x86_64
clevis-luks-21-208.el9.x86_64
clevis-systemd-21-208.el9.x86_64
systemd-udev-252-51.el9.x86_64
clevis-dracut-21-208.el9.x86_64
How reproducible is this bug?:
100%
Steps to reproduce
- Added staff_u to %wheel group and user dcd
- Added Type and Role conversion on %wheel group to have sysadm_r and sysadm_t upon sudo in sudoers.
- Rebooted system to make the changes effective, logged in as user dcd, and elevated access with `sudo -s`
- Tried running the commands clevis bind and systemd-cryptenroll on tpm device
Expected results
No denial
Actual results
AVC Denials
```
# aureport -a
cryptsetup staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 59 process noatsecure staff_u:sysadm_r:lvm_t:s0-s0:c0.c1023 denied 20199
cryptsetup staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 59 process rlimitinh staff_u:sysadm_r:lvm_t:s0-s0:c0.c1023 denied 20199
cryptsetup staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 59 process siginh staff_u:sysadm_r:lvm_t:s0-s0:c0.c1023 denied 20199
clevis-encrypt- staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 439 chr_file read staff_u:sysadm_r:tpm_device_t:s0-s0:c0.c1023 denied 20229
clevis-encrypt- staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 439 chr_file write staff_u:sysadm_r:tpm_device_t:s0-s0:c0.c1023 denied 20230
tpm2_getcap staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 chr_file open system_u:object_r:tpm_device_t:s0 denied 20231
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 blk_file read system_u:object_r:fixed_disk_device_t:s0 denied 20273
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 blk_file open system_u:object_r:fixed_disk_device_t:s0 denied 20273
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 blk_file ioctl system_u:object_r:fixed_disk_device_t:s0 denied 20273
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 248 key write system_u:system_r:kernel_t:s0 denied 25564
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 248 chr_file write system_u:system_r:urandom_device_t:s0 denied 25567
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 248 blk_file write system_u:system_r:fixed_disk_device_t:s0 denied 25568
```
ausearch + audit2allow gives the user this:
```
module luks-tpm 1.0;

require {
	type fixed_disk_device_t;
	type kernel_t;
	type lvm_t;
	type tpm_device_t;
	type sysadm_t;
	type urandom_device_t;
	class chr_file { open read write };
	class process { noatsecure rlimitinh siginh };
	class blk_file { ioctl open read write };
	class key { write };
}

#============= sysadm_t ==============
allow sysadm_t fixed_disk_device_t:blk_file { ioctl open read };
allow sysadm_t lvm_t:process { noatsecure rlimitinh siginh };
allow sysadm_t tpm_device_t:chr_file { open read write };
allow sysadm_t urandom_device_t:chr_file { write };
allow sysadm_t kernel_t:key { write };
```
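As an added example (my own code, not part of the bug report or of selinux-policy), the following Python script parses `aureport -a` rows like the ones above, groups the denials by source type, target type and object class, and compares them against the `allow` rules of a `.te` module such as the audit2allow output. The sample rows and the module text are copied from this report (the rows are constructed input here, with the date/time columns omitted as in the report); the function names are my own. Run on the report's own data it shows one gap: the module's `blk_file` rule grants `{ ioctl open read }` while the audit log also contains a denied `blk_file write`.

```python
"""Check which denials from `aureport -a` a set of SELinux allow rules covers."""
import re
from collections import defaultdict

# Constructed sample: the denied AVC rows quoted in the bug report
# (columns: comm subj syscall class permission obj result event).
SAMPLE_AUREPORT = """\
cryptsetup staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 59 process noatsecure staff_u:sysadm_r:lvm_t:s0-s0:c0.c1023 denied 20199
cryptsetup staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 59 process rlimitinh staff_u:sysadm_r:lvm_t:s0-s0:c0.c1023 denied 20199
cryptsetup staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 59 process siginh staff_u:sysadm_r:lvm_t:s0-s0:c0.c1023 denied 20199
clevis-encrypt- staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 439 chr_file read staff_u:sysadm_r:tpm_device_t:s0-s0:c0.c1023 denied 20229
clevis-encrypt- staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 439 chr_file write staff_u:sysadm_r:tpm_device_t:s0-s0:c0.c1023 denied 20230
tpm2_getcap staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 chr_file open system_u:object_r:tpm_device_t:s0 denied 20231
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 blk_file read system_u:object_r:fixed_disk_device_t:s0 denied 20273
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 blk_file open system_u:object_r:fixed_disk_device_t:s0 denied 20273
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 257 blk_file ioctl system_u:object_r:fixed_disk_device_t:s0 denied 20273
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 248 key write system_u:system_r:kernel_t:s0 denied 25564
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 248 chr_file write system_u:system_r:urandom_device_t:s0 denied 25567
systemd-crypten staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 248 blk_file write system_u:system_r:fixed_disk_device_t:s0 denied 25568
"""

# The allow rules of the luks-tpm module quoted in the report.
SAMPLE_MODULE = """\
allow sysadm_t fixed_disk_device_t:blk_file { ioctl open read };
allow sysadm_t lvm_t:process { noatsecure rlimitinh siginh };
allow sysadm_t tpm_device_t:chr_file { open read write };
allow sysadm_t urandom_device_t:chr_file { write };
allow sysadm_t kernel_t:key { write };
"""

ROW_RE = re.compile(
    r"^(?P<comm>\S+)\s+(?P<scontext>\S+)\s+(?P<syscall>\d+)\s+(?P<tclass>\S+)\s+"
    r"(?P<perm>\S+)\s+(?P<tcontext>\S+)\s+(?P<result>denied|granted)\s+(?P<event>\d+)$"
)
# allow <stype> <ttype>:<class> { perm ... };   or   allow <stype> <ttype>:<class> perm;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;")


def context_type(ctx):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return ctx.split(":")[2]


def parse_aureport(text):
    """Parse aureport -a rows into dicts; comment and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised aureport row: {line!r}")
        rows.append(m.groupdict())
    return rows


def needed_allows(rows):
    """Group denied accesses as (source type, target type, class) -> set of perms."""
    needed = defaultdict(set)
    for r in rows:
        if r["result"] == "denied":
            key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
            needed[key].add(r["perm"])
    return dict(needed)


def parse_allow_rules(te_text):
    """Extract allow rules from .te text into the same keyed form."""
    rules = defaultdict(set)
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
            rules[(m.group(1), m.group(2), m.group(3))].update(perms)
    return dict(rules)


def uncovered(needed, rules):
    """Return the denied permissions that the allow rules do not grant."""
    return {key: perms - rules.get(key, set())
            for key, perms in needed.items() if perms - rules.get(key, set())}


if __name__ == "__main__":
    needed = needed_allows(parse_aureport(SAMPLE_AUREPORT))
    for key, perms in sorted(needed.items()):
        print("%s -> %s:%s %s" % (key[0], key[1], key[2], sorted(perms)))
    print("not covered by module:", uncovered(needed, parse_allow_rules(SAMPLE_MODULE)))
```

The grouping is the same reduction audit2allow performs, so comparing its result with the module's `allow` lines is a quick way to verify that a locally built module really addresses every denial in the log before loading it; an uncovered entry, as with `blk_file write` here, means another run will still be denied.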