Bug
Resolution: Unresolved
rhel-9.6
Low
rhel-security-selinux
Actions within the cockpit UI generate SELinux denials (shown while having "dontaudit" enabled):
Output provided by backline:
type=PROCTITLE msg=audit(08/01/2025 14:10:33.651:418) : proctitle=lastlog
type=PATH msg=audit(08/01/2025 14:10:33.651:418) : item=0 name=/var/log/lastlog inode=33858567 dev=fd:00 mode=file,664 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:lastlog_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/01/2025 14:10:33.651:418) : cwd=/
type=SYSCALL msg=audit(08/01/2025 14:10:33.651:418) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5608767fa835 a2=O_RDONLY a3=0x0 items=1 ppid=2085 pid=2238 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=11 comm=lastlog exe=/usr/bin/lastlog subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/01/2025 14:10:33.651:418) : avc: denied { read } for pid=2238 comm=lastlog name=lastlog dev="dm-0" ino=33858567 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=0

type=PROCTITLE msg=audit(08/01/2025 14:12:42.128:424) : proctitle=/usr/bin/python3 /usr/bin/cockpit-bridge
type=PATH msg=audit(08/01/2025 14:12:42.128:424) : item=0 name=/proc/self/fd/15 inode=50501936 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:home_root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/01/2025 14:12:42.128:424) : cwd=/
type=SYSCALL msg=audit(08/01/2025 14:12:42.128:424) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0xd a1=0x7ffd1825e710 a2=0x87c0 a3=0xf items=1 ppid=2065 pid=2085 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=11 comm=cockpit-bridge exe=/usr/bin/python3.9 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/01/2025 14:12:42.128:424) : avc: denied { watch } for pid=2085 comm=cockpit-bridge path=/home dev="dm-0" ino=50501936 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0

type=PROCTITLE msg=audit(08/01/2025 14:15:07.099:435) : proctitle=/usr/libexec/platform-python -c #\012# This file is part of Cockpit.\012#\012# Copyright (C) 2017 Red Hat, Inc.\012#\012# Cockpit is free softw
type=PATH msg=audit(08/01/2025 14:15:07.099:435) : item=0 name=/var/cache inode=29635 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/01/2025 14:15:07.099:435) : cwd=/
type=SYSCALL msg=audit(08/01/2025 14:15:07.099:435) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7f17cfb3b910 a2=0xfc8 a3=0x0 items=1 ppid=2085 pid=2593 auid=staff uid=staff gid=staff euid=staff suid=staff fsuid=staff egid=staff sgid=staff fsgid=staff tty=(none) ses=11 comm=platform-python exe=/usr/bin/python3.9 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/01/2025 14:15:07.099:435) : avc: denied { watch } for pid=2593 comm=platform-python path=/var/cache dev="dm-0" ino=29635 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
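The records above are `ausearch -i` output with each event's PROCTITLE/PATH/CWD/SYSCALL/AVC records run together on one line, which makes them awkward to triage by eye. The following is an added example (not code from the report or from Cockpit) that regroups such lines by event serial and reduces each event to the denied source type, target type, class and permission, in the form audit2allow would print; the sample input is two of the report's own events, abridged to the fields the parser reads.

```python
import re
from collections import defaultdict

# Two of the report's events, abridged; every record of one event sits on one line.
SAMPLE = """\
type=PROCTITLE msg=audit(08/01/2025 14:10:33.651:418) : proctitle=lastlog type=SYSCALL msg=audit(08/01/2025 14:10:33.651:418) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=lastlog exe=/usr/bin/lastlog subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(08/01/2025 14:10:33.651:418) : avc: denied { read } for pid=2238 comm=lastlog name=lastlog dev="dm-0" ino=33858567 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(08/01/2025 14:12:42.128:424) : proctitle=/usr/bin/python3 /usr/bin/cockpit-bridge type=SYSCALL msg=audit(08/01/2025 14:12:42.128:424) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) comm=cockpit-bridge exe=/usr/bin/python3.9 subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(08/01/2025 14:12:42.128:424) : avc: denied { watch } for pid=2085 comm=cockpit-bridge path=/home dev="dm-0" ino=50501936 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=0
"""

# A record starts at every "type=<T> msg=audit(" token; the header carries the event serial.
RECORD_SPLIT = re.compile(r"\s+(?=type=\w+ msg=audit\()")
HEADER = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$", re.S)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value, value may be quoted
PERMS = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")

def parse_events(text):
    """Group records by event serial and reduce each event to one denial summary."""
    events = defaultdict(dict)
    for line in text.splitlines():
        for rec in RECORD_SPLIT.split(line.strip()):
            m = HEADER.match(rec)
            if not m:
                continue
            rtype, ts, serial, body = m.groups()
            f = {k: v.strip('"') for k, v in FIELD.findall(body)}
            ev = events[serial]
            ev["time"] = ts
            if rtype == "SYSCALL":
                ev["syscall"] = f.get("syscall")
            elif rtype == "AVC":
                # The third colon-separated field of an SELinux context is its type.
                ev.update(
                    comm=f.get("comm"),
                    target=f.get("path") or f.get("name"),
                    source_type=f["scontext"].split(":")[2],
                    target_type=f["tcontext"].split(":")[2],
                    tclass=f["tclass"],
                    perms=sorted(PERMS.search(body).group(1).split()),
                    permissive=f.get("permissive") == "1",
                )
    return [events[s] for s in sorted(events, key=int)]

def candidate_rule(ev):
    """Denial in audit2allow form: names the type/class/permission the policy lacks."""
    return f"allow {ev['source_type']} {ev['target_type']}:{ev['tclass']} {{ {' '.join(ev['perms'])} }};"

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        if "perms" in ev:
            print(ev["time"], ev["comm"], ev["syscall"], ev["target"], "->", candidate_rule(ev))
```

The rule strings are for locating the missing policy interface when reading the policy sources, not for loading as-is.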
Steps to reproduce
- Configure cockpit
- Create staff_u user
- Configure sudoers
- Log in to the web console from another system with the staff_u account.
- Click on various items within the console to generate denials.
sudoers entry matching the customer's configuration changes:
%wheel ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
Connect to cockpit via web browser: