Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: rhel-8.10
Affects Version/s: rhel-8.8.0
Component/s: selinux-policy
Labels:
- AutoVerified

Fixed in Build:
selinux-policy-3.14.3-133.el8
Regression:
None
Severity:
Moderate

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
20
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
None

Acceptance Criteria:

Hide

System administrator that is confined by SELinux (sysadm_u) can successfully run the tcpdump command via sudo. No SELinux denials are triggered during the run.

Show
System administrator that is confined by SELinux (sysadm_u) can successfully run the tcpdump command via sudo. No SELinux denials are triggered during the run.
Preliminary Testing:
Pass
Errata Link:
https://errata.devel.redhat.com/advisory/121335
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.SELinux policy contains rules for additional services and applications

This version of the `selinux-policy` package contains additional rules. Most notably, users in the `sysadm_r` role can execute the following commands:

* `sudo traceroute`
* `sudo tcpdump`
* `sudo dnf`

Show
.SELinux policy contains rules for additional services and applications This version of the `selinux-policy` package contains additional rules. Most notably, users in the `sysadm_r` role can execute the following commands: * `sudo traceroute` * `sudo tcpdump` * `sudo dnf`
Release Note Status:
Done

Experience:

PX Impact Score:
PX Priority Data:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Users mapped to sysadm_u cannot execute `sudo tcpdump` command because `tcpdump` executes in `sysadm_sudo_t` context due to missing rule to transition.

Please provide the package NVR for which bug is seen:

selinux-policy

How reproducible:

Always

Steps to reproduce

Execute `sudo tcpdump` from a confined user mapped to `sysadm_u`

Expected results

Works

Actual results

Fails

is cloned by

RHEL-15432 Confined sysadm cannot execute "sudo tcpdump" command [rhel-9]

Closed

links to

Allow sysadm execute tcpdump in sysadm_t domain using sudo

RHBA-2023:121335 selinux-policy bug fix and enhancement update

TCMS Test Case 57515

mentioned on

Commit - * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133

Merge request - * Wed Dec 13 2023 Zdenek Pytela <zpytela@redhat.com> - 3.14.3-133

(1 mentioned on)

Assignee:: Zdenek Pytela

Reporter:: Renaud Métrich

Developer:: Nikola Kňažeková (Inactive)

QA Contact:: Milos Malik

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 2023/11/03 8:25 AM

Updated:: 2024/09/23 6:40 PM

Resolved:: 2024/05/22 9:54 AM

Target end:: 2024/01/15

Release Date:: 2024/05/22

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates