Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.4
Affects Version/s: rhel-9.2.0
Component/s: selinux-policy
Labels:
- AutoVerified

Fixed in Build:
selinux-policy-38.1.30-1.el9
Regression:
None
Severity:
Moderate

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
20
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
None

Acceptance Criteria:

Hide

System administrator that is confined by SELinux (sysadm_u) can successfully run the tcpdump command via sudo. No SELinux denials are triggered during the run.

Show
System administrator that is confined by SELinux (sysadm_u) can successfully run the tcpdump command via sudo. No SELinux denials are triggered during the run.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/121166
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.SELinux policy contains rules for additional services and applications

This version of the `selinux-policy` package contains additional rules. Most notably, users in the `sysadm_r` role can execute the following commands:

* `sudo traceroute` (RHEL-14077)
* `sudo tcpdump` (~~RHEL-15432~~)

Show
.SELinux policy contains rules for additional services and applications This version of the `selinux-policy` package contains additional rules. Most notably, users in the `sysadm_r` role can execute the following commands: * `sudo traceroute` (RHEL-14077) * `sudo tcpdump` ( RHEL-15432 )
Release Note Status:
Done

Experience:

PX Impact Score:
PX Priority Data:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

Users mapped to sysadm_u cannot execute `sudo tcpdump` command because `tcpdump` executes in `sysadm_sudo_t` context due to missing rule to transition.

Please provide the package NVR for which bug is seen:

selinux-policy

How reproducible:

Always

Steps to reproduce

Execute `sudo tcpdump` from a confined user mapped to `sysadm_u`

Expected results

Works

Actual results

Fails

clones

RHEL-15398 Confined sysadm cannot execute "sudo tcpdump" command [rhel-8]

Closed

is cloned by

RHEL-57604 Confined sysadm cannot execute "sudo tcpdump" command [rhel-10]

Closed

links to

RHBA-2023:121166 selinux-policy bug fix and enhancement update

TCMS Test Case 57515

Assignee:: Zdenek Pytela

Reporter:: Renaud Métrich

Need Info From:: Zdenek Pytela

Developer:: Nikola Kňažeková (Inactive)

QA Contact:: Milos Malik

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2023/11/03 12:24 PM

Updated:: 2024/09/23 6:40 PM

Resolved:: 2024/04/30 10:13 AM

Target end:: 2024/01/15

Release Date:: 2024/04/30

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates