RHEL-1679

Users mapped to sysadm_u cannot execute `sudo dnf` command

    • selinux-policy-3.14.3-132.el8
    • None
    • Important
    • rhel-sst-security-selinux
    • ssg_security
    • 14
    • None
    • QE ack, Dev ack
    • False
    • Yes
    • A confined user (sysadm_u) can successfully run the `sudo dnf update` command. No SELinux denials are triggered during the run.
    • Pass
    • Automated
    • Bug Fix
    • Cause: The SELinux policy had no rule allowing users in the sysadm_r role to run dnf through sudo (the sysadm_sudo_t domain could not execute dnf).
      Consequence: Users in the sysadm_r role could not run `sudo dnf`; the command failed with an rpmdb open error.
      Fix: A rule covering this access was added to the policy.
      Result: Users in the sysadm_r role can run `sudo dnf`.
    • Proposed
    • None

      Description of problem:

      This is a consequence of the decision not to fix BZ 1910077.
      Users mapped to sysadm_u cannot execute the `sudo dnf` command because the `sysadm_sudo_t` context cannot execute DNF due to a missing rule.

      Version-Release number of selected component (if applicable):

      selinux-policy

      How reproducible:

      Always

      Steps to Reproduce:
      1. Create a user mapped to sysadm_u:

         # useradd -G wheel -Z sysadm_u sysadm
         # echo redhat | passwd --stdin sysadm
         # setsebool -P ssh_sysadm_login=on

      2. Log in as the user and try executing dnf:

         $ ssh sysadm@localhost
         $ id -Z
         sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
         $ sudo dnf update

      Actual results:

      error: cannot open Packages database in /var/lib/rpm
      Error: Error: rpmdb open failed

      Expected results:

      No error
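      The following script is an added example, not part of this report or of selinux-policy. It wraps the reproduction steps above and the verification criterion (dnf succeeds and no AVC denial from the sysadm_sudo_t domain is logged) so that the check can be run unattended on a RHEL 8 host. The user name `sysadm` and password `redhat` come from the report; the use of `sshpass`, `sudo -S`, `dnf -y`, the `ausearch` time mark, all function names, and the three sample audit records are this example's own assumptions. The audit records are constructed, not captured from a real host, and exist only so the filter can be exercised without root.

```bash
#!/usr/bin/env bash
# Added example for RHEL-1679: reproduce the sysadm_u setup from the report,
# run `sudo dnf update` as that user, and count AVC denials whose source
# context is sysadm_sudo_t. Not from the original issue or selinux-policy.

# --- Constructed sample audit records (not from any real system) ---------
# A denial of the shape the report describes: sysadm_sudo_t vs. the rpm db.
SAMPLE_DENIAL='type=AVC msg=audit(1693478400.123:456): avc:  denied  { read write } for  pid=1234 comm="dnf" name="Packages" dev="vda1" ino=12345 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=0'
# An unrelated denial from another domain; it must not be counted.
SAMPLE_OTHER='type=AVC msg=audit(1693478401.000:457): avc:  denied  { getattr } for  pid=999 comm="httpd" path="/srv/x" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'
# A normal sudo record: mentions sysadm_sudo_t but is not an AVC, so not counted.
SAMPLE_CLEAN="type=USER_CMD msg=audit(1693478402.000:458): pid=2000 uid=1000 auid=1000 ses=3 subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 msg='cwd=\"/home/sysadm\" cmd=646E6620757064617465 exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'"

# count_sysadm_sudo_denials: read audit records on stdin and print how many
# AVC denials have sysadm_sudo_t as the source domain. The anchor on
# "type=AVC " keeps USER_CMD/SYSCALL records that merely mention the domain
# from being counted. grep -c exits 1 on zero matches, hence the "|| true".
count_sysadm_sudo_denials() {
    grep -c -E '^type=AVC .*scontext=[^ ]*:sysadm_sudo_t:' || true
}

# check_samples: run the filter over the three constructed records.
# Exactly one of them (SAMPLE_DENIAL) should be counted.
check_samples() {
    printf '%s\n' "$SAMPLE_DENIAL" "$SAMPLE_OTHER" "$SAMPLE_CLEAN" | count_sysadm_sudo_denials
}

# setup_sysadm_user: the three setup commands from the report. Needs root.
setup_sysadm_user() {
    useradd -G wheel -Z sysadm_u sysadm
    echo redhat | passwd --stdin sysadm
    setsebool -P ssh_sysadm_login=on
}

# verify_sudo_dnf: log in over ssh as the report does, run dnf under sudo,
# then count sysadm_sudo_t denials logged since the time mark.
# Returns 0 only if dnf succeeded and no such denial was recorded.
# sshpass, sudo -S and dnf -y are additions so this runs unattended.
verify_sudo_dnf() {
    local mark denials
    mark=$(date '+%H:%M:%S')
    sshpass -p redhat ssh -o StrictHostKeyChecking=no sysadm@localhost \
        'id -Z; echo redhat | sudo -S dnf -y update' || return 1
    denials=$(ausearch -m AVC -ts "$mark" 2>/dev/null | count_sysadm_sudo_denials)
    [ "$denials" -eq 0 ]
}

# Run the privileged reproduction only as root on an SELinux host; otherwise
# just exercise the denial filter on the constructed samples.
if [ "$(id -u)" -eq 0 ] && command -v getenforce >/dev/null 2>&1; then
    id sysadm >/dev/null 2>&1 || setup_sysadm_user
    if verify_sudo_dnf; then
        echo "PASS: sudo dnf succeeded with no sysadm_sudo_t denials"
    else
        echo "FAIL: sudo dnf failed or sysadm_sudo_t denials were logged"
    fi
else
    echo "sysadm_sudo_t denials in constructed samples: $(check_samples)"
fi
```

      On an unfixed host the ssh step fails with the rpmdb open error shown under Actual results, and `ausearch` typically shows the denial against the rpm database as well; after the fixed selinux-policy is installed, `verify_sudo_dnf` should return 0. Note that `setsebool -P ssh_sysadm_login=on` is required for the ssh login of a sysadm_u user and is persistent, so revert it after testing if the host does not otherwise need it.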

              Zdenek Pytela (rhn-support-zpytela)
              Renaud Métrich (rhn-support-rmetrich)
              Milos Malik
              Jan Fiala