- Bug
- Resolution: Won't Do
- Normal
- rhel-8.5.0
- selinux-policy-3.14.3-116.el8
- Moderate
- rhel-security-selinux
- ssg_security
- Automated
- Release Note Not Required
- All
- 57,005
This bug was initially created as a copy of Bug #2039658
I am copying this bug because:
Also applies to RHEL8
Description of problem:
Confined users mapped to sysadm_u SELinux user cannot execute "service xxx status" or "service xxx restart" commands, as shown in the examples below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[sysadm@vm-confined8 ~]$ service foo status
env: /etc/init.d/foo: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
The root cause is missing rules to allow the transition to initrc_t to happen when "service" internally executes /etc/rc.d/init.d/xxx script.
Note: on RHEL7 (BZ #2039658) adding a rule was sufficient to make this work (see the "Additional info" in the BZ), but that doesn't seem to be the case on RHEL8.
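The report states the root cause as a missing transition into initrc_t when "service" executes the initscript. The following script is an added diagnostic, not part of the bug report or of selinux-policy: it reads the script's file label with "ls -Z" and queries the loaded policy with setools' "sesearch" for the two facts that decide the outcome for a sysadm_u user (whose login domain is assumed to be sysadm_t): whether sysadm_t may execute the file type at all, and whether an automatic type_transition from sysadm_t through that type into initrc_t exists. The sample "ls -Z" and "sesearch" lines embedded in it are constructed for illustration and only exercise the text-parsing helpers.

```shell
#!/bin/sh
# Added diagnostic for the report above; not part of the bug or of selinux-policy.
# For a SysV initscript path, print the three facts that decide whether a
# sysadm_u (assumed domain sysadm_t) user can run it through "service":
#   1. the file's SELinux type (restorecon -F should give initrc_exec_t),
#   2. whether policy allows sysadm_t to execute that type, and
#   3. whether policy defines the automatic transition sysadm_t -> initrc_t.
# "sesearch" comes from setools; the parsing helpers below work on plain text,
# so they can be exercised on a machine without SELinux.

# Third field of the security context in an "ls -Z" line, e.g.
# "system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/foo" -> initrc_exec_t
selinux_type_of() {
    printf '%s\n' "$1" | awk '{ split($1, ctx, ":"); print ctx[3] }'
}

# True if the sesearch listing $1 lets domain $2 execute files of type $3.
# Line shape (setools 4): "allow sysadm_t initrc_exec_t:file { execute ... };"
allows_execute() {
    printf '%s\n' "$1" | grep -E "^allow $2 $3:file .*[{ ]execute[ };]" >/dev/null
}

# True if the sesearch listing $1 contains the transition $2 --($3)--> $4.
# Line shape: "type_transition sysadm_t initrc_exec_t:process initrc_t;"
has_transition() {
    printf '%s\n' "$1" | grep -F "type_transition $2 $3:process $4;" >/dev/null
}

# Constructed sample output used to exercise the helpers (not from a real host).
SAMPLE_OK='allow sysadm_t initrc_exec_t:file { execute getattr open read };
type_transition sysadm_t initrc_exec_t:process initrc_t;'
SAMPLE_NO_TRANSITION='allow sysadm_t initrc_exec_t:file { execute getattr open read };'
SAMPLE_LS='system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/foo'

# Query the live policy for one script; prints findings, exit 0 only if
# the label is right, execute is allowed and the transition is defined.
diagnose() {
    script=$1
    ctx_line=$(ls -Z "$script") || return 1
    ftype=$(selinux_type_of "$ctx_line")
    echo "label:      $ftype"
    [ "$ftype" = initrc_exec_t ] || echo "warning: expected initrc_exec_t; try restorecon -Fv $script"

    rules=$(sesearch -A -s sysadm_t -t "$ftype" -c file -p execute
            sesearch -T -s sysadm_t -t "$ftype" -c process) || return 1

    status=0
    if allows_execute "$rules" sysadm_t "$ftype"; then
        echo "execute:    allowed for sysadm_t"
    else
        echo "execute:    NOT allowed for sysadm_t"; status=1
    fi
    if has_transition "$rules" sysadm_t "$ftype" initrc_t; then
        echo "transition: sysadm_t -> initrc_t defined"
    else
        echo "transition: NONE (sysadm_t would stay in its own domain)"; status=1
    fi
    return $status
}

# Usage: sh diagnose-initscript.sh /etc/rc.d/init.d/foo
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

The script only reports; it changes neither labels nor policy. Because the reporter saw "Permission denied" with no AVC, it is worth remembering that dontaudit rules can hide the relevant denial: "semodule -DB" rebuilds the policy with dontaudit rules disabled while reproducing, and "semodule -B" restores them afterwards.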
Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-80.el8_5.2.noarch
How reproducible:
Always
Steps to Reproduce:
1. Map a user to sysadm_u
2. Create a SysV initscript /etc/rc.d/init.d/foo
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/bin/sh
#
# foo: FOO SysV initscript
# chkconfig: 345 97 03
case "$1" in
    start)
        echo "START called"
        ;;
    stop)
        echo "STOP called"
        ;;
    restart)
        echo "RESTART called"
        ;;
    status)
        echo "STATUS called"
        ;;
    reload)
        echo "RELOAD called"
        ;;
    *)
        exit 2
esac
exit 0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
3. Make it executable and a proper SysV initscript
- chmod +x /etc/rc.d/init.d/foo
- restorecon -Fv /etc/rc.d/init.d/foo
4. Try executing "service foo status" command
Actual results:
No AVC, but Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
env: ‘/etc/init.d/foo’: Permission denied
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Expected results:
Proper execution
Additional info:
SysV initscripts are still supposed to work fine on RHEL8, per /etc/rc.d/init.d/README note.
Note that "service xxx status" can differ from "systemctl status xxx" for SysV initscripts: it depends on the SysV initscript implementation, e.g. "service network status" output is different from "systemctl status network".
Hence using "systemctl status xxx" cannot be considered a workaround.