Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-24946

Cannot execute "tlog-rec" as a confined user [rhel-9]

XMLWordPrintable

    • selinux-policy-38.1.32-1.el9
    • None
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security
    • 25
    • None
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • None
    • Hide

      When a confined user executes the tlog-rec command, it does not produce any failed messages.

      Show
      When a confined user executes the tlog-rec command, it does not produce any failed messages.
    • Pass
    • Automated
    • Release Note Not Required
    • None

      What were you trying to do that didn't work?

      Trying to execute tlog-rec as a confined user, there is no AVC but the command is failing to spawn the command being recorded:

      [staff@vm-rhel8 ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

[staff@vm-rhel8 ~]$ tlog-rec -o log.out echo hello
Locale charset is ANSI_X3.4-1968 (ASCII)
Assuming locale environment is lost and charset is UTF-8
Failed adding a utmp record
Success
Failed removing utmp record
Failed setting up the I/O tap

      There is no AVC because of a dontaudit rule:

      term_dontaudit_use_ptmx(utempter_t)

      This rule has to be removed from the policy and the proper rule be added, since it's required to let utempter_t write/read/getattr on the ptmx, by design:

      term_use_ptmx(utempter_t)

      Please provide the package NVR for which bug is seen:

      RHEL8, RHEL9 and Upstream policy.

      How reproducible:

      Always, see above.

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: