[RHEL-31888] Confined user cannot list/edit a crontab via sudo [rhel-9]

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.4
Component/s: selinux-policy
Labels:
- confined-users

Fixed in Build:
selinux-policy-38.1.41-1.el9
Regression:
None
Severity:
Moderate
Epic Link:
SELINUX-3400

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Internal Target Milestone:
20
Story Points:
None
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
None

Acceptance Criteria:

Hide

Confined user (derived from staff_u) can successfully run `crontab -l` and `crontab -e` and `crontab -r` via `sudo -u`. No SELinnux denials should be triggered during the run.

Show
Confined user (derived from staff_u) can successfully run `crontab -l` and `crontab -e` and `crontab -r` via `sudo -u`. No SELinnux denials should be triggered during the run.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/130707
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.SELinux policy allows `staff_r` confined users to run `sudo crontab`

Previously, the SELinux policy did not contain rules to allow confined users to run the `sudo crontab` command. As a consequence, confined users in the `staff_r` role could not use `sudo crontab` to edit other users' `crontab` schedules. This update adds a rule to the policy, and as a result, `staff_r` users can use `sudo crontab` to edit other users' `crontab` schedules.

Show
.SELinux policy allows `staff_r` confined users to run `sudo crontab` Previously, the SELinux policy did not contain rules to allow confined users to run the `sudo crontab` command. As a consequence, confined users in the `staff_r` role could not use `sudo crontab` to edit other users' `crontab` schedules. This update adds a rule to the policy, and as a result, `staff_r` users can use `sudo crontab` to edit other users' `crontab` schedules.
Release Note Status:
Done

Experience:
Architecture:

All
Bugzilla Bug:
RHBZ: 2223288

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Description of problem:

There are multiple issues happening when a confined user to "staff_u" tries to edit the cron of another user through some sudo rule.

1. "sudo -u USER crontab -l" fails

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

$ sudo -u <USER> crontab -l
'/var/spool/cron' is not a directory, bailing out.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens because /var/spool/cron is not readable by staff_sudo_t, the context used when executing "crontab -l" because of the absence of transition to "crontab_t" due to using "sudo crontab" command.
Strace shows:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
4434 [staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023] 10:30:21.103895 execve("/bin/crontab" [system_u:object_r:crontab_exec_t:s0], ["crontab", "-l"] ...
[...]
4434 [staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023] 10:30:21.134230 stat("/var/spool/cron" [system_u:object_r:user_cron_spool_t:s0], 0x7ffc16aac270) = -1 EACCES (Permission denied)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is a bug, IMHO there should be the transition to crontab_t when executing the command, it should not execute as "staff_sudo_t" at all.

2. "sudo -u USER -i crontab -l" fails silently and produces AVCs

This happens when `Defaults use_pty` is used in the sudo configuration.

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

$ sudo -u <USER> -i crontab -l
$
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(07/17/2023 10:38:01.277:528) : proctitle=crontab -l
type=EXECVE msg=audit(07/17/2023 10:38:01.277:528) : argc=2 a0=crontab a1=-l
type=SYSCALL msg=audit(07/17/2023 10:38:01.277:528) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561829ebdd40 a1=0x561829ea0cd0 a2=0x561829ebf400 a3=0x8 items=0 ppid=4553 pid=4554 auid=staff uid=USER gid=USER euid=root suid=root fsuid=root egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=crontab exe=/usr/bin/crontab subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied

{ read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write }

for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied

for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Due to using "sudo -i", the transition to "crontab_t" happens when executing the command.
Unfortunately "crontab_t" cannot read/write on the pseudo tty allocated by sudo.

3. "sudo -u <USER> -i" then "crontab -e" fails silently after some timeout and produces AVCs

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

$ sudo -u USER -i
$ crontab -e
<long delay then exits silently>
$
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

AVC:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(07/17/2023 10:42:32.287:551) : proctitle=vim /tmp/crontab.wTBQAP
type=SYSCALL msg=audit(07/17/2023 10:42:32.287:551) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55a601568060 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=0 ppid=4805 pid=4807 auid=staff uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=vim exe=/usr/bin/vim subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(07/17/2023 10:42:32.287:551) : avc: denied

{ write }

for pid=4807 comm=vim name=USER dev="dm-0" ino=16967532 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens when vim, executing as "crontab_t" and used as default editor for "crontab -e" tries to write its /home/USER/.viminfo file.
Due to not being able to read the user's home directory. This is NOT related to "use_pty".

Version-Release number of selected component (if applicable):
selinux-policy-38.1.33-1.el9.noarch
selinux-policy-targeted-38.1.33-1.el9.noarch

How reproducible:

Always

Steps to Reproduce:
1. Add "Defaults use_pty" to /etc/sudoers
2. Let a user mapped to "staff_u" sudo to the target user "USER"

cat /etc/sudoers.d/staff
staff ALL = (USER) NOPASSWD: ALL

3. Execute various scenarios above

Actual results:

Failures

Expected results:

No failures

clones

RHEL-1388 Confined user cannot list/edit a crontab through sudo'ing

Closed

is cloned by

RHEL-56349 Confined user cannot list/edit a crontab via sudo [rhel-10]

Release Pending

links to

RHBA-2024:130707 selinux-policy bug fix and enhancement update

TCMS Test Case 617165

Milos Malik created issue - 2024/04/05 9:56 AM

Milos Malik made changes - 2024/04/05 9:56 AM

Link

New: This issue clones ~~RHEL-1388~~ [ ~~RHEL-1388~~ ]

RHEL Jira bot made changes - 2024/04/05 9:56 AM

Status

Original: New [ 10016 ]

New: Planning [ 13521 ]

Milos Malik made changes - 2024/04/05 9:57 AM

Labels

Original: AutoVerified MigratedToJIRA Triaged

Milos Malik made changes - 2024/04/05 9:57 AM

Affects Version/s		New: rhel-9.4 [ 12407281 ]
Affects Version/s	Original: rhel-8.8.0 [ 12392170 ]

Milos Malik made changes - 2024/04/05 9:57 AM

Fixed in Build

Original: selinux-policy-3.14.3-137.el8

Milos Malik made changes - 2024/04/05 9:58 AM

ACKs Check	Original: QE ack,Dev ack [ 31163, 31165 ]	New: QE ack [ 31163 ]
Fix Version/s	Original: rhel-8.10 [ 12407280 ]
Internal Target Milestone	Original: 26 [ 27975 ]
Target end	Original: 2024/02/26

Milos Malik made changes - 2024/04/05 9:58 AM

Preliminary Testing

Original: Pass [ 34174 ]

Milos Malik made changes - 2024/04/05 9:58 AM

Errata Link

Original: https://errata.engineering.redhat.com/advisory/121335

Milos Malik made changes - 2024/04/05 10:00 AM

Remote Link

New: This issue links to "TCMS Test Case 617165 (Web Link)" [ 1602367 ]

Milos Malik made changes - 2024/04/05 10:05 AM

Description

Original: Description of problem:

There are multiple issues happening when a confined user to "staff_u" tries to edit the cron of another user through some sudo rule.

1. "sudo -u USER crontab -l" fails

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ sudo -u <USER> crontab -l
  '/var/spool/cron' is not a directory, bailing out.
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  This happens because /var/spool/cron is not readable by staff_sudo_t, the context used when executing "crontab -l" because of the absence of transition to "crontab_t" due to using "sudo crontab" command.
  Strace shows:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  4434 [staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023] 10:30:21.103895 execve("/bin/crontab" [system_u:object_r:crontab_exec_t:s0], ["crontab", "-l"] ...
  [...]
  4434 [staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023] 10:30:21.134230 stat("/var/spool/cron" [system_u:object_r:user_cron_spool_t:s0], 0x7ffc16aac270) = -1 EACCES (Permission denied)
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  This is a bug, IMHO there should be the transition to crontab_t when executing the command, it should not execute as "staff_sudo_t" at all.

2. "sudo -u USER -i crontab -l" fails silently and produces AVCs

  This happens when `Defaults use_pty` is used in the sudo configuration.

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ sudo -u <USER> -i crontab -l
  $
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  AVC:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  type=PROCTITLE msg=audit(07/17/2023 10:38:01.277:528) : proctitle=crontab -l
  type=EXECVE msg=audit(07/17/2023 10:38:01.277:528) : argc=2 a0=crontab a1=-l
  type=SYSCALL msg=audit(07/17/2023 10:38:01.277:528) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561829ebdd40 a1=0x561829ea0cd0 a2=0x561829ebf400 a3=0x8 items=0 ppid=4553 pid=4554 auid=staff uid=USER gid=USER euid=root suid=root fsuid=root egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=crontab exe=/usr/bin/crontab subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  Due to using "sudo -i", the transition to "crontab_t" happens when executing the command.
  Unfortunately "crontab_t" cannot read/write on the pseudo tty allocated by sudo.

3. "sudo -u <USER> -i" then "crontab -e" fails silently after some timeout and produces AVCs

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ sudo -u USER -i
  $ crontab -e
  <long delay then exits silently>
  $
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  AVC:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  type=PROCTITLE msg=audit(07/17/2023 10:42:32.287:551) : proctitle=vim /tmp/crontab.wTBQAP
  type=SYSCALL msg=audit(07/17/2023 10:42:32.287:551) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55a601568060 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=0 ppid=4805 pid=4807 auid=staff uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=vim exe=/usr/bin/vim subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(07/17/2023 10:42:32.287:551) : avc: denied { write } for pid=4807 comm=vim name=USER dev="dm-0" ino=16967532 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  This happens when vim, executing as "crontab_t" and used as default editor for "crontab -e" tries to write its /home/USER/.viminfo file.
  Due to not being able to read the user's home directory. This is NOT related to "use_pty".

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-117.el8_8.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Add "Defaults use_pty" to /etc/sudoers
2. Let a user mapped to "staff_u" sudo to the target user "USER"

  # cat /etc/sudoers.d/staff
  staff ALL = (USER) NOPASSWD: ALL

3. Execute various scenarios above

Actual results:

Failures

Expected results:

No failures

New: Description of problem:

There are multiple issues happening when a confined user to "staff_u" tries to edit the cron of another user through some sudo rule.

1. "sudo -u USER crontab -l" fails

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ sudo -u <USER> crontab -l
  '/var/spool/cron' is not a directory, bailing out.
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  This happens because /var/spool/cron is not readable by staff_sudo_t, the context used when executing "crontab -l" because of the absence of transition to "crontab_t" due to using "sudo crontab" command.
  Strace shows:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  4434 [staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023] 10:30:21.103895 execve("/bin/crontab" [system_u:object_r:crontab_exec_t:s0], ["crontab", "-l"] ...
  [...]
  4434 [staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023] 10:30:21.134230 stat("/var/spool/cron" [system_u:object_r:user_cron_spool_t:s0], 0x7ffc16aac270) = -1 EACCES (Permission denied)
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  This is a bug, IMHO there should be the transition to crontab_t when executing the command, it should not execute as "staff_sudo_t" at all.

2. "sudo -u USER -i crontab -l" fails silently and produces AVCs

  This happens when `Defaults use_pty` is used in the sudo configuration.

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ sudo -u <USER> -i crontab -l
  $
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  AVC:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  type=PROCTITLE msg=audit(07/17/2023 10:38:01.277:528) : proctitle=crontab -l
  type=EXECVE msg=audit(07/17/2023 10:38:01.277:528) : argc=2 a0=crontab a1=-l
  type=SYSCALL msg=audit(07/17/2023 10:38:01.277:528) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x561829ebdd40 a1=0x561829ea0cd0 a2=0x561829ebf400 a3=0x8 items=0 ppid=4553 pid=4554 auid=staff uid=USER gid=USER euid=root suid=root fsuid=root egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=crontab exe=/usr/bin/crontab subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  type=AVC msg=audit(07/17/2023 10:38:01.277:528) : avc: denied { read write } for pid=4554 comm=crontab path=/dev/pts/3 dev="devpts" ino=6 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:devpts_t:s0 tclass=chr_file permissive=0
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  Due to using "sudo -i", the transition to "crontab_t" happens when executing the command.
  Unfortunately "crontab_t" cannot read/write on the pseudo tty allocated by sudo.

3. "sudo -u <USER> -i" then "crontab -e" fails silently after some timeout and produces AVCs

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  $ id -Z
  staff_u:staff_r:staff_t:s0-s0:c0.c1023

  $ sudo -u USER -i
  $ crontab -e
  <long delay then exits silently>
  $
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  AVC:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  type=PROCTITLE msg=audit(07/17/2023 10:42:32.287:551) : proctitle=vim /tmp/crontab.wTBQAP
  type=SYSCALL msg=audit(07/17/2023 10:42:32.287:551) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55a601568060 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW a3=0x180 items=0 ppid=4805 pid=4807 auid=staff uid=USER gid=USER euid=USER suid=USER fsuid=USER egid=USER sgid=USER fsgid=USER tty=(none) ses=13 comm=vim exe=/usr/bin/vim subj=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 key=(null)
  type=AVC msg=audit(07/17/2023 10:42:32.287:551) : avc: denied { write } for pid=4807 comm=vim name=USER dev="dm-0" ino=16967532 scontext=staff_u:staff_r:crontab_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  This happens when vim, executing as "crontab_t" and used as default editor for "crontab -e" tries to write its /home/USER/.viminfo file.
  Due to not being able to read the user's home directory. This is NOT related to "use_pty".

Version-Release number of selected component (if applicable):
selinux-policy-38.1.33-1.el9.noarch
selinux-policy-targeted-38.1.33-1.el9.noarch

How reproducible:

Always

Steps to Reproduce:
1. Add "Defaults use_pty" to /etc/sudoers
2. Let a user mapped to "staff_u" sudo to the target user "USER"

  # cat /etc/sudoers.d/staff
  staff ALL = (USER) NOPASSWD: ALL

3. Execute various scenarios above

Actual results:

Failures

Expected results:

No failures

Zdenek Pytela made changes - 2024/04/05 7:19 PM

Fix Version/s		New: rhel-9.5 [ 12414808 ]
Internal Target Milestone		New: 10 [ 27959 ]

Watson Automation made changes - 2024/04/05 7:19 PM

Target end

New: 2024/05/06

Raju Anumula made changes - 2024/04/23 8:59 AM

Workflow

Original: RHEL in Jira [ 25253855 ]

New: Copy 3 of RHEL in Jira [ 25389983 ]

Raju Anumula made changes - 2024/04/23 9:08 AM

Workflow

Original: Copy 3 of RHEL in Jira [ 25389983 ]

New: RHEL in Jira [ 25416376 ]

Jan Fiala made changes - 2024/05/03 10:33 AM

Doc Contact

New: Jan Fiala [ jafiala ]

Zdenek Pytela made changes - 2024/05/06 3:55 PM

Internal Target Milestone

Original: 10 [ 27959 ]

New: 11 [ 27960 ]

Watson Automation made changes - 2024/05/06 3:55 PM

Target end

Original: 2024/05/06

New: 2024/05/13

Zdenek Pytela made changes - 2024/05/07 3:50 PM

Epic Link

New: SELINUX-3400 [ 15853388 ]

Zdenek Pytela made changes - 2024/05/07 8:11 PM

Status

Original: Planning [ 13521 ]

New: In Progress [ 10018 ]

Zdenek Pytela made changes - 2024/05/07 11:20 PM

Status

Original: In Progress [ 10018 ]

New: Integration [ 18721 ]

OSCI Bot made changes - 2024/05/07 11:34 PM

Fixed in Build

New: selinux-policy-38.1.37-1.el9

Milos Malik made changes - 2024/05/09 7:28 AM

Preliminary Testing

New: Pass [ 34174 ]

Errata Tool made changes - 2024/05/09 10:13 AM

Errata Link

New: https://errata.engineering.redhat.com/advisory/130707

Errata Tool made changes - 2024/05/09 10:13 AM

Remote Link

New: This issue links to "~~RHBA-2024~~:130707 (Web Link)" [ 1633595 ]

Jan Fiala made changes - 2024/05/14 8:29 AM

Release Note Text

Original: Cause (the user action or circumstances that trigger the bug):
policy does not contain rules to allow confined users run sudo crontab
Consequence (what the user experience is when the bug occurs):
confined user in the staff_r role cannot use sudo crontab to edit other users crontabs
Fix (what has changed to fix the bug; do not include overly technical details):
a rule was added to the policy
Result (what happens now that the patch is applied):
confined user in the staff_r role can use sudo crontab to edit other users crontabs

New: .SELinux policy allows `staff_r` confined users to run `sudo crontab`

Previously, the SELinux policy did not contain rules to allow confined users to run the `sudo crontab` command. As a consequence, confined users in the `staff_r` role could not use `sudo crontab` to edit other users' `crontab` schedules. This update adds a rule to the policy, and as a result, `staff_r` users can use `sudo crontab` to edit other users' `crontab` schedules.

Jan Fiala made changes - 2024/05/14 8:30 AM

Release Note Status

Original: Proposed [ 30959 ]

New: Done [ 30963 ]

Milos Malik made changes - 2024/05/16 2:13 PM

Internal Target Milestone

Original: 11 [ 27960 ]

New: 12 [ 27961 ]

Watson Automation made changes - 2024/05/16 2:13 PM

Target end

Original: 2024/05/13

New: 2024/05/20

Milos Malik made changes - 2024/05/27 11:47 AM

Internal Target Milestone

Original: 12 [ 27961 ]

New: 14 [ 27963 ]

Watson Automation made changes - 2024/05/27 11:47 AM

Target end

Original: 2024/05/20

New: 2024/06/03

Milos Malik made changes - 2024/06/03 12:44 PM

Internal Target Milestone

Original: 14 [ 27963 ]

New: 15 [ 27964 ]

Watson Automation made changes - 2024/06/03 12:44 PM

Target end

Original: 2024/06/03

New: 2024/06/10

Milos Malik made changes - 2024/06/10 9:14 AM

Internal Target Milestone

Original: 15 [ 27964 ]

New: 16 [ 27965 ]

Watson Automation made changes - 2024/06/10 9:14 AM

Target end

Original: 2024/06/10

New: 2024/06/17

Milos Malik made changes - 2024/06/17 6:10 AM

Internal Target Milestone

Original: 16 [ 27965 ]

New: 17 [ 27966 ]

Watson Automation made changes - 2024/06/17 6:11 AM

Target end

Original: 2024/06/17

New: 2024/06/24

Milos Malik made changes - 2024/06/17 1:34 PM

Test Coverage

Original: Yes [ 31555 ]

New: Automated [ 38950 ]

Zdenek Pytela made changes - 2024/06/18 8:10 PM

Internal Target Milestone

Original: 17 [ 27966 ]

New: 19 [ 27968 ]

Watson Automation made changes - 2024/06/18 8:10 PM

Target end

Original: 2024/06/24

New: 2024/07/08

Juraj Marcin made changes - 2024/07/01 7:56 AM

Assignee

Original: Juraj Marcin [ rh-ee-jmarcin ]

New: Zdenek Pytela [ rhn-support-zpytela ]

Milos Malik made changes - 2024/07/08 7:36 AM

Internal Target Milestone

Original: 19 [ 27968 ]

New: 20 [ 27969 ]

Watson Automation made changes - 2024/07/08 7:36 AM

Target end

Original: 2024/07/08

New: 2024/07/15

OSCI Bot made changes - 2024/07/08 12:52 PM

Fixed in Build

Original: selinux-policy-38.1.37-1.el9

New: | selinux-policy-38.1.41-1.el9

Milos Malik made changes - 2024/07/08 1:32 PM

Fixed in Build

Original: | selinux-policy-38.1.41-1.el9

New: selinux-policy-38.1.41-1.el9

Milos Malik made changes - 2024/07/11 7:55 AM

Status

Original: Integration [ 18721 ]

New: Release Pending [ 15735 ]

Zdenek Pytela made changes - 2024/07/12 6:41 PM

Labels

New: confined-users

Milos Malik made changes - 2024/08/28 8:38 AM

Link

New: This issue is cloned by RHEL-56349 [ RHEL-56349 ]

Jenny Severance made changes - 2024/09/06 12:26 PM

Severity

Original: Normal [ 15655 ]

New: <img alt="" src="/images/icons/priorities/medium.svg" width="16" height="16"> Medium [ 40352 ]

Allison King made changes - 2024/09/23 4:36 PM

Severity

Original: Medium [ 40352 ]

New: Moderate [ 26752 ]

Errata Tool made changes - 2024/11/12 9:38 AM

Release Date

New: 2024/11/12

Errata Tool made changes - 2024/11/12 9:38 AM

Resolution		New: Done-Errata [ 10803 ]
Status	Original: Release Pending [ 15735 ]	New: Closed [ 6 ]

Assignee:: Zdenek Pytela

Reporter:: Renaud Métrich

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/04/05 9:56 AM

Updated:: 2024/11/12 9:38 AM

Resolved:: 2024/11/12 9:38 AM

Target end:: 2024/07/15

Release Date:: 2024/11/12

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates