Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-47241

[rhel-9] tlog lock files can't be created by confined SELinux users

XMLWordPrintable

    • rhel-sst-security-selinux
    • ssg_security
    • 1
    • QE ack
    • False
    • Hide

      None

      Show
      None
    • No
    • Red Hat Enterprise Linux
    • None
    • Hide

      Session recording works for confined users. The tlog-rec-session program executed by confined users does not trigger SELinux denials.

      Show
      Session recording works for confined users. The tlog-rec-session program executed by confined users does not trigger SELinux denials.
    • None
    • Automated
    • Unspecified Release Note Type - Unknown
    • Unspecified
    • None

      What were you trying to do that didn't work?

      My user is mapped to staff_u. I have session recording enabled. When I log in to the system I see:

      Permission denied
Failed creating lock file /var/run/tlog/session.19.lock

      Please provide the package NVR for which bug is seen:

      selinux-policy-38.1.40-1.el9.noarch
      selinux-policy-targeted-38.1.40-1.el9.noarch
      tlog-14-1.el9.x86_64

      How reproducible:

      Very

      Steps to reproduce

      1. Enable session recording 
        ==> /etc/sssd/conf.d/session-recording.conf <==
[session_recording]
scope = all
      2. Restart sssd
      3. Create a user mapped to staff_u
      4. Log in as the user

      Expected results

      No error messages when logging in

      Actual results

      Messages printed when logging in:

      Permission denied
Failed creating lock file /var/run/tlog/session.19.lock

      AVC denial:

      ----
type=PROCTITLE msg=audit(04/07/24 10:14:49.421:4531) : proctitle=-tlog-rec-session 
type=SYSCALL msg=audit(04/07/24 10:14:49.421:4531) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x5607c9989f70 a2=O_RDONLY|O_CREAT|O_EXCL a3=0x180 items=0 ppid=598207 pid=598208 auid=sam uid=sam gid=sam euid=tlog suid=tlog fsuid=tlog egid=tlog sgid=tlog fsgid=tlog tty=pts4 ses=19 comm=tlog-rec-sessio exe=/usr/bin/tlog-rec-session subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/07/24 10:14:49.421:4531) : avc:  denied  { create } for  pid=598208 comm=tlog-rec-sessio name=session.19.lock scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_run_t:s0 tclass=file permissive=0
----

              rhn-support-zpytela Zdenek Pytela
              staticyrro7 Sam Morris
              Zdenek Pytela Zdenek Pytela
              Milos Malik Milos Malik
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: