Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Minor
Fix Version/s: rhel-10.0
Affects Version/s: rhel-10.0.beta
Component/s: selinux-policy
Labels:

Regression:
None
Severity:
None
Epic Link:
SELINUX-3594

Pool Team:

rhel-sst-security-selinux
Sub-System Group:

ssg_security

Story Points:
1
ACKs Check:

QE ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Products:

Red Hat Enterprise Linux
Sprint:
None

Acceptance Criteria:

Hide

Session recording works for confined users. The tlog-rec-session program executed by confined users does not trigger SELinux denials.

Show
Session recording works for confined users. The tlog-rec-session program executed by confined users does not trigger SELinux denials.
Preliminary Testing:
None
Test Coverage:

Automated

Release Note Type:
Unspecified Release Note Type - Unknown

Architecture:

Unspecified

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?

When users are mapped to staff_u or user_u and session recording is enabled then their login triggers error messages:

Permission denied
Failed creating lock file /var/run/tlog/session.210.lock
Assuming session was unlocked

ATTENTION! Your session is being recorded!

Failed adding a utmp record
Success
Failed removing utmp record
Failed setting up the I/O tap
No such file or directory
Failed removing lock file /var/run/tlog/session.210.lock
Ignoring non-existent lock file

Please provide the package NVR for which bug is seen:

tlog-14-2.el10.x86_64
selinux-policy-40.13.7-1.el10.noarch
selinux-policy-targeted-40.13.7-1.el10.noarch

How reproducible:

Very

Steps to reproduce

Enable session recording

==> /etc/sssd/conf.d/session-recording.conf <==
[session_recording]
scope = all

Restart sssd
Create a user mapped to staff_u
Log in as the user

Expected results

No error messages when logging in

Actual results

Messages printed when logging in:

Permission denied
Failed creating lock file /var/run/tlog/session.19.lock

AVC denial:

----
type=PROCTITLE msg=audit(08/28/2024 03:37:33.730:12498) : proctitle=tlog-rec-session -c id 
type=PATH msg=audit(08/28/2024 03:37:33.730:12498) : item=0 name=/var/run/tlog/ inode=1753 dev=00:1a mode=dir,755 ouid=tlog ogid=tlog rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/28/2024 03:37:33.730:12498) : cwd=/home/user29435 
type=SYSCALL msg=audit(08/28/2024 03:37:33.730:12498) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55e268b85320 a2=O_RDONLY|O_CREAT|O_EXCL a3=0x180 items=1 ppid=495246 pid=495247 auid=user29435 uid=user29435 gid=user29435 euid=tlog suid=tlog fsuid=tlog egid=tlog sgid=tlog fsgid=tlog tty=pts2 ses=209 comm=tlog-rec-sessio exe=/usr/bin/tlog-rec-session subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(08/28/2024 03:37:33.730:12498) : avc:  denied  { create } for  pid=495247 comm=tlog-rec-sessio name=session.209.lock scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:var_run_t:s0 tclass=file permissive=0 
----
type=PROCTITLE msg=audit(08/28/2024 03:37:36.228:12544) : proctitle=tlog-rec-session -c id 
type=PATH msg=audit(08/28/2024 03:37:36.228:12544) : item=0 name=/var/run/tlog/ inode=1753 dev=00:1a mode=dir,755 ouid=tlog ogid=tlog rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(08/28/2024 03:37:36.228:12544) : cwd=/home/user9854 
type=SYSCALL msg=audit(08/28/2024 03:37:36.228:12544) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55ec324cd320 a2=O_RDONLY|O_CREAT|O_EXCL a3=0x180 items=1 ppid=495471 pid=495472 auid=user9854 uid=user9854 gid=user9854 euid=tlog suid=tlog fsuid=tlog egid=tlog sgid=tlog fsgid=tlog tty=pts2 ses=210 comm=tlog-rec-sessio exe=/usr/bin/tlog-rec-session subj=user_u:user_r:user_t:s0 key=(null) 
type=AVC msg=audit(08/28/2024 03:37:36.228:12544) : avc:  denied  { create } for  pid=495472 comm=tlog-rec-sessio name=session.210.lock scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:var_run_t:s0 tclass=file permissive=0 
----

clones

RHEL-47241 [rhel-9] tlog lock files can't be created by confined SELinux users

Planning

links to

TCMS Test Case 602265

Assignee:: Zdenek Pytela

Reporter:: Sam Morris

Developer:: Zdenek Pytela

QA Contact:: Milos Malik

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/08/28 8:09 AM

Updated:: 2024/10/23 2:58 PM

Details

Description

What were you trying to do that didn't work?

Please provide the package NVR for which bug is seen:

How reproducible:

Steps to reproduce

Expected results

Actual results

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates