RHEL-57604

Confined sysadm cannot execute "sudo tcpdump" command [rhel-10]

    • None
    • Moderate
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 11
    • 1
    • QE ack
    • False
    • None
    • No
    • Red Hat Enterprise Linux
    • SELINUX 241016 - 241106
    • System administrator that is confined by SELinux (sysadm_u) can successfully run the tcpdump command via sudo. No SELinux denials are triggered during the run.
    • None
    • Automated
    • Bug Fix
    • .SELinux policy contains rules for additional services and applications

      This version of the `selinux-policy` package contains additional rules. Most notably, users in the `sysadm_r` role can execute the following commands:

      * `sudo traceroute` (RHEL-14077)
      * `sudo tcpdump` (RHEL-15432)
    • Proposed
    • None

      What were you trying to do that didn't work?

      Users mapped to sysadm_u cannot execute the `sudo tcpdump` command because `tcpdump` executes in the `sysadm_sudo_t` context due to a missing transition rule.

      Please provide the package NVR for which bug is seen:

      selinux-policy-40.13.9-1.el10.noarch
      selinux-policy-devel-40.13.9-1.el10.noarch
      selinux-policy-targeted-40.13.9-1.el10.noarch
      tcpdump-4.99.4-9.el10.x86_64

      How reproducible:

      Always

      Steps to reproduce

      1. Execute `sudo tcpdump` from a confined user mapped to `sysadm_u`

      Expected results

      • tcpdump produces an output
      • no SELinux denials appear

      Actual results

      • tcpdump produces no output
      • SELinux denials appear

              rhn-support-zpytela Zdenek Pytela
              rhn-support-rmetrich Renaud Métrich
              Nikola Kňažeková Nikola Kňažeková (Inactive)
              Milos Malik Milos Malik
              Jan Fiala Jan Fiala