Bug 233313 - LSPP: sysadm_r gets permission denied when using netlabelctl
Summary: LSPP: sysadm_r gets permission denied when using netlabelctl
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-03-21 15:43 UTC by Loulwa Salem
Modified: 2018-10-19 22:43 UTC

Fixed In Version: RHBA-2007-0544
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-11-07 16:38:39 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0544 normal SHIPPED_LIVE selinux-policy bug fix update 2007-11-08 14:16:49 UTC

Description Loulwa Salem 2007-03-21 15:43:29 UTC
Description of problem:
when sysadm_r tries to execute any netlabelctl command it gets a permission 

Version-Release number of selected component (if applicable):
I am running the lspp.69 and the latest policy-45 and openssh-20 (basically the system is up to date from Steve's repo)

How reproducible:

Steps to Reproduce:
1 - ssh into system with your admin user as sysadm role
    ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
2 - switch to root
    /bin/su -
3 - execute any netlabel command
    netlabelctl cipsov4 add pass doi:1 tags:1   

Actual results:
[root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
-bash: /sbin/netlabelctl: Permission denied

Expected results:
command pass and I see appropriate audit record in log (CIPSO_ADD in this case)

Additional info:
Sample steps output:
[root/abat_r/SystemLow /]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
Last login: Tue Mar 20 12:31:23 2007 from localhost.localdomain
[ealuser/sysadm_r/SystemLow ~]$ /bin/su -
[root/sysadm_r/SystemLow ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=ealuser_u:sysadm_r:sysadm_t:SystemLow-SystemHigh
[root/sysadm_r/SystemLow ~]# netlabelctl cipsov4 add pass doi:1 tags:1
-bash: /sbin/netlabelctl: Permission denied 

---- netlabel related records (the only 2 records I see when I get perm denied)
type=SELINUX_ERR msg=audit(1174412941.179:771): security_compute_sid:  invalid context ealuser_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174412941.179:771): arch=14 syscall=11 success=no exit=-13 a0=10121d98 a1=1011edd0 a2=1011ee58 a3=0 items=0 ppid=3090 pid=3123 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="bash" exe="/bin/bash" subj=ealuser_u:sysadm_r:sysadm_t:s0-s15:c0.c1023

Comment 1 Daniel Walsh 2007-03-22 20:24:06 UTC
Fixed in selinux-policy-2.4.6-47

Comment 2 RHEL Product and Program Management 2007-03-22 20:43:13 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 3 Loulwa Salem 2007-03-23 15:29:55 UTC
Thanks for the fix, I'll try it out, but will you please point me to where I 
can get the -47 policy. 
It is not on Dan's people page or Steve's lspp repo

Comment 5 Joy Latten 2007-03-26 21:58:56 UTC
Looks like the same thing is happening when I try to start racoon for labeled
ipsec. I have not seen this before. I was running version 38 policy and updated
to version 45.

type=SELINUX_ERR msg=audit(1174945035.957:573): security_compute_sid:  invalid context staff_u:system_r:racoon_t:s0-s15:c0.c1023 for tcontext=system_u:object_r:racoon_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174945035.957:573): arch=14 syscall=11 success=no exit=-13 a0=100fccc8 a1=100f7000 a2=100f7d58 a3=0 items=0 ppid=16978 pid=17013 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023

Comment 6 Joy Latten 2007-03-26 22:02:19 UTC
Forgot to add that I ssh in as ssh -l ealuser/sysadm_r/s0-s15:c0.c1023
and then do a /bin/su - 

semanage login -l 
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    SystemLow
abat                      abat_u                    SystemLow-SystemHigh
abatroot                  abat_u                    SystemLow
ealuser                   staff_u                   SystemLow-SystemHigh
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh
testuser                  testuser_u                SystemLow-SystemHigh

semanage user -l 
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

abat_u          abat       SystemLow  SystemLow-SystemHigh           abat_r
root            sysadm     SystemLow  SystemLow-SystemHigh           system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow-SystemHigh           sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r
testuser_u      user       SystemLow  SystemLow-SystemHigh           user_r
user_u          user       SystemLow  SystemLow                      user_r

Comment 7 Loulwa Salem 2007-03-26 22:46:57 UTC
Per talk today on lspp call, I reinstalled the -47 policy (with the --force in
permissive to make sure changes get applied smoothly) .. then relabeled and
rebooted the system in enforcing. I still get permission denied when trying
netlabelctl and see the same problem originally described in this bugzilla.

[root/abat_r/SystemLow@joy-hv4 ~]# ssh -l ealuser/sysadm_r/s0-s15:c0.c1023 localhost
Last login: Mon Mar 26 13:38:51 2007 from localhost.localdomain
[ealuser/sysadm_r/SystemLow@joy-hv4 ~]$ /bin/su -
[root/sysadm_r/SystemLow@joy-hv4 ~]# id
uid=0(root) gid=0(root)
[root/sysadm_r/SystemLow@joy-hv4 ~]# netlabelctl map list
-bash: /sbin/netlabelctl: Permission denied

in /var/log/audit/audit.log I see
type=SELINUX_ERR msg=audit(1174934456.088:431): security_compute_sid:  invalid context staff_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174934456.088:431): arch=14 syscall=11 success=no exit=-13 a0=1011d0b0 a1=10115278 a2=1011f8a8 a3=0 items=0 ppid=2111 pid=2146 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023

Comment 8 Daniel Walsh 2007-03-27 14:34:38 UTC
Ok I am not sure why this is the case, but the problem is that system_r is not
in the list of roles available in staff_u or abat_u.  I believe if you add that
role everything will work.

I was running as a logged in user of root, and that works, because root has

From reading the policy I would have thought netlabelctl would run as 
staff_u:sysadm_r:netlabel_mgmt_t but the policy seems to be trying to run it as

Comment 9 Daniel Walsh 2007-03-27 15:06:22 UTC
There is a bug in policy that defines 
rather than

This is causing the daemon to attempt to run as system_r, changing it to
init_system_domain causes it to work without adding system_r to staff_u.

I will update the policy and publish today.

Fixed in selinux-policy-2.4.6-48
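
The diagnosis in comments 8 and 9 (the computed context for the exec carries a role the SELinux user is not authorised for, so security_compute_sid rejects it and execve fails with EACCES) can be checked mechanically from the audit log. The script below is an added example and is not part of this bug report or of selinux-policy: it parses SELINUX_ERR and SYSCALL records like the ones above together with the output of `semanage user -l`, pairs them by audit serial, and reports for each failed process transition whether the target role is missing from the user's role list. The sample audit lines and the semanage listing are the ones from comments 6 and 7, embedded inline so the script runs offline; the `semanage user -m -R` command it suggests is the role-addition workaround from comment 8, not the policy change that actually fixed the bug.

```python
import re

# Constructed sample input (copied from comments 6 and 7 of this bug, with
# wrapped lines rejoined), embedded so the script runs without a live system.
SAMPLE_AUDIT = """\
type=SELINUX_ERR msg=audit(1174934456.088:431): security_compute_sid:  invalid context staff_u:system_r:netlabel_mgmt_t:s0-s15:c0.c1023 for tcontext=system_u:object_r:netlabel_mgmt_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1174934456.088:431): arch=14 syscall=11 success=no exit=-13 a0=1011d0b0 a1=10115278 a2=1011f8a8 a3=0 items=0 ppid=2111 pid=2146 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="bash" exe="/bin/bash" subj=staff_u:sysadm_r:sysadm_t:s0-s15:c0.c1023
"""

SAMPLE_SEMANAGE_USERS = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

abat_u          abat       SystemLow  SystemLow-SystemHigh           abat_r
root            sysadm     SystemLow  SystemLow-SystemHigh           system_r sysadm_r staff_r secadm_r auditadm_r
staff_u         staff      SystemLow  SystemLow-SystemHigh           sysadm_r staff_r secadm_r auditadm_r
sysadm_u        sysadm     SystemLow  SystemLow-SystemHigh           sysadm_r
system_u        user       SystemLow  SystemLow-SystemHigh           system_r
testuser_u      user       SystemLow  SystemLow-SystemHigh           user_r
user_u          user       SystemLow  SystemLow                      user_r
"""

SELINUX_ERR_RE = re.compile(
    r"^type=SELINUX_ERR msg=audit\([\d.]+:(?P<serial>\d+)\): "
    r"security_compute_sid:\s+invalid context (?P<ctx>\S+) for "
    r"tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?'
    r'exe="(?P<exe>[^"]*)".*? subj=(?P<subj>\S+)'
)


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    user, role, type_, range_ = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": range_}


def parse_semanage_users(text):
    """Map SELinux user -> set of authorised roles from `semanage user -l`."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines and blanks; data rows have >= 5 columns.
        if len(parts) < 5 or parts[0] in ("SELinux", "Labeling"):
            continue
        users[parts[0]] = set(parts[4:])
    return users


def diagnose(audit_text, semanage_text):
    """Return one finding per rejected process transition in audit_text."""
    users = parse_semanage_users(semanage_text)
    errs, syscalls = {}, {}
    for line in audit_text.splitlines():
        m = SELINUX_ERR_RE.match(line)
        if m and m.group("tclass") == "process":
            errs[m.group("serial")] = m
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = m

    findings = []
    for serial, m in errs.items():
        new = split_context(m.group("ctx"))       # context the kernel computed
        target = split_context(m.group("tctx"))   # label of the executed file
        allowed = users.get(new["user"], set())
        sc = syscalls.get(serial)                  # SYSCALL record, same event
        have = " ".join(sorted(allowed)) or "(unknown SELinux user)"
        want = " ".join(sorted(allowed | {new["role"]}))
        missing = new["role"] not in allowed
        if missing:
            explanation = (
                f"exec of a {target['type']} file transitions to {new['type']} "
                f"in role {new['role']}, but SELinux user {new['user']} is only "
                f"authorised for: {have}. Either fix the policy so the caller "
                f"keeps its own role, or (workaround) run: "
                f"semanage user -m -R '{want}' {new['user']}"
            )
        else:
            explanation = ("role is authorised; check the MLS range and "
                           "user/role/type constraints instead")
        findings.append({
            "serial": serial,
            "user": new["user"],
            "role": new["role"],
            "type": new["type"],
            "target_type": target["type"],
            "allowed_roles": sorted(allowed),
            "role_missing": missing,
            "exe": sc.group("exe") if sc else None,
            "subj": split_context(sc.group("subj")) if sc else None,
            "explanation": explanation,
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_AUDIT, SAMPLE_SEMANAGE_USERS):
        print(f"audit serial {f['serial']}: {f['explanation']}")
```

Run against the real files with something like `diagnose(open("/var/log/audit/audit.log").read(), subprocess.check_output(["semanage", "user", "-l"]).decode())`; a finding with role_missing true is exactly the situation in this bug, while one with role_missing false points at an MLS range or constraint problem rather than a role association.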

Comment 10 Loulwa Salem 2007-03-27 15:32:16 UTC
Regarding comment #8, I added system_r to the roles of staff_u and yes .. now 
I can execute netlabel fine :)

However, I no longer can see the output of the netlabel command, the audit 
record shows the command succeeded (I see a record), but I don't see output 
for example when I do a netlabelctl cipsov4 list. Keeping in mind that this is 
not on the console (the way Paul described in an email on the lspp mailing 
list previously), this occurs through an ssh session which used to show the 

I'll wait for the -48 policy and try the fix of changing daemon to system then 
I'll report on that.

Comment 11 Loulwa Salem 2007-03-27 16:25:13 UTC
Just a small update: I was not able to see the output of netlabelctl when I 
was staff_u:sysadm_r (which is what I logged into to try netlabelctl); once 
I exited and went back to my abat_r I am able to see the output.

Comment 12 Loulwa Salem 2007-03-27 19:51:17 UTC
I just tried the -49 policy and the permission denied problem is resolved.
The issue of not seeing the netlabelctl output as sysadm_r is also resolved ..

All looks great so far .. thanks

Comment 13 Joy Latten 2007-03-28 16:03:53 UTC
This appears to be working for racoon with version 49 selinux policy.

Comment 17 errata-xmlrpc 2007-11-07 16:38:39 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
