Selinux blocks sudo command issued by systemd service unit #504

@Pyr0Texn1c

Description


I set up Redis 8.4 replication with Sentinel and service registration with HashiCorp Consul on an Oracle EL10.1 server stack. In order to re-register the redis service with Consul after a failover I needed to reload the consul service, which can be done with the Redis Sentinel client-reconfig-script option. Here's the simple script:

#!/bin/bash
sudo systemctl reload consul.service

That command was added to sudoers:

Cmnd_Alias CONSUL_SERVICE = /usr/bin/systemctl reload consul.service
redis ALL=NOPASSWD: CONSUL_SERVICE

After testing this configuration with SELinux in enforcing mode I ended up with this SELinux policy:

module my-redisserver 1.0;

require {
    type redis_conf_t;
    type redis_t;
    type sudo_exec_t;
    type system_dbusd_t;
    type system_dbusd_var_run_t;
    type systemd_systemctl_exec_t;
    type systemd_logind_t;
    type systemd_unit_file_t;
    type chkpwd_exec_t;
    type shadow_t;
    type init_t;
    class lnk_file read;
    class sock_file write;
    class dbus send_msg;
    class service { reload status };
    class capability { audit_write setgid setuid sys_resource dac_read_search };
    class netlink_audit_socket { create nlmsg_relay };
    class file { execute execute_no_trans getattr map open read };
}

#============= redis_t ==============
allow redis_t redis_conf_t:lnk_file read;
allow redis_t redis_conf_t:file { execute execute_no_trans };
allow redis_t sudo_exec_t:file { execute execute_no_trans getattr open read };
allow redis_t self:capability { audit_write setgid setuid sys_resource dac_read_search };
allow redis_t self:netlink_audit_socket { create nlmsg_relay };
allow redis_t system_dbusd_var_run_t:sock_file write;
allow redis_t systemd_systemctl_exec_t:file { execute execute_no_trans getattr map open read };
allow redis_t sudo_exec_t:file map;
allow redis_t chkpwd_exec_t:file { execute execute_no_trans map open read };
allow redis_t shadow_t:file { getattr open read };
allow redis_t init_t:lnk_file read;
allow redis_t system_dbusd_t:dbus send_msg;
allow redis_t systemd_logind_t:dbus send_msg;
allow redis_t systemd_unit_file_t:service { reload status };

and systemd unit file:

[Unit]
Description=Redis Sentinel
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/bin/redis-sentinel /etc/redis/sentinel.conf --daemonize no --supervised systemd
Type=notify
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0755

# If you need to change max open file limit
# for example, when you change maxclient in configuration
# you can change the LimitNOFILE value below.
# See "man systemd.exec" for more information.
LimitNOFILE=10240

# Slave nodes on large system may take lot of time to start.
# You may need to uncomment TimeoutStartSec and TimeoutStopSec
# directives below and raise their value.
# See "man systemd.service" for more information.
#TimeoutStartSec=90s
#TimeoutStopSec=90s

CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_AUDIT_WRITE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target

But SELinux still blocks the execution of the sudo command (/var/log/messages):

Jan 23 11:04:56 dm-ux02 redis-sentinel[6668]: sudo: PAM account management error: Permission denied
Jan 23 11:04:56 dm-ux02 redis-sentinel[6668]: sudo: unable to send audit message: Permission denied
Jan 23 11:04:56 dm-ux02 redis-sentinel[6668]: sudo: a password is required

(/var/log/secure):

Jan 23 11:04:56 dm-ux02 sudo[6668]: PAM audit_log_acct_message() failed: Permission denied
Jan 23 11:04:56 dm-ux02 sudo[6668]:   redis : PAM account management error: Permission denied ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl reload consul.service

The semanage permissive -a redis_t command does the trick (/var/log/messages):

Jan 23 11:08:10 dm-ux02 systemd[1]: Started session-c6.scope - Session c6 of User root.
Jan 23 11:08:10 dm-ux02 systemd[1]: Reloading consul.service - "HashiCorp Consul - A service mesh solution"...
Jan 23 11:08:10 dm-ux02 systemd[1]: Reloaded consul.service - "HashiCorp Consul - A service mesh solution".
Jan 23 11:08:10 dm-ux02 systemd[1]: session-c6.scope: Deactivated successfully.

(/var/log/secure):

Jan 23 11:08:10 dm-ux02 sudo[6704]:   redis : PWD=/tmp ; USER=root ; COMMAND=/usr/bin/systemctl reload consul.service
Jan 23 11:08:10 dm-ux02 sudo[6704]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=986)
Jan 23 11:08:10 dm-ux02 sudo[6704]: pam_unix(sudo:session): session closed for user root

But the most disappointing thing of all is that the SELinux audit.log doesn't contain any error or denied-action entries:

type=DAEMON_ROTATE msg=audit(1769155343.269:9673): op=rotate-logs auid=0 uid=0 ses=4294967295 pid=6655 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 res=success AUID="root" UID="root"
type=USER_MAC_POLICY_LOAD msg=audit(1769155416.691:283): pid=1135 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=load_policy lsm=selinux seqno=3 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_STOP msg=audit(1769155593.979:284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=redis comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=MAC_POLICY_LOAD msg=audit(1769155654.604:285): auid=0 ses=1 lsm=selinux res=1 AUID="root"
type=SYSCALL msg=audit(1769155654.604:285): arch=c000003e syscall=1 success=yes exit=3379288 a0=4 a1=7f548d4c6010 a2=339058 a3=0 items=0 ppid=6688 pid=6692 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="load_policy" exe="/usr/sbin/load_policy" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1769155654.604:285): proctitle="/sbin/load_policy"
type=USER_MAC_POLICY_LOAD msg=audit(1769155662.702:286): pid=1135 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  op=load_policy lsm=selinux seqno=4 res=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"
type=SERVICE_START msg=audit(1769155662.807:287): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=redis comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=USER_ACCT msg=audit(1769155690.376:288): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_CMD msg=audit(1769155690.380:289): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='cwd="/tmp" cmd=73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365 exe="/usr/bin/sudo" terminal=? res=success' UID="redis" AUID="unset"
type=CRED_REFR msg=audit(1769155690.381:290): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_START msg=audit(1769155690.427:291): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_END msg=audit(1769155690.499:292): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=CRED_DISP msg=audit(1769155690.500:293): pid=6704 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_ACCT msg=audit(1769155694.056:294): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_CMD msg=audit(1769155694.060:295): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='cwd="/tmp" cmd=73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365 exe="/usr/bin/sudo" terminal=? res=success' UID="redis" AUID="unset"
type=CRED_REFR msg=audit(1769155694.061:296): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_START msg=audit(1769155694.107:297): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_END msg=audit(1769155694.173:298): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=CRED_DISP msg=audit(1769155694.173:299): pid=6715 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=SERVICE_START msg=audit(1769155696.128:300): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1769155696.128:301): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dnf-makecache comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success' UID="root" AUID="unset"
type=USER_ACCT msg=audit(1769155707.085:302): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:accounting grantors=pam_unix acct="redis" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_CMD msg=audit(1769155707.089:303): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='cwd="/tmp" cmd=73797374656D63746C2072656C6F616420636F6E73756C2E73657276696365 exe="/usr/bin/sudo" terminal=? res=success' UID="redis" AUID="unset"
type=CRED_REFR msg=audit(1769155707.090:304): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_START msg=audit(1769155707.145:305): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=USER_END msg=audit(1769155707.224:306): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"
type=CRED_DISP msg=audit(1769155707.225:307): pid=6742 uid=986 auid=4294967295 ses=4294967295 subj=system_u:system_r:redis_t:s0 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="redis" AUID="unset"

I'd like to complete the fine-grained configuration of the SELinux policy, so I would appreciate any advice for further setup.
I've attached a zip with all the mentioned config and log files.

selinux_bug.zip
