RHEL-1460

Secure_mode boolean allows staff SELinux user switch to unconfined

    • Normal
    • sst_security_selinux
    • ssg_security
    • False

      +++ This bug was initially created as a clone of Bug #1947841 +++

      I am copying this bug because the customer reports the issue is partially fixed.

      Description of problem:
      Secure_mode boolean should prevent confined users from transitioning to sysadm domain or switch to the root user (switch to privileged role).

      Description of the secure_mode boolean:
      if secure mode is enabled, then newrole can only transition to unprivileged users

      But the unconfined user is also declared among the unprivileged users:

      $ id -Z
      staff_u:staff_r:staff_t:s0-s0:c0.c1023

      $ cat /etc/redhat-release
      Red Hat Enterprise Linux release 8.4 (Ootpa)

      $ rpm -q selinux-policy
      selinux-policy-3.14.3-80.el8.noarch

      $ getsebool secure_mode
      secure_mode --> on

        1. Test 1 --> OK
          newrole -r unconfined_r
          Password:
          failed to exec shell
          : Permission denied
        2. Test 2: --> NOT OK
          sudo -r unconfined_r -i
          [sudo] password for winfried@blabla.bla:
          [root@rhel8 ~]# id -Z
          staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
        3. Test 3: --> NOT OK:
          ssh winfried/unconfined_r@localhost
          Password:
          ~
          $ id -Z
          staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

      $ seinfo -xaunpriv_userdomain

      Type Attributes: 1
      attribute unpriv_userdomain;
      guest_t
      staff_t
      staff_wine_t
      unconfined_t
      user_t
      user_wine_t
      xguest_t

      When secure_mode boolean is enabled, user staff_u cannot switch to sysadm domain, but they can switch to unconfined domain, and do privileged (admin) operations.

      This transition operation should NOT be allowed when secure_mode boolean is enabled:
      staff_u:staff_r -> staff_u:unconfined_r

      Version-Release number of selected component (if applicable):
      selinux-policy-3.14.5-31.fc32.noarch

      How reproducible:

      Always

      Steps to Reproduce:
      1. Enable secure_mode boolean
      2. Login as SELinux user staff_u
      3. Switch with newrole to unconfined_r

      Actual results:
      SELinux user staff can switch to unconfined domain

      Expected results:
      SELinux user staff cannot switch to unconfined domain

      Additional info:
      Proposed fix: remove unconfined_t from unpriv_user_domain.

            rhn-support-zpytela Zdenek Pytela
            rhn-support-amkulkar Amogh Kulkarni
            Zdenek Pytela Zdenek Pytela
            Milos Malik Milos Malik
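
Added example, not part of the original report or of the selinux-policy project: a shell check for the condition described above, secure_mode on while unconfined_t is still a member of unpriv_userdomain. The function names and the embedded sample input are constructed for illustration; on a live host, pass it the output of `getsebool secure_mode` and `seinfo -xaunpriv_userdomain`.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): flag secure_mode=on while
# unconfined_t is still a member of the unpriv_userdomain attribute.

# Print member types from `seinfo -xaunpriv_userdomain` output read on stdin.
unpriv_members() {
    awk '$1 == "attribute" { in_attr = ($2 == "unpriv_userdomain;"); next }
         in_attr && NF == 1 && $1 ~ /_t$/ { print $1 }'
}

# $1: `getsebool secure_mode` output; $2: `seinfo -xaunpriv_userdomain` output.
# Returns 0 = not exposed, 1 = exposed, 2 = input could not be parsed.
audit_secure_mode() {
    local bool_line="$1" seinfo_out="$2" state members
    state=$(printf '%s\n' "$bool_line" |
        awk '$1 == "secure_mode" && $2 == "-->" { print $3 }')
    members=$(printf '%s\n' "$seinfo_out" | unpriv_members)
    case "$state" in
        on|off) ;;
        *) echo "UNKNOWN: cannot parse secure_mode state"; return 2 ;;
    esac
    if [ -z "$members" ]; then
        echo "UNKNOWN: no unpriv_userdomain members parsed"; return 2
    fi
    if [ "$state" = off ]; then
        echo "INFO: secure_mode is off, nothing to audit"; return 0
    fi
    if printf '%s\n' "$members" | grep -qx 'unconfined_t'; then
        echo "EXPOSED: secure_mode is on but unconfined_t is in unpriv_userdomain"
        return 1
    fi
    echo "OK: secure_mode is on and unconfined_t is not in unpriv_userdomain"
}

# Constructed sample input, modelled on the command output quoted in the report.
SAMPLE_BOOL='secure_mode --> on'
SAMPLE_SEINFO='Type Attributes: 1
   attribute unpriv_userdomain;
        guest_t
        staff_t
        staff_wine_t
        unconfined_t
        user_t
        user_wine_t
        xguest_t'
SAMPLE_FIXED=$(printf '%s\n' "$SAMPLE_SEINFO" | grep -v 'unconfined_t')

audit_secure_mode "$SAMPLE_BOOL" "$SAMPLE_SEINFO" || true   # unfixed policy
audit_secure_mode "$SAMPLE_BOOL" "$SAMPLE_FIXED" || true    # after proposed fix
```

This checks attribute membership only, which is what the proposed fix changes; it does not exercise the sudo and ssh paths from Test 2 and Test 3.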