Bug
Resolution: Won't Do
Major
rhel-8.5.0
+++ This bug was initially created as a clone of Bug #1947841 +++
I am copying this bug because the customer reports the issue is partially fixed.
Description of problem:
The secure_mode boolean should prevent confined users from transitioning to the sysadm domain or switching to the root user (switching to a privileged role).
Description of the secure_mode boolean:
if secure mode is enabled, then newrole can only transition to unprivileged users
But the unconfined user is also declared among the unprivileged users:
$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.4 (Ootpa)
$ rpm -q selinux-policy
selinux-policy-3.14.3-80.el8.noarch
$ getsebool secure_mode
secure_mode --> on
- Test 1 --> OK
newrole -r unconfined_r
Password:
failed to exec shell
: Permission denied
- Test 2: --> NOT OK
sudo -r unconfined_r -i
[sudo] password for winfried@blabla.bla:
[root@rhel8 ~]# id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- Test 3: --> NOT OK:
ssh winfried/unconfined_r@localhost
Password:
~
$ id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ seinfo -xaunpriv_userdomain
Type Attributes: 1
attribute unpriv_userdomain;
guest_t
staff_t
staff_wine_t
unconfined_t
user_t
user_wine_t
xguest_t
When the secure_mode boolean is enabled, user staff_u cannot switch to the sysadm domain, but they can switch to the unconfined domain and perform privileged (admin) operations.
This transition operation should NOT be allowed when secure_mode boolean is enabled:
staff_u:staff_r --> staff_u:unconfined_r
Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-31.fc32.noarch
How reproducible:
Always
Steps to Reproduce:
1. Enable secure_mode boolean
2. Login as SELinux user staff_u
3. Switch with newrole to unconfined_r
Actual results:
SELinux user staff can switch to unconfined domain
Expected results:
SELinux user staff cannot switch to unconfined domain
Additional info:
Proposed fix: remove unconfined_t from unpriv_user_domain.
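An added example (not part of the original report or of selinux-policy): a shell check that parses the `id -Z` contexts shown in Tests 2 and 3 and flags a change from an unprivileged role to a privileged one while secure_mode is on. The `PRIV_ROLES` list and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag role changes that secure_mode is expected to block.
# PRIV_ROLES is an assumption of this example, built from the two roles
# the report discusses (sysadm_r and unconfined_r).
PRIV_ROLES="sysadm_r unconfined_r"

# Split user:role:type[:range]. The MLS range contains ':' itself
# (s0-s0:c0.c1023), so only the first three colons separate fields.
parse_context() {
    se_user=${1%%:*};     _rest=${1#*:}
    se_role=${_rest%%:*}; _rest=${_rest#*:}
    se_type=${_rest%%:*}
    case $_rest in *:*) se_range=${_rest#*:} ;; *) se_range= ;; esac
}

# is_priv_role ROLE: succeeds when ROLE is listed in PRIV_ROLES.
is_priv_role() {
    for _r in $PRIV_ROLES; do
        if [ "$_r" = "$1" ]; then return 0; fi
    done
    return 1
}

# check_transition GETSEBOOL_LINE FROM_CONTEXT TO_CONTEXT
# Prints SKIP (boolean off), VIOLATION or OK, then user and role change.
check_transition() {
    _state=${1##* }                  # "secure_mode --> on" -> "on"
    parse_context "$2"; _from_role=$se_role
    parse_context "$3"
    _change="$se_user $_from_role->$se_role"
    if [ "$_state" != on ]; then
        echo "SKIP $_change"
    elif ! is_priv_role "$_from_role" && is_priv_role "$se_role"; then
        echo "VIOLATION $_change"
    else
        echo "OK $_change"
    fi
}

# Values copied from the report: getsebool output and the `id -Z`
# contexts before and after the sudo/ssh role change (Tests 2 and 3).
BOOL="secure_mode --> on"
LOGIN="staff_u:staff_r:staff_t:s0-s0:c0.c1023"
AFTER="staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
check_transition "$BOOL" "$LOGIN" "$AFTER"
check_transition "$BOOL" "$LOGIN" "$LOGIN"
```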