-
Bug
-
Resolution: Done-Errata
-
Undefined
-
rhel-9.3.0
-
selinux-policy-38.1.32-1.el9
-
None
-
None
-
sst_security_selinux
-
ssg_security
-
26
-
None
-
False
-
-
Yes
-
None
-
Pass
-
Automated
-
Bug Fix
-
-
Done
-
-
All
-
None
This bug was initially created as a copy of Bug #2053004
I am copying this bug because:
Description of problem:
The "unconfined_login" boolean is supposed to "allow users to login as an unconfined domain" (i.e. "unconfined_t").
Turning OFF this boolean doesn't seem to have any effect, at least on sshd:
a user mapped to unconfined_u can still log in:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ ssh unconfined@vm-confined8
[unconfined@vm-confined8 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
The policy shows the following rules being added when "unconfined_login" is enabled:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
- sesearch -A -b unconfined_login
allow unconfined_login_domain bin_t:dir { getattr ioctl lock open read search }; [ unconfined_login ]:True
{ getattr open search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:dir
allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
{ getattr read }
allow unconfined_login_domain bin_t:lnk_file; [ unconfined_login ]:True
{ execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
allow unconfined_login_domain shell_exec_t:file
allow unconfined_login_domain unconfined_t:process transition; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:fd use; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:fifo_file { append getattr ioctl lock open read write }; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:process sigchld; [ unconfined_login ]:True
# seinfo -a unconfined_login_domain -x
Type Attributes: 1
attribute unconfined_login_domain;
chroot_user_t
crond_t
local_login_t
remote_login_t
rshd_t
sshd_t
sulogin_t
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
From above, I'd expect when boolean is off, that shell services (e.g. sshd) cannot spawn a shell but ... there is an unconditional rule in the policy as well for sshd:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s sshd_t -t shell_exec_t
[...]
allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read };
{ execute execute_no_trans getattr ioctl map open read }; [ ssh_sysadm_login ]:True
allow sshd_t shell_exec_t:file
allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
-
-
-
-
-
-
- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
-
-
-
-
-
-
Stracing sshd with "--secontext" option shows the context change for the sshd user happens without issue:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
39754 [sshd_t] 13:13:41.865154 write(12</proc/39754/task/39754/attr/current> [sshd_t], "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\0", 54) = 54 <0.000142>
39754 [unconfined_t] 13:13:41.865324 close(12</proc/39754/task/39754/attr/current> [unconfined_t]) = 0 <0.000004>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
What's wrong?
Version-Release number of selected component (if applicable):
selinux-policy-38.1.17-1.el9
How reproducible:
Always
Steps to Reproduce:
1. Map a user to "unconfined_u"
- useradd -Z unconfined_u unconfined
- echo "pass" | passwd --stdin unconfined
2. Disable the boolean
- semanage boolean --modify --off unconfined_domain
3. Try ssh'ing
- ssh unconfined@localhost
Actual results:
Works
Expected results:
Doesn't work
Additional Information:
See the following phase in TC#105816 (/CoreOS/selinux-policy/Regression/sshd-general):
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: unconfined_login boolean doesn't seem to have any effect on users, bz#2053004
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ 04:36:41 ] :: [ BEGIN ] :: Running 'semanage boolean -m --off unconfined_login'
:: [ 04:36:43 ] :: [ PASS ] :: Command 'semanage boolean -m --off unconfined_login' (Expected 0, got 0)
:: [ 04:36:43 ] :: [ BEGIN ] :: Running 'useradd -Z unconfined_u user23156'
:: [ 04:36:44 ] :: [ PASS ] :: Command 'useradd -Z unconfined_u user23156' (Expected 0, got 0)
:: [ 04:36:44 ] :: [ BEGIN ] :: Running 'echo s3kr3T2527 | passwd --stdin user23156'
:: [ 04:36:45 ] :: [ PASS ] :: Command 'echo s3kr3T2527 | passwd --stdin user23156' (Expected 0, got 0)
:: [ 04:36:45 ] :: [ BEGIN ] :: User login expected to fail. :: actually running './ssh.exp user23156 s3kr3T2527 localhost id -Z'
spawn ssh -t user23156@localhost id -Z
user23156@localhost's password:
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Connection to localhost closed.
:: [ 04:36:45 ] :: [ FAIL ] :: User login expected to fail. (Expected 1-255, got 0)
:: [ 04:36:45 ] :: [ BEGIN ] :: Running 'userdel -rf user23156'
userdel: user user23156 is currently used by process 51894
:: [ 04:36:45 ] :: [ PASS ] :: Command 'userdel -rf user23156' (Expected 0, got 0)
:: [ 04:36:45 ] :: [ BEGIN ] :: Running 'semanage boolean -m --on unconfined_login'
libsemanage.add_user: user user23156 not in password file
:: [ 04:36:47 ] :: [ PASS ] :: Command 'semanage boolean -m --on unconfined_login' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: Duration: 6s
:: Assertions: 5 good, 1 bad
:: RESULT: FAIL (unconfined_login boolean doesn't seem to have any effect on users, bz#2053004)
- external trackers
- links to
-
RHBA-2023:121166
selinux-policy bug fix and enhancement update
- mentioned on
