RHEL-1551: "unconfined_login" boolean doesn't seem to have any effect on users

    • selinux-policy-38.1.32-1.el9
    • rhel-sst-security-selinux
    • Bug Fix
    • Done

      .SELinux policy denies SSH login for unconfined users when `unconfined_login` is set to `off`

      Previously, the SELinux policy was missing a rule to deny unconfined users to log in via SSH when the `unconfined_login` boolean was set to `off`. As a consequence, with `unconfined_login` set to `off`, users still could log in with SSHD to an unconfined domain. This update adds a rule to the SELinux policy, and as a result, users cannot log in via `sshd` as unconfined when `unconfined_login` is `off`.

      This bug was initially created as a copy of Bug #2053004

      I am copying this bug because:

      Description of problem:

      The "unconfined_login" boolean is supposed to "allow users to login as an unconfined domain" (i.e. "unconfined_t").
      Turning OFF this boolean doesn't seem to have any effect, at least on sshd:

      a user mapped to unconfined_u can still log in:

      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      $ ssh unconfined@vm-confined8

      [unconfined@vm-confined8 ~]$ id -Z
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      The policy shows the following rules being added when "unconfined_login" is enabled:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # sesearch -A -b unconfined_login
      allow unconfined_login_domain bin_t:dir { getattr ioctl lock open read search }; [ unconfined_login ]:True
      allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
      allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
      allow unconfined_login_domain bin_t:lnk_file { getattr read }; [ unconfined_login ]:True
      allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
      allow unconfined_login_domain unconfined_t:process transition; [ unconfined_login ]:True
      allow unconfined_t unconfined_login_domain:fd use; [ unconfined_login ]:True
      allow unconfined_t unconfined_login_domain:fifo_file { append getattr ioctl lock open read write }; [ unconfined_login ]:True
      allow unconfined_t unconfined_login_domain:process sigchld; [ unconfined_login ]:True

      # seinfo -a unconfined_login_domain -x
      Type Attributes: 1
         attribute unconfined_login_domain;
            chroot_user_t
            crond_t
            local_login_t
            remote_login_t
            rshd_t
            sshd_t
            sulogin_t
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      From above, I'd expect when boolean is off, that shell services (e.g. sshd) cannot spawn a shell but ... there is an unconditional rule in the policy as well for sshd:

      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # sesearch -A -s sshd_t -t shell_exec_t
      [...]
      allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read };
      allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ ssh_sysadm_login ]:True
      allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Stracing sshd with the "--secontext" option shows the context change for the sshd user happens without issue:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      39754 [sshd_t] 13:13:41.865154 write(12</proc/39754/task/39754/attr/current> [sshd_t], "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\0", 54) = 54 <0.000142>
      39754 [unconfined_t] 13:13:41.865324 close(12</proc/39754/task/39754/attr/current> [unconfined_t]) = 0 <0.000004>
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      What's wrong?

      Version-Release number of selected component (if applicable):

      selinux-policy-38.1.17-1.el9

      How reproducible:

      Always

      Steps to Reproduce:
      1. Map a user to "unconfined_u"
         # useradd -Z unconfined_u unconfined
         # echo "pass" | passwd --stdin unconfined
      2. Disable the boolean
         # semanage boolean --modify --off unconfined_login
      3. Try ssh'ing
         $ ssh unconfined@localhost

      Actual results:

      Works

      Expected results:

      Doesn't work

      Additional Information:

      See the following phase in TC#105816 (/CoreOS/selinux-policy/Regression/sshd-general):

      :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      :: unconfined_login boolean doesn't seem to have any effect on users, bz#2053004
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

      :: [ 04:36:41 ] :: [ BEGIN ] :: Running 'semanage boolean -m --off unconfined_login'
      :: [ 04:36:43 ] :: [ PASS ] :: Command 'semanage boolean -m --off unconfined_login' (Expected 0, got 0)
      :: [ 04:36:43 ] :: [ BEGIN ] :: Running 'useradd -Z unconfined_u user23156'
      :: [ 04:36:44 ] :: [ PASS ] :: Command 'useradd -Z unconfined_u user23156' (Expected 0, got 0)
      :: [ 04:36:44 ] :: [ BEGIN ] :: Running 'echo s3kr3T2527 | passwd --stdin user23156'
      :: [ 04:36:45 ] :: [ PASS ] :: Command 'echo s3kr3T2527 | passwd --stdin user23156' (Expected 0, got 0)
      :: [ 04:36:45 ] :: [ BEGIN ] :: User login expected to fail. :: actually running './ssh.exp user23156 s3kr3T2527 localhost id -Z'
      spawn ssh -t user23156@localhost id -Z

      user23156@localhost's password:
      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
      Connection to localhost closed.

      :: [ 04:36:45 ] :: [ FAIL ] :: User login expected to fail. (Expected 1-255, got 0)
      :: [ 04:36:45 ] :: [ BEGIN ] :: Running 'userdel -rf user23156'
      userdel: user user23156 is currently used by process 51894
      :: [ 04:36:45 ] :: [ PASS ] :: Command 'userdel -rf user23156' (Expected 0, got 0)
      :: [ 04:36:45 ] :: [ BEGIN ] :: Running 'semanage boolean -m --on unconfined_login'
      libsemanage.add_user: user user23156 not in password file
      :: [ 04:36:47 ] :: [ PASS ] :: Command 'semanage boolean -m --on unconfined_login' (Expected 0, got 0)
      ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
      :: Duration: 6s
      :: Assertions: 5 good, 1 bad
      :: RESULT: FAIL (unconfined_login boolean doesn't seem to have any effect on users, bz#2053004)
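The report's own method, reading `sesearch -A -b unconfined_login` next to the unconditional rules for `sshd_t`, can be mechanised so that the question "does this boolean actually gate anything for this domain?" is answered from the rule text rather than by eye. The following is an added example, not code from the bug report or from selinux-policy: it parses the `sesearch` allow lines and the `seinfo -a <attr> -x` membership list in the formats the setools CLI prints, expands attribute-based rules to their member types, and computes which of a source domain's accesses disappear when a boolean is turned off and which survive because some other rule grants them. The sample rules are the ones quoted in the report above, reflowed one per line, and are constructed for the example; they are not the full policy, so on a real system feed it the complete `sesearch -A -s sshd_t` output. All helper names (`parse_rules`, `parse_attributes`, `effective_perms`, `boolean_effect`) are this example's own.

```python
# Added example: evaluate from sesearch/seinfo output which accesses an SELinux
# boolean really gates for a domain. Not code from the report or selinux-policy.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the rules quoted in the report, one per line as sesearch
# prints them. It is NOT the full policy; sshd_t has many more rules.
SESEARCH_OUTPUT = """\
allow unconfined_login_domain bin_t:dir { getattr ioctl lock open read search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True
allow unconfined_login_domain bin_t:lnk_file { getattr read }; [ unconfined_login ]:True
allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True
allow unconfined_login_domain unconfined_t:process transition; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:fd use; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:fifo_file { append getattr ioctl lock open read write }; [ unconfined_login ]:True
allow unconfined_t unconfined_login_domain:process sigchld; [ unconfined_login ]:True
allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read };
allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ ssh_sysadm_login ]:True
"""

# Constructed sample: `seinfo -a unconfined_login_domain -x` as quoted above.
SEINFO_OUTPUT = """\
Type Attributes: 1
   attribute unconfined_login_domain;
      chroot_user_t
      crond_t
      local_login_t
      remote_login_t
      rshd_t
      sshd_t
      sulogin_t
"""

# allow SRC TGT:CLASS { p1 p2 }; [ bool ]:True   (or one bare permission, no condition)
RULE_RE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
    r"(?:\s*\[\s*(?P<bool>\S+)\s*\]:(?P<val>True|False))?\s*$"
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset
    condition: Optional[tuple]  # (boolean name, value the rule needs) or None


def parse_rules(text: str) -> list:
    """Parse sesearch allow lines; lines that are not rules (e.g. '[...]') are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = m.group("perms").split() if m.group("perms") is not None else [m.group("perm")]
        cond = (m.group("bool"), m.group("val") == "True") if m.group("bool") else None
        rules.append(AllowRule(m.group("src"), m.group("tgt"), m.group("cls"), frozenset(perms), cond))
    return rules


def parse_attributes(text: str) -> dict:
    """Map attribute name -> set of member types from `seinfo -a ATTR -x` output."""
    attrs, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"^attribute\s+(\S+);$", s)
        if m:
            current = m.group(1)
            attrs[current] = set()
        elif current and s:
            attrs[current].add(s)
    return attrs


def _matches(rule_name: str, concrete: str, attrs: dict) -> bool:
    """A rule written against an attribute applies to each of its member types."""
    return rule_name == concrete or concrete in attrs.get(rule_name, ())


def _active(rule: AllowRule, booleans: dict) -> bool:
    """Unconditional rules always apply; booleans not listed are treated as off."""
    return rule.condition is None or booleans.get(rule.condition[0], False) == rule.condition[1]


def effective_perms(rules, attrs, booleans, source, target, tclass) -> frozenset:
    """Permissions `source` holds on `target:tclass` under the given boolean state."""
    return frozenset(p for r in rules
                     if r.tclass == tclass and _matches(r.source, source, attrs)
                     and _matches(r.target, target, attrs) and _active(r, booleans)
                     for p in r.perms)


def boolean_effect(rules, attrs, boolean, source, booleans=None):
    """(removed, surviving): accesses of `source` lost when `boolean` is off versus
    those still granted by some other rule, i.e. not gated by the boolean at all."""
    base = dict(booleans or {})

    def accesses(state):
        return {(r.target, r.tclass, p) for r in rules
                if _matches(r.source, source, attrs) and _active(r, state) for p in r.perms}

    on, off = accesses({**base, boolean: True}), accesses({**base, boolean: False})
    return on - off, on & off


if __name__ == "__main__":
    rules, attrs = parse_rules(SESEARCH_OUTPUT), parse_attributes(SEINFO_OUTPUT)
    removed, surviving = boolean_effect(rules, attrs, "unconfined_login", "sshd_t")
    print("sshd_t accesses that unconfined_login=off removes:")
    for a in sorted(removed):
        print("  %s:%s %s" % a)
    print("sshd_t accesses still granted with unconfined_login=off:")
    for a in sorted(surviving):
        print("  %s:%s %s" % a)
```

On the quoted excerpt alone, `sshd_t` keeps `shell_exec_t:file execute` with the boolean off (the unconditional rule) but loses `unconfined_t:process transition`, which is exactly the reporter's expectation that the login should fail. The strace in the report shows the transition succeeding anyway, so the full policy must grant it through rules outside this excerpt; the check to run on the real box is `sesearch -A -s sshd_t -t unconfined_t -c process -p transition` with `unconfined_login` off, and a boolean is only a meaningful control when that query comes back empty.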

              Zdenek Pytela
              Ondrej Moris
              Nikola Kňažeková
              Amith Kumar Peethambaran
              Jan Fiala