Bug
Resolution: Won't Do
Normal
rhel-8.6.0
Moderate
rhel-sst-security-selinux
ssg_security
QE ack, Dev ack
Description of problem:
While handling a case, I discovered that the passwd and chpasswd executables (labeled "passwd_exec_t") do not always execute in the appropriate context, "passwd_t".
The transition happens for only a few source types, including "unconfined_t":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
...
type_transition cloud_init_t passwd_exec_t:process passwd_t;
type_transition unconfined_t passwd_exec_t:process passwd_t;
type_transition virt_qemu_ga_t passwd_exec_t:process passwd_t;
...
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
As a result, "initrc_t" and "unconfined_service_t" services are able to write to /etc/shadow and other sensitive files without any restriction:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch -A -s initrc_t -t shadow_t -c file -p write
allow files_unconfined_type file_type:file { append audit_access create execute execute_no_trans getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto rename setattr swapon unlink write };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
IMHO this is not good. There should be transitions to avoid running "somehow unconfined" when calling these binaries.
Version-Release number of selected component (if applicable):
selinux-policy, including the Fedora 36 one
How reproducible:
Always
Steps to Reproduce:
1. Create a testuser
- useradd testuser
2. Strace systemd
- strace -fttTvyy --secontext -s 128 -o passwd.strace -p 1
3. Change its password from a service running unconfined_service_t or initrc_t
- systemd-run --unit passwd_initrc.service /bin/sh -c "echo testuser:redhat | chpasswd"
- echo -e '#!/bin/sh\necho testuser:redhat | chpasswd' > /usr/local/bin/testscript
- chmod +x /usr/local/bin/testscript
- systemd-run --unit passwd_unconfined_service.service /usr/local/bin/testscript
Actual results:
"chpasswd" runs as "initrc_t" or "unconfined_service_t":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# grep "/etc/shadow" passwd.strace | grep write
...
2844 [initrc_t] 12:23:42.616402 write(7</etc/shadow+> [shadow_t], "root:notsecret::0:99999:7:::\nbi"..., 2102) = 2102 <0.000013>
...
3003 [unconfined_service_t] 12:26:08.683463 write(7</etc/shadow+> [shadow_t], "root:notsecret::0:99999:7:::\nbi"..., 2099) = 2099 <0.000013>
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Expected results:
Executing as "passwd_t"
Is cloned by: RHEL-17404 passwd and chpasswd (passwd_exec_t) should always run confined as "passwd_t" (Closed)
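The grep under "Actual results", turned into a reusable check (an added example, not part of the original report): it parses `strace --secontext` lines in the format shown there and lists writes to `shadow_t` files made from any domain other than `passwd_t`. The function names and sample lines are constructed for illustration, and the handling of full `user:role:type:level` contexts is an assumption for traces recorded that way.

```python
import re

# PID [process context] timestamp syscall(fd</path> [file context], ...
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+\[(?P<proc>[^\]]+)\]\s+\S+\s+"
    r"(?P<syscall>\w+)\(\d+<(?P<path>[^>]*)>\s+\[(?P<target>[^\]]+)\]"
)
WRITE_SYSCALLS = {"write", "pwrite64", "writev", "pwritev", "pwritev2"}


def selinux_type(context):
    """Return the type from 'type_t' or 'user:role:type:level'."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else fields[0]


def unexpected_shadow_writers(lines, expected="passwd_t", target="shadow_t"):
    """Return (pid, domain, path) for writes to `target` files made
    by a process whose domain is not `expected`."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["syscall"] not in WRITE_SYSCALLS:
            continue
        if selinux_type(m["target"]) != target:
            continue
        domain = selinux_type(m["proc"])
        if domain != expected:
            findings.append((int(m["pid"]), domain, m["path"]))
    return findings


# Constructed sample modelled on the excerpt above (payloads shortened).
SAMPLE = [
    '2844 [initrc_t] 12:23:42.616402 write(7</etc/shadow+> [shadow_t], "..."..., 2102) = 2102 <0.000013>',
    '3003 [unconfined_service_t] 12:26:08.683463 write(7</etc/shadow+> [shadow_t], "..."..., 2099) = 2099 <0.000013>',
    '3100 [passwd_t] 12:27:00.000001 write(7</etc/shadow+> [shadow_t], "..."..., 2099) = 2099 <0.000013>',
    '3101 [initrc_t] 12:27:01.000001 read(5</etc/shadow> [shadow_t], "..."..., 4096) = 2099 <0.000010>',
    '3102 [system_u:system_r:initrc_t:s0] 12:27:02.000001 write(7</etc/shadow+> [system_u:object_r:shadow_t:s0], "..."..., 2099) = 2099 <0.000013>',
]

if __name__ == "__main__":
    for pid, domain, path in unexpected_shadow_writers(SAMPLE):
        print(f"pid {pid}: {domain} wrote to {path}")
```

Matching on the file's `shadow_t` label rather than its path also catches the temporary `/etc/shadow+` file that chpasswd writes in the trace above.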