RHEL / RHEL-63086

[RFE] Create boolean to allow selinux staff_t users to use "su"

    • Bug
    • Resolution: Won't Do
    • rhel-9.4
    • selinux-policy
    • Moderate
    • rhel-sst-security-selinux
    • ssg_security

      Proposed title of this feature request 

      Request to add an selinux boolean to allow users mapped to staff_u role to be able to execute "su". 

      What is the nature and description of the request?

      Confined users with staff_u context should be able to execute "su" to log in as other user accounts that they manage.

      Why does the customer need this? (List the business requirements here)

      There is an inconsistency between SELinux policy and the purpose/intent/history of the su program. This can be seen in the manual page for su, which says "su is mostly designed for unprivileged users".

      Using SSH instead of su is an inadequate workaround.  From an audit perspective, use of su is preferable, because the logs clearly show escalation, and include both accounts.

      Restricting access to su means we cannot make use of the PAM stack and /etc/pam.d/su.   This means we cannot take advantage of solutions like https://access.redhat.com/solutions/64860.

      We're left to choose between forgoing SELinux roles entirely (and being unable to satisfy V-254520) or granting the sysadm role to accounts that shouldn't have it.

       
      We expect our system administrators to be able to SSH into a system using their non-admin account (with the staff_u role), then run su to switch to their admin account (with the sysadm_u role).

      We expect our privileged users to be able to SSH into a system using their non-admin account (with the staff_u role), then run su to switch to their privileged user account (with another role like dbadm_r or webadm_r).

      This configuration would be consistent with RHEL 8 STIG rule V-254520 (which requires non-admin accounts to have the user_u role, while administrative users have the staff_r or sysadm_r role).

      This expected behavior is blocked by the portion of the selinux policy that restricts use of su to the sysadm_u role.  

      How would the customer like to achieve this? (List the functional requirements here)

      Add an selinux boolean to enable "su" access for staff_u users.

      For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

      When the boolean is enabled, we should be able to test the functionality by creating a user mapped to the staff_u context and then execute "su" to log in as another user with that user's password.

      Is there already an existing RFE upstream or in Red Hat Bugzilla?

      No

      Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

      RHEL 9

      Is the sales team involved in this request and do they have any additional input?

      No

      List any affected packages or components.

      policycoreutils-python-utils
      selinux-policy

      Would the customer be able to assist in testing this functionality if implemented?

      Yes

              rhn-support-zpytela Zdenek Pytela
              rhn-support-lagordon Kaitlin Gordon
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE