Bug 1356245

Summary: guest_t can run sudo
Product: Fedora
Reporter: Simon Sekidde <ssekidde>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 25
CC: dominick.grift, dwalsh, jjelen, lvrabec, mgrepl, plautrba, rvdwees
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-204.fc25 selinux-policy-3.13.1-191.8.fc24
Doc Type: If docs needed, set a value
Clones: 1357857 1357860
Last Closed: 2016-08-31 08:05:19 UTC
Type: Bug
Bug Blocks: 1357857, 1357859, 1357860, 1376826, 1378463

Description Simon Sekidde 2016-07-13 19:39:11 UTC
Description of problem:

guest_t can run sudo (probably user_t and xguest_t domains as well?)

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-201.fc25.noarch

How reproducible:
100%

Steps to Reproduce:
1. useradd -Z guest_u joe_guest && echo redhat | passwd --stdin joe_guest
2. visudo and add line 'joe_guest ALL=(ALL)     ALL'
3. ssh login as joe_guest
4. id -Z
guest_u:guest_r:guest_t:s0
5. $ head -5 /etc/shadow
head: cannot open '/etc/shadow' for reading: Permission denied

Actual results:

$ sudo head -5 /etc/shadow
root:$6$2CPWYCgI.ogFQ232$BbM1Qox9zCHT9IjOU.zCHDtIrnqAqJZzlRvyZWaOntOU6ZvwKlj5kw6O1CGcb5w7q1a5oUSMC8uvmxHf4TwGl/::0:99999:7:::
bin:*:16853:0:99999:7:::
daemon:*:16853:0:99999:7:::
adm:*:16853:0:99999:7:::
lp:*:16853:0:99999:7:::

Expected results:

$ sudo head -5 /etc/shadow
sudo: unable to stat /var/db/sudo: Permission denied
...
[sudo] password for joe_guest:
head: cannot open `/etc/shadow' for reading: Permission denied

Additional info:

Table 3.1. SELinux User Capabilities
http://bit.ly/29xrtmT
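As an added illustration (not part of this report, the update system or selinux-policy): a small POSIX shell helper that audits the loaded policy for the paths the reporter is worried about, an execute allow on sudo_exec_t or a domain transition into sudo_t for a confined login domain. The live check assumes setools' sesearch is installed; the rule lines used in the demonstration are constructed, not real policy output.

```shell
#!/bin/sh
# Policy audit helper added as an illustration; not part of this bug report
# or of selinux-policy. It answers the reporter's question for any login
# domain: does the policy give it a path to sudo?
#
# sudo_reachable RULES
#   RULES: rule lines in setools-4 sesearch syntax, already selected for one
#   source domain (e.g. `sesearch -A -T -s guest_t`). sesearch also returns
#   rules granted through attributes the domain belongs to, which is why the
#   source field is not re-checked here. Prints the matching rules and
#   returns 0 when the domain may execute sudo_exec_t or transition into
#   sudo_t, 1 otherwise.
sudo_reachable() {
    hits=$(printf '%s\n' "$1" | grep -E \
        -e '^allow [^ ]+ sudo_exec_t:file[^;]*[ {]execute[ ;}]' \
        -e '^type_transition [^ ]+ sudo_exec_t:process sudo_t;' || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# audit_domain DOMAIN: run the check against the loaded policy (needs
# setools' sesearch); returns sudo_reachable's status.
audit_domain() {
    sudo_reachable "$(sesearch -A -T -s "$1" -t sudo_exec_t 2>/dev/null)"
}

# Constructed sample lines (not real sesearch output): what an affected
# policy might print for guest_t, and what the expected policy prints
# for xguest_t.
GUEST_RULES='allow guest_t bin_t:file { execute getattr open read };
allow guest_t sudo_exec_t:file { execute getattr open read };
type_transition guest_t sudo_exec_t:process sudo_t;'
XGUEST_RULES='allow xguest_t bin_t:file { execute getattr open read };
allow xguest_t sudo_exec_t:file { getattr open read };'

printf 'guest_t: '
sudo_reachable "$GUEST_RULES" || echo 'sudo not reachable (ok)'
printf 'xguest_t: '
sudo_reachable "$XGUEST_RULES" || echo 'sudo not reachable (ok)'
```

On a live system, `audit_domain guest_t` should print nothing and return 1 once the fixed policy is loaded.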

Comment 8 Jan Kurik 2016-07-26 04:38:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 9 Fedora Update System 2016-07-27 10:38:39 UTC
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab

Comment 10 Fedora Update System 2016-07-27 12:06:38 UTC
openssh-7.2p2-5.fc23, selinux-policy-3.13.1-158.22.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9402100276

Comment 11 Fedora Update System 2016-07-28 04:17:25 UTC
openssh-7.2p2-5.fc23, selinux-policy-3.13.1-158.22.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9402100276

Comment 12 Fedora Update System 2016-07-28 05:58:39 UTC
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab

Comment 13 Fedora Update System 2016-08-01 16:24:19 UTC
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Lukas Vrabec 2016-08-31 08:05:19 UTC
This issue is fixed in the current openssh and selinux-policy packages.