| Summary: | Don't allow staff_u confined users to unconfine themselves via sudo | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daniel Kopeček <dkopecek> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-09-27 12:54:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
If I want to prevent a user from becoming the admin, you should make him the user_u user. Being able to change the login type of SELinux is the least of your problems when setting up a user as staff_u, and allowing full access to root via sudo. Simplest thing to do is setenforce 0. |
Steps to reproduce: 1. $ id -Z uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=staff_u:staff_r:staff_t:s0 2. $ sudo -t sysadm_t -r sysadm_r semanage login -m -s unconfined_u user 3. login again 4. $ id -Z uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0 Note that user has to be able to run semanage via sudo. This is possible by default for any user marked as "Administrator" (wheel group member) during installation.