Bug 1840851

Summary: Secure_mode boolean allows staff SELinux user switch to unconfined
Product: [Fedora] Fedora
Reporter: Nikola Knazekova <nknazeko>
Component: selinux-policy
Assignee: Patrik Koncity <pkoncity>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 33
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, mtasaka, pkoncity, plautrba, rmetrich, vmojzis, zpytela
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-10-14 09:32:04 UTC
Type: Bug

Description Nikola Knazekova 2020-05-27 17:32:23 UTC
Description of problem:
The secure_mode boolean should prevent confined users from transitioning to the sysadm domain or switching to the root user (switching to a privileged role).

Description of the secure_mode boolean:
if secure mode is enabled, then newrole can only transition to unprivileged users

But the unconfined user is also declared among the unprivileged users:

$ seinfo -xaunpriv_userdomain

Type Attributes: 1
   attribute unpriv_userdomain;
	guest_t
	staff_t
	staff_wine_t
	unconfined_t
	user_t
	user_wine_t
	xguest_t

When the secure_mode boolean is enabled, user staff_u cannot switch to the sysadm domain, but they can switch to the unconfined domain and do privileged (admin) operations.

This transition operation should NOT be allowed when secure_mode boolean is enabled:
staff_u:staff_r 🡒 staff_u:unconfined_r 

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-31.fc32.noarch

How reproducible:

Always

Steps to Reproduce:
1. Enable secure_mode boolean
2. Log in as SELinux user staff_u
3. Switch with newrole to unconfined_r

Actual results:
SELinux user staff can switch to unconfined domain

Expected results:
SELinux user staff cannot switch to unconfined domain

Additional info:
Proposed fix: remove unconfined_t from unpriv_user_domain.
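
A check for the condition this report describes, as an added example that is not part of the original report or of the selinux-policy project: it parses `seinfo` attribute output and reports any privileged domain that is a member of `unpriv_userdomain`. The `FORBIDDEN` list, the function names and the "after" sample are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the seinfo output quoted in the report above.
SAMPLE_BEFORE='Type Attributes: 1
   attribute unpriv_userdomain;
      guest_t
      staff_t
      staff_wine_t
      unconfined_t
      user_t
      user_wine_t
      xguest_t'

# Constructed sample: the same output with the proposed fix applied.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | grep -v 'unconfined_t')

# Domains that must not count as "unprivileged" (assumption for this check).
FORBIDDEN="unconfined_t sysadm_t"

# attr_members: read seinfo attribute output on stdin, print one member per line.
attr_members() {
    awk '
        $1 == "attribute" { seen = 1; next }   # header line: "attribute NAME;"
        seen && NF == 1 && $1 ~ /^[A-Za-z0-9_]+$/ { print $1 }
    '
}

# offending_types TEXT: print the forbidden types found, space separated.
offending_types() {
    members=$(printf '%s\n' "$1" | attr_members)
    found=""
    for t in $FORBIDDEN; do
        if printf '%s\n' "$members" | grep -qx "$t"; then
            found="${found:+$found }$t"
        fi
    done
    printf '%s' "$found"
}

# On a live system, pass real output instead of the sample:
#   offending_types "$(seinfo -xaunpriv_userdomain)"
bad=$(offending_types "$SAMPLE_BEFORE")
if [ -n "$bad" ]; then
    echo "unpriv_userdomain contains privileged domain(s): $bad"
fi
```

An empty result means newrole under secure_mode has no privileged domain to reach through this attribute; checking `getsebool secure_mode` alongside it confirms the boolean is actually on.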

Comment 1 Ben Cotton 2020-08-11 15:32:13 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle.
Changing version to 33.

Comment 2 Patrik Koncity 2020-09-04 10:09:41 UTC
PR: https://github.com/fedora-selinux/selinux-policy/pull/427

Comment 3 Zdenek Pytela 2020-10-01 15:02:06 UTC
Backported to f33:
https://github.com/fedora-selinux/selinux-policy/pull/451

Comment 4 Zdenek Pytela 2020-10-15 19:37:09 UTC
Please refer to
https://bugzilla.redhat.com/show_bug.cgi?id=1886196

for the latest report.

Comment 5 Patrik Koncity 2020-11-05 10:40:00 UTC
New PR: https://github.com/fedora-selinux/selinux-policy/pull/463

Comment 6 Zdenek Pytela 2021-07-13 16:17:46 UTC
Merged in rawhide and submitted for F33:
https://github.com/fedora-selinux/selinux-policy/pull/803