Bug 1947841
Summary: | Secure_mode boolean allows staff SELinux user switch to unconfined | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> | |
Component: | selinux-policy | Assignee: | Patrik Koncity <pkoncity> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | medium | Docs Contact: | Khushbu Borole <kborole> | |
Priority: | high | |||
Version: | 8.3 | CC: | kborole, lvrabec, mjahoda, mmalik, pkoncity, plautrba, ssekidde, wdh, zpytela | |
Target Milestone: | rc | Keywords: | Triaged | |
Target Release: | 8.5 | Flags: | kborole:
needinfo-
|
|
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.14.3-74.el8 | Doc Type: | Bug Fix | |
Doc Text: |
.SELinux policy now prevents `staff_u` users from switching to `unconfined_r`
Previously, when the `secure_mode` boolean was enabled, `staff_u` users could incorrectly switch to the `unconfined_r` role. As a consequence, `staff_u` users could perform privileged operations affecting the security of the system. With this fix, SELinux policy prevents `staff_u` users from switching to the `unconfined_r` role using the `newrole` command. As a result, unprivileged users cannot run privileged operations.
|
Story Points: | --- | |
Clone Of: | ||||
: | 2021529 2022763 2076681 (view as bug list) | Environment: | ||
Last Closed: | 2021-11-09 19:43:05 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1778780, 2021529, 2022763, 2076681 |
Description
Renaud Métrich
2021-04-09 11:34:13 UTC
Yes of course, Zdenek we need add this PR to RHEL-8. PR: https://github.com/fedora-selinux/selinux-policy/pull/458/commits/f01a2ea9d11def18b671a5f76a52a3d17081e3b8 and merge and add this : https://github.com/fedora-selinux/selinux-policy/pull/463 which is new PR of reverted commit : https://github.com/fedora-selinux/selinux-policy/pull/459 Old commit to backport: commit 74aaf7b608f6cb8147a2bead99117a9ec131c057 Author: Patrik Koncity <pkoncity> Date: Fri Oct 16 15:37:30 2020 +0200 Allow transition from xdm domain to unconfined_t domain. After removing unconfined_t domain from unpriv_userdomain attribute (BG: https://bugzilla.redhat.com/show_bug.cgi?id=1840851), missed in policy transition from xdm_t to unconfined_t. Create interface unconfined_xsession_spec_domtrans(), which allow execute an Xserver session in unconfined_t domain. Use this interface in xdm_t policy to allow transition from xdm_t to unconfined_t. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1886196 Plus a new one: commit 4b4eec49a5540459b0e89eb2c4a776ee5e9a66ac (HEAD -> rawhide, upstream/rawhide) Author: Patrik Koncity <pkoncity> Date: Fri Oct 23 19:44:45 2020 +0200 Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template When is secure_mode boolean enabled the attribute unpriv_userdomain allow transition only between unprivileged users. But one member this attribute was unconfined_t domain, which had allow privilege operations. Solution was that from userdom_unpriv_type template was remove adding domains to attribute unpriv_userdomain. This template is used only for unconfined_t, so affected only uncofined domain. New PR of reverted commit: https://github.com/fedora-selinux/selinux-policy/pull/459#issuecomment-712374187 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1840851 When a staff_u user is logged in and the secure_mode boolean is enabled, the user cannot switch to unconfined_r. But the user can still log in via ssh and change the role this way: $ ssh staff-user/unconfined_r.137.32 staff-user/unconfined_r.137.32's password: Last login: Tue Jul 20 09:22:15 2021 from 10.40.193.84 [staff-user@ci-vm-10-0-137-32 ~]$ id -Z staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [staff-user@ci-vm-10-0-137-32 ~]$ getsebool secure_mode secure_mode --> on It looks like a fix showed up in CentOS Stream 8: rpm -q --changelog selinux-policy * Fri Jul 16 2021 Zdenek Pytela <zpytela> - 3.14.3-74 - Allow dyntransition from sshd_t to unconfined_t Resolves: rhbz#1947841 ... Using secure mode, this seems to work, becoming unconfined is not allowed. [pimpampet@stream8 ~]$ getsebool secure_mode secure_mode --> on [pimpampet@stream8 ~]$ id -Z staff_u:staff_r:staff_t:s0-s0:c0.c1023 [pimpampet@stream8 ~]$ newrole -r unconfined_r Password: failed to exec shell : Permission denied Turning off the secure_mode, becoming unconfined is allowd: [pimpampet@stream8 ~]$ getsebool secure_mode secure_mode --> off [pimpampet@stream8 ~]$ newrole -r unconfined_r Password: [pimpampet@stream8 ~]$ id -Z staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 However (after turning on secure_mode once again) there are still two other options to become unconfined, despite secure mode: sudo: [pimpampet@stream8 ~]$ getsebool secure_mode secure_mode --> on [pimpampet@stream8 ~]$ sudo -r unconfined_r -i [sudo] password for pimpampet: [root@stream8 ~]# id -Z staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 ssh-login: pimpampet/unconfined_r@someserver After login, the user is unconfined; despite secure_mode: [pimpampet@stream8 ~]$ getsebool secure_mode secure_mode --> on [pimpampet@stream8 ~]$ id -Z staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 The latter method even works, despite the boolean unconfined_login being off... Same bug, new bug, different bug...? I believe that the other ways (mentioned in comment#13 and comment#15) of becoming unconfined need to be addressed in a new bug, because it's already too late in the RHEL-8.5 testing phase. OK, newrole -r unconfined_r will no longer work. It works in CentOs Stream8 and will get to RHEL 8.5. Just confirmed it works in RHEL 8.5 Beta. But...: OK, this is very-very-very-very-premature; but trying Daily Builds CentOS Stream 9 (nine!) the fix is not available within the current build. Tested it, does not work. Checked the changelog, the fix is not there. :( Just a critical note... (did I mention this is just very premature...?) (In reply to W. de Heiden from comment #21) > OK, newrole -r unconfined_r will no longer work. It works in CentOs Stream8 > and will get to RHEL 8.5. Just confirmed it works in RHEL 8.5 Beta. But...: > > OK, this is very-very-very-very-premature; but trying Daily Builds CentOS > Stream 9 (nine!) the fix is not available within the current build. Tested > it, does not work. Checked the changelog, the fix is not there. :( > > Just a critical note... > > (did I mention this is just very premature...?) Thanks for spotting this. It took me some time to figure out what had happened: The initial fix was reverted and later fixed again in Fedora and backported to RHEL 8, but RHEL 9 detached from Fedora in the middle of the process. I'l clone this bz. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4420 |