Bug 1947841
| Summary: | Secure_mode boolean allows staff SELinux user switch to unconfined | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> | |
| Component: | selinux-policy | Assignee: | Patrik Koncity <pkoncity> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | Khushbu Borole <kborole> | |
| Priority: | high | |||
| Version: | 8.3 | CC: | kborole, lvrabec, mjahoda, mmalik, pkoncity, plautrba, ssekidde, wdh, zpytela | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 8.5 | Flags: | kborole: needinfo-, pm-rhel: mirror+ | |
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-3.14.3-74.el8 | Doc Type: | Bug Fix | |
| Doc Text: | SELinux policy now prevents `staff_u` users from switching to `unconfined_r`. Previously, when the `secure_mode` boolean was enabled, `staff_u` users could incorrectly switch to the `unconfined_r` role. As a consequence, `staff_u` users could perform privileged operations affecting the security of the system. With this fix, SELinux policy prevents `staff_u` users from switching to the `unconfined_r` role using the `newrole` command. As a result, unprivileged users cannot run privileged operations. | Story Points: | --- | |
| Clone Of: | ||||
| : | 2021529 2022763 2076681 | Environment: | ||
| Last Closed: | 2021-11-09 19:43:05 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1778780, 2021529, 2022763, 2076681 | |||
|
Description
Renaud Métrich
2021-04-09 11:34:13 UTC
Yes of course, Zdenek, we need to add this PR to RHEL-8.
PR: https://github.com/fedora-selinux/selinux-policy/pull/458/commits/f01a2ea9d11def18b671a5f76a52a3d17081e3b8
and merge and add this: https://github.com/fedora-selinux/selinux-policy/pull/463
which is the new PR of the reverted commit: https://github.com/fedora-selinux/selinux-policy/pull/459

Old commit to backport:
commit 74aaf7b608f6cb8147a2bead99117a9ec131c057
Author: Patrik Koncity <pkoncity>
Date: Fri Oct 16 15:37:30 2020 +0200

    Allow transition from xdm domain to unconfined_t domain.

    After removing the unconfined_t domain from the unpriv_userdomain
    attribute (BG: https://bugzilla.redhat.com/show_bug.cgi?id=1840851),
    the transition from xdm_t to unconfined_t was missing in the policy.
    Create interface unconfined_xsession_spec_domtrans(), which allows
    executing an Xserver session in the unconfined_t domain.
    Use this interface in xdm_t policy to allow transition from
    xdm_t to unconfined_t.

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1886196

Plus a new one:

commit 4b4eec49a5540459b0e89eb2c4a776ee5e9a66ac (HEAD -> rawhide, upstream/rawhide)
Author: Patrik Koncity <pkoncity>
Date: Fri Oct 23 19:44:45 2020 +0200

    Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template

    When the secure_mode boolean is enabled, the attribute unpriv_userdomain allows transition
    only between unprivileged users. But one member of this attribute was the unconfined_t
    domain, which was allowed privileged operations. The solution was to remove, from the
    userdom_unpriv_type template, the adding of domains to the attribute unpriv_userdomain.
    This template is used only for unconfined_t, so it affected only the unconfined domain.

    New PR of reverted commit:
    https://github.com/fedora-selinux/selinux-policy/pull/459#issuecomment-712374187

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1840851

When a staff_u user is logged in and the secure_mode boolean is enabled, the user cannot switch to unconfined_r. But the user can still log in via ssh and change the role this way:

$ ssh staff-user/unconfined_r.137.32
staff-user/unconfined_r.137.32's password:
Last login: Tue Jul 20 09:22:15 2021 from 10.40.193.84
[staff-user@ci-vm-10-0-137-32 ~]$ id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[staff-user@ci-vm-10-0-137-32 ~]$ getsebool secure_mode
secure_mode --> on

It looks like a fix showed up in CentOS Stream 8:

rpm -q --changelog selinux-policy
* Fri Jul 16 2021 Zdenek Pytela <zpytela> - 3.14.3-74
- Allow dyntransition from sshd_t to unconfined_t
Resolves: rhbz#1947841
...

Using secure mode, this seems to work, becoming unconfined is not allowed.

[pimpampet@stream8 ~]$ getsebool secure_mode
secure_mode --> on
[pimpampet@stream8 ~]$ id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023
[pimpampet@stream8 ~]$ newrole -r unconfined_r
Password:
failed to exec shell : Permission denied

Turning off the secure_mode, becoming unconfined is allowed:

[pimpampet@stream8 ~]$ getsebool secure_mode
secure_mode --> off
[pimpampet@stream8 ~]$ newrole -r unconfined_r
Password:
[pimpampet@stream8 ~]$ id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

However (after turning on secure_mode once again) there are still two other options to become unconfined, despite secure mode:

sudo:

[pimpampet@stream8 ~]$ getsebool secure_mode
secure_mode --> on
[pimpampet@stream8 ~]$ sudo -r unconfined_r -i
[sudo] password for pimpampet:
[root@stream8 ~]# id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

ssh-login:

pimpampet/unconfined_r@someserver

After login, the user is unconfined; despite secure_mode:

[pimpampet@stream8 ~]$ getsebool secure_mode
secure_mode --> on
[pimpampet@stream8 ~]$ id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The latter method even works, despite the boolean unconfined_login being off...

Same bug, new bug, different bug...?
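
The sessions quoted above reach the same end state (`staff_u:unconfined_r:unconfined_t` with `secure_mode --> on`) by three routes. As an added example, not part of the bug report or the selinux-policy project, this POSIX shell script flags that state from `getsebool secure_mode` and `id -Z` output and compares a package version with the Fixed In Version; the function names, login names and sample lines are constructed, and `sort -V` stands in for RPM's own version comparison.

```shell
#!/bin/sh
# Added example, not from the bug report. Flags staff_u sessions running in
# unconfined_r while secure_mode is on, whichever route (newrole, sudo -r,
# ssh user/role@host) produced them. Function names are hypothetical.

FIXED_POLICY="3.14.3-74"   # "Fixed In Version" on this bug, dist tag dropped

# classify_session "<getsebool secure_mode output>" "<id -Z output>"
# Prints VIOLATION, OK, or SKIP (boolean off, or not a staff_u context).
classify_session() {
    case $1 in
        "secure_mode --> on") ;;
        *) echo SKIP; return 0 ;;
    esac
    se_user=${2%%:*}            # context layout is user:role:type:range
    rest=${2#*:}
    se_role=${rest%%:*}
    if [ "$se_user" != "staff_u" ]; then echo SKIP
    elif [ "$se_role" = "unconfined_r" ]; then echo VIOLATION
    else echo OK
    fi
}

# policy_has_fix "<version-release>": exit 0 if at or above FIXED_POLICY.
# Assumption: GNU sort -V approximates RPM version ordering for this package.
# The thread notes this version closes the newrole route only.
policy_has_fix() {
    ver=${1%.el*}               # 3.14.3-74.el8 -> 3.14.3-74
    lowest=$(printf '%s\n%s\n' "$FIXED_POLICY" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_POLICY" ]
}

# audit_sessions "<getsebool output>": reads "login context" lines on stdin
# and prints the ones that violate secure_mode.
audit_sessions() {
    while read -r login context; do
        if [ "$(classify_session "$1" "$context")" = "VIOLATION" ]; then
            echo "$login $context"
        fi
    done
}

# Constructed sample, modelled on the contexts quoted in the thread.
SAMPLE='alice staff_u:staff_r:staff_t:s0-s0:c0.c1023
bob staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
carol unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

printf '%s\n' "$SAMPLE" | audit_sessions "secure_mode --> on"
```

Because the check looks at the resulting context rather than at how the role was obtained, it reports the `sudo -r` and ssh cases from the comment above as well as the `newrole` case.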

I believe that the other ways (mentioned in comment#13 and comment#15) of becoming unconfined need to be addressed in a new bug, because it's already too late in the RHEL-8.5 testing phase.

OK, newrole -r unconfined_r will no longer work. It works in CentOS Stream8 and will get to RHEL 8.5. Just confirmed it works in RHEL 8.5 Beta. But...:

OK, this is very-very-very-very-premature; but trying Daily Builds CentOS Stream 9 (nine!) the fix is not available within the current build. Tested it, does not work. Checked the changelog, the fix is not there. :(

Just a critical note...

(did I mention this is just very premature...?)

(In reply to W. de Heiden from comment #21)
> OK, newrole -r unconfined_r will no longer work. It works in CentOS Stream8
> and will get to RHEL 8.5. Just confirmed it works in RHEL 8.5 Beta. But...:
>
> OK, this is very-very-very-very-premature; but trying Daily Builds CentOS
> Stream 9 (nine!) the fix is not available within the current build. Tested
> it, does not work. Checked the changelog, the fix is not there. :(
>
> Just a critical note...
>
> (did I mention this is just very premature...?)

Thanks for spotting this. It took me some time to figure out what had happened: The initial fix was reverted and later fixed again in Fedora and backported to RHEL 8, but RHEL 9 detached from Fedora in the middle of the process. I'll clone this bz.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420