Bug 1965265

Summary: Confined sysadm_u user cannot switch to unconfined_r role
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Patrik Koncity <pkoncity>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 8.4
CC: lvrabec, miturria, mmalik, pkoncity, plautrba, ssekidde, wdh, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-06-14 11:36:07 UTC
Type: Bug
Bug Blocks: 1778780

Description Renaud Métrich 2021-05-27 10:07:01 UTC
Description of problem:

Even though the allowed roles for sysadm_u user are sysadm_r and unconfined_r, there is no rule in the policy to allow switching to unconfined_r, which is mandatory to be able to administer a system (see BZ #1965251 in particular):

# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r unconfined_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r


# sesearch --role_allow | grep unconfined_r
allow staff_r unconfined_r;
allow system_r unconfined_r;
allow system_r unconfined_r;
allow system_r unconfined_r;
allow unconfined_r system_r;

Additionally staff_r can, but sysadm_r cannot, which seems nonsense to me.


On systems with all users confined, and root account disabled, sysadm_u must be able to become unconfined if necessary.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-67.el8.noarch


How reproducible:

N/A

Comment 1 Patrik Koncity 2021-06-07 10:57:17 UTC
Hi Renaud,

Do you really use RHEL-8.4.0?

I have shown the list of confined users with roles and levels for each SELinux user and I didn't find that sysadm_u should have the unconfined_r role enabled.

[root@ci-vm-10-0-136-216 ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

I have used a machine with RHEL-8.4.0-released.

Comment 2 Renaud Métrich 2021-06-07 11:07:29 UTC
Indeed, on a freshly installed 8.4.0 there is no unconfined_r role for sysadm_u, I must have used a modified system, sorry for that.
Anyway for now, due to BZ #1965251 and others, this role is required for sysadm_u, otherwise administration is not possible at all.

Comment 3 Patrik Koncity 2021-06-14 11:36:07 UTC
Hi Renaud,

I have investigated why sysadm_u cannot switch to the unconfined_r role and I find that sysadm_u was designed for similar functions as root, so it's nonsense to allow switching from sysadm_u to unconfined_r.

But for you I describe how you can allow switching from sysadm_u to unconfined_r.

First of all you need to have selinux-policy-devel installed.

# dnf install selinux-policy-devel

Steps to allow switching from sysadm_u to unconfined_r:


# semanage user -m -R "sysadm_r unconfined_r" sysadm_u

Then you need to create a local.te file.
Copy and paste this into the local.te file:


policy_module(local, 1.0)

require {
        role unconfined_r;
        role sysadm_r;
};

unconfined_role_change(sysadm_r)



Then you need to compile the .te file this way:

$ make -f /usr/share/selinux/devel/Makefile local.pp

and then load this new module to policy.

$ semodule -i local.pp


Now you should be able to switch users for example via newrole.

Also, regarding BZ #1965251 that you mentioned, we will try to make a proper fix, without switching to unconfined_r.

Regards,
Patrik.
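An added check, not part of the bug report or of selinux-policy, covering the mismatch shown in the description (a user assigned a role that no `allow ROLE ROLE;` rule lets it switch into) and the local.pp module from comment 3: it parses `semanage user -l` and `sesearch --role_allow` output and reports SELinux users that cannot reach one of their own roles. The sample output is constructed from the report's quoted output, and the function names are my own.

```python
import re

# Constructed sample input, modelled on the `semanage user -l` and `sesearch --role_allow`
# output quoted in the report (sysadm_u lists unconfined_r, but no allow rule reaches it).
SEMANAGE_USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
"""
SESEARCH_ROLE_ALLOW = """\
allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow system_r unconfined_r;
allow unconfined_r system_r;
"""
ROLE_ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*;")

def parse_semanage_users(text):
    """Return {selinux_user: set(roles)} from the `semanage user -l` table."""
    users = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: user, prefix, level, range, then one or more *_r roles.
        if len(fields) >= 5 and all(r.endswith("_r") for r in fields[4:]):
            users[fields[0]] = set(fields[4:])
    return users

def parse_role_allow(text):
    """Return the set of (from_role, to_role) pairs the policy allows."""
    return {m.groups() for m in map(ROLE_ALLOW_RE.match, text.splitlines()) if m}

def can_switch(users, allowed, user, from_role, to_role):
    """newrole-style check: the user must be authorised for both roles and the
    policy must carry an `allow from_role to_role;` rule."""
    return {from_role, to_role} <= users.get(user, set()) and (from_role, to_role) in allowed

def users_unable_to_reach(users, allowed, target):
    """Users assigned `target` but with no other assigned role allowed to switch into it."""
    return sorted(user for user, roles in users.items()
                  if target in roles
                  and not any((r, target) in allowed for r in roles - {target}))

if __name__ == "__main__":
    users = parse_semanage_users(SEMANAGE_USER_L)
    allowed = parse_role_allow(SESEARCH_ROLE_ALLOW)
    for user in users_unable_to_reach(users, allowed, "unconfined_r"):
        print(f"{user}: unconfined_r is assigned but no role_allow rule reaches it")
```

On a real system, feed it the live command output before and after `semodule -i local.pp`; the module from comment 3 adds exactly the `allow sysadm_r unconfined_r;` pair that makes sysadm_u drop out of the report.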

Comment 4 Markus Iturriaga 2021-06-14 13:33:46 UTC
(In reply to Patrik Koncity from comment #3)
> Hi Renaud,
> 
> I have investigated why sysadm_u cannot switch to the unconfined_r role and I
> find that sysadm_u was designed for similar functions as root, so it's
> nonsense to allow switching from sysadm_u to unconfined_r.
> 

Hi Patrik - The sysadm_r role cannot do some of the more basic system administration tasks via sudo. Also, it is possible for staff_u to transition to unconfined_r but not for sysadm_u. That does not seem correct since staff_u is supposed to have fewer privileges, not more. As I remarked in BZ #1919122, you can run *some* commands if you're in a root shell (via sudo -i) but there are many others that sysadm_u simply cannot run. The only SELinux user that can run these appears to be unconfined_u:

RH8.4:root:com1980 ~> id -Z
sysadm_u:sysadm_r:sysadm_t:s0

RH8.4:root:com1980 ~> gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.3

Problem opening /dev/sda for reading! Error is 13.
You must run this program as root or use sudo!


Interesting side note: The STIG for RHEL7 requires that all system administrators be mapped to sysadm_u or staff_u (https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-01-02/finding/V-71971) but I did not find the same requirement in the STIG for RHEL8 (https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/). 

So, is the "solution" to map system administrators to staff_u (which, incomprehensibly *can* transition) or directly to unconfined_u? 

Thanks!

Comment 5 Patrik Koncity 2021-06-14 14:21:39 UTC
Hi Markus,

we know about that and we are in progress to allow all necessary commands for sysadm_u. Allowing the switch from sysadm_u to unconfined_r is only a hot fix.

Patrik