Bug 2023462

Summary: SELinux boolean secure_mode allows staaf SELinux users to unconfined
Product: Red Hat Enterprise Linux 9 Reporter: Amogh Kulkarni <amkulkar>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: high    
Version: 9.0CC: lvrabec, mmalik, ssekidde, wdh
Target Milestone: rcKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-16 07:35:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Amogh Kulkarni 2021-11-15 19:10:40 UTC 
Description of problem:
Secure_mode boolean should prevent confined users from transitioning to sysadm domain or switch to the root user (switch to privileged role). 

Created a brand new RHEL9 beta install.

Created a staff_u user pimpampet:

id -Z
staff_u:staff_r:staff_t:s0-s0:c0.c1023

getsebool secure_mode
secure_mode --> on

rpm -q selinux-policy
selinux-policy-34.1.16-1.el9_b.noarch

newrole -r unconfined_r
Password: 
[pimpampet@rhel9-beta ~]$ id -Z
staff_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(RHBA-2021:4420 will install selinux-policy 3.14.3-80; more recent than the one currently available in RHEL 9.0 beta)


Steps to Reproduce:
1. Enable secure_mode boolean
2. Login as SELinux user staff_u
3. Switch with newrole to unconfined_r

Actual results:
SELinux user staff can switch to unconfined domain

Expected results:
SELinux user staff cannot switch to unconfined domain

Additional info:
Proposed fix: remove unconfined_t from unpriv_user_domain.
Comment 1 Zdenek Pytela 2021-11-16 07:35:41 UTC 

*** This bug has been marked as a duplicate of bug 2021529 ***