Bug 2053004
| Summary: | "unconfined_login" boolean doesn't seem to have any effect on users | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | NEW --- | QA Contact: | Amith <apeetham> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.5 | CC: | lvrabec, mmalik |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | Bug | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: The "unconfined_login" boolean is supposed to "allow users to login as an unconfined domain" (i.e. "unconfined_t"). Turning OFF this boolean doesn't seem to have any effect, at least on sshd: a user mapped to unconfined_u can still log in: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- $ ssh unconfined@vm-confined8 [unconfined@vm-confined8 ~]$ id -Z unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- The policy shows the following rules being added when "unconfined_login" is enabled: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- # sesearch -A -b unconfined_login allow unconfined_login_domain bin_t:dir { getattr ioctl lock open read search }; [ unconfined_login ]:True allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True allow unconfined_login_domain bin_t:dir { getattr open search }; [ unconfined_login ]:True allow unconfined_login_domain bin_t:lnk_file { getattr read }; [ unconfined_login ]:True allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True allow unconfined_login_domain unconfined_t:process transition; [ unconfined_login ]:True allow unconfined_t unconfined_login_domain:fd use; [ unconfined_login ]:True allow unconfined_t unconfined_login_domain:fifo_file { append getattr ioctl lock open read write }; [ unconfined_login ]:True allow unconfined_t unconfined_login_domain:process sigchld; [ unconfined_login ]:True # seinfo -a unconfined_login_domain -x Type Attributes: 1 attribute unconfined_login_domain; chroot_user_t crond_t local_login_t remote_login_t rshd_t sshd_t sulogin_t -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- From above, I'd expect when boolean is off, that shell services (e.g. sshd) cannot spawn a shell but ... there is an unconditional rule in the policy as well for sshd: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- # sesearch -A -s sshd_t -t shell_exec_t [...] allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; allow sshd_t shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ ssh_sysadm_login ]:True allow unconfined_login_domain shell_exec_t:file { execute execute_no_trans getattr ioctl map open read }; [ unconfined_login ]:True -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- Stracing sshd with "--secontext" option shows the context change for the sshd user happens without issue: -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- 39754 [sshd_t] 13:13:41.865154 write(12</proc/39754/task/39754/attr/current> [sshd_t], "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\0", 54) = 54 <0.000142> 39754 [unconfined_t] 13:13:41.865324 close(12</proc/39754/task/39754/attr/current> [unconfined_t]) = 0 <0.000004> -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- What's wrong? Version-Release number of selected component (if applicable): selinux-policy-3.14.3-80.el8_5.2.noarch How reproducible: Always Steps to Reproduce: 1. Map a user to "unconfined_u" # useradd -Z unconfined_u unconfined # echo "pass" | passwd --stdin unconfined 2. Disable the boolean # semanage boolean --modify --off unconfined_domain 3. Try ssh'ing # ssh unconfined@localhost Actual results: Works Expected results: Doesn't work