Bug 2230857

Summary: MLS: logging in through ssh as root ends up being "staff_t" instead of "sysadm_t"
Product: Red Hat Enterprise Linux 9
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Nikola Knazekova <nknazeko>
Status: NEW
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 9.2
CC: lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---

Description Renaud Métrich 2023-08-10 07:40:01 UTC
Description of problem:

On my freshly set up MLS system, I can see that logging in as root through ssh ends up getting "staff_t" context:
~~~
-bash: /root/.bash_profile: Permission denied
[root@vm-mls9 ~]# id -Z
root:staff_r:staff_t:s0-s15:c0.c1023
~~~

Version-Release number of selected component (if applicable):

selinux-policy-mls-38.1.11-2.el9_2.3.noarch

How reproducible:

Always

Additional info:

Our doc [1] states the context should be sysadm_t (hence we cannot log in without the boolean), but apparently there is some bug here.

~~~
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/using_selinux/using-multi-level-security-mls_using-selinux#switching-the-selinux-policy-to-mls_using-multi-level-security-mls

Important note:
[...]
Also note that in MLS, SSH logins as the root user mapped to the sysadm_r SELinux role differ from logging in as root in staff_r.
~~~

Comment 1 Renaud Métrich 2023-08-11 06:28:10 UTC
The root cause is the below line in /etc/selinux/mls/contexts/users/root:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

I think this is nonsense, because logging in as root with the default staff_t context makes the root user become unusable.

Anyway, either the documentation of this line has to be modified.
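To make the mechanism behind Comment 1 concrete, here is an added example (not part of the bug report, and not code from selinux-policy or libselinux). It is a simplified shell model of how the login context is chosen: the per-user file contexts/users/<name> is consulted first, then contexts/default_contexts; the first non-comment line whose first field equals the caller's context (here system_r:sshd_t:s0) is used, and the first listed target whose role the SELinux user may hold wins. The file contents, the default_contexts line and the set of roles granted to the root SELinux user are all constructed for the example, and the real lookup (get_ordered_context_list) also consults seusers and the policy, which this model does not.

```shell
#!/bin/sh
# Added example: a simplified model of the SELinux default-context lookup.
# ASSUMPTIONS (not from the report): first matching non-comment line wins,
# and the first listed target whose role is allowed for the user is chosen.

# Constructed copy of /etc/selinux/mls/contexts/users/root as shipped,
# with the sshd_t line commented out (the situation in Comment 1).
USERS_ROOT_COMMENTED='#
# Uncomment if you want to automatically login as sysadm_r
#
#system_r:sshd_t:s0   unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
'

# Same file with the line uncommented.
USERS_ROOT_UNCOMMENTED='system_r:sshd_t:s0   unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
'

# Constructed fallback entry standing in for contexts/default_contexts;
# staff_r listed first is an assumption that reproduces the observed result.
DEFAULT_CONTEXTS='system_r:sshd_t:s0   staff_r:staff_t:s0 user_r:user_t:s0 sysadm_r:sysadm_t:s0
'

# Assumed roles of the root SELinux user under MLS (no unconfined_r).
ROOT_ROLES='staff_r sysadm_r secadm_r auditadm_r'

# lookup SOURCE FILE_CONTENT ALLOWED_ROLES
# Prints the first target context on the first matching non-comment line
# whose role is in ALLOWED_ROLES; prints nothing if no line or role matches.
lookup() {
    printf '%s' "$2" | awk -v src="$1" -v roles="$3" '
        BEGIN { n = split(roles, r, " "); for (i = 1; i <= n; i++) allowed[r[i]] = 1 }
        /^[ \t]*#/ { next }                       # skip comment lines
        NF >= 2 && $1 == src {
            for (i = 2; i <= NF; i++) {           # targets in listed order
                split($i, f, ":")                 # f[1] is the role
                if (f[1] in allowed) { print $i; exit }
            }
            exit                                  # matched line, no usable role
        }'
}

# resolve SOURCE PER_USER_CONTENT DEFAULT_CONTENT ALLOWED_ROLES
# Per-user file first, then default_contexts, as contexts/users/<name>
# overrides the global file.
resolve() {
    ctx=$(lookup "$1" "$2" "$4")
    [ -n "$ctx" ] || ctx=$(lookup "$1" "$3" "$4")
    printf '%s\n' "$ctx"
}

# Shipped file: the sshd_t line is a comment, so the fallback decides
# and root lands in staff_r:staff_t:s0.
resolve system_r:sshd_t:s0 "$USERS_ROOT_COMMENTED" "$DEFAULT_CONTEXTS" "$ROOT_ROLES"

# Uncommented: unconfined_r is listed first but is not a root role,
# so sysadm_r:sysadm_t:s0 is chosen.
resolve system_r:sshd_t:s0 "$USERS_ROOT_UNCOMMENTED" "$DEFAULT_CONTEXTS" "$ROOT_ROLES"
```

Running the script prints staff_r:staff_t:s0 for the shipped file and sysadm_r:sysadm_t:s0 once the line is uncommented, which is why the header comment in the file talks about "automatically login as sysadm_r" even though unconfined_r is the first entry on that line. On a real system the authoritative answer comes from `getdefaultcon -l root system_r:sshd_t:s0` (or `getseuser root system_r:sshd_t:s0`), which applies the full role and seusers checks this model omits.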