Bug 1356245 - guest_t can run sudo
Summary: guest_t can run sudo
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1357857 1357859 1357860 1376826 1378463
Reported: 2016-07-13 19:39 UTC by Simon Sekidde
Modified: 2016-09-22 13:17 UTC (History)

Fixed In Version: selinux-policy-3.13.1-204.fc25 selinux-policy-3.13.1-191.8.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1357857 1357860 (view as bug list)
Environment:
Last Closed: 2016-08-31 08:05:19 UTC
Type: Bug
Embargoed:



Description Simon Sekidde 2016-07-13 19:39:11 UTC
Description of problem:

guest_t can run sudo (probably user_t and xguest_t domains as well?)

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-201.fc25.noarch

How reproducible:
100%

Steps to Reproduce:
1. useradd -Z guest_u joe_guest && echo redhat | passwd --stdin joe_guest
2. visudo and add line 'joe_guest ALL=(ALL)     ALL'
3. ssh login as joe_guest
4. id -Z
guest_u:guest_r:guest_t:s0
5. $ head -5 /etc/shadow
head: cannot open '/etc/shadow' for reading: Permission denied

Actual results:

$ sudo head -5 /etc/shadow
root:$6$2CPWYCgI.ogFQ232$BbM1Qox9zCHT9IjOU.zCHDtIrnqAqJZzlRvyZWaOntOU6ZvwKlj5kw6O1CGcb5w7q1a5oUSMC8uvmxHf4TwGl/::0:99999:7:::
bin:*:16853:0:99999:7:::
daemon:*:16853:0:99999:7:::
adm:*:16853:0:99999:7:::
lp:*:16853:0:99999:7:::

Expected results:

$ sudo head -5 /etc/shadow
sudo: unable to stat /var/db/sudo: Permission denied
...
[sudo] password for joe_guest:
head: cannot open `/etc/shadow' for reading: Permission denied

Additional info:

Table 3.1. SELinux User Capabilities
http://bit.ly/29xrtmT
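
A defender-side check for the behaviour this report describes, added here as an example and not part of the bug report or the selinux-policy project. It scans audit records and flags any successful sudo invocation whose caller context is one of the confined user domains named above (guest_t, plus the suspected user_t and xguest_t), and separately counts the AVC execute denials against sudo_exec_t that the expected result relies on. The record layouts are assumed from auditd and sudo (USER_CMD records carrying a subj= context and a cmd= value that sudo hex-encodes when it contains spaces); every sample line is constructed, not captured from the bug.

```python
"""Flag sudo use by confined SELinux user domains in audit records.

Added example; assumes auditd/sudo record layouts (USER_CMD with subj= and
cmd=, AVC with scontext=/tcontext=). Domains that are expected to use sudo
(staff_t, sysadm_t, unconfined_t) are deliberately not flagged.
"""
import re
import sys

# Domains the report says must not reach sudo: guest_t (confirmed) plus the
# user_t and xguest_t domains the reporter suspects.
CONFINED_USER_DOMAINS = {"guest_t", "xguest_t", "user_t"}

# Constructed records modelled on auditd/sudo output; not captures from the bug.
SAMPLE_AUDIT_LINES = [
    # sudo ran the command for a guest_t caller: the bug's "actual result"
    "type=USER_CMD msg=audit(1468438751.123:456): pid=2345 uid=1001 auid=1001 ses=3 "
    "subj=guest_u:guest_r:guest_t:s0 msg='cwd=\"/home/joe_guest\" "
    "cmd=68656164202D35202F6574632F736861646F77 exe=\"/usr/bin/sudo\" terminal=pts/0 res=success'",
    # staff_t is expected to use sudo, so this is not a finding
    "type=USER_CMD msg=audit(1468438760.000:460): pid=2400 uid=1002 auid=1002 ses=4 "
    "subj=staff_u:staff_r:staff_t:s0 msg='cwd=\"/root\" cmd=\"id\" exe=\"/usr/bin/sudo\" terminal=pts/1 res=success'",
    # after the fix: policy denies guest_t execute on sudo_exec_t, the expected result
    "type=AVC msg=audit(1468438770.000:470): avc:  denied  { execute } for  pid=2450 comm=\"bash\" "
    "name=\"sudo\" dev=\"dm-0\" ino=1234 scontext=guest_u:guest_r:guest_t:s0 "
    "tcontext=system_u:object_r:sudo_exec_t:s0 tclass=file permissive=0",
    # a sudo attempt from guest_t that did not run: not a privilege gain
    "type=USER_CMD msg=audit(1468438780.000:480): pid=2500 uid=1001 auid=1001 ses=5 "
    "subj=guest_u:guest_r:guest_t:s0 msg='cwd=\"/home/joe_guest\" cmd=\"id\" exe=\"/usr/bin/sudo\" terminal=pts/0 res=failed'",
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_DENIED_EXEC_RE = re.compile(r"avc:\s+denied\s+\{[^}]*\bexecute\b[^}]*\}")


def parse_record(line):
    """Split one audit line into a dict of key=value fields (quotes stripped).

    The msg='...' wrapper around sudo's sub-fields is removed first so that
    cwd=, cmd= and res= are parsed as ordinary fields.
    """
    flat = line.replace("msg='", "").rstrip("'")
    return {key: value.strip('"') for key, value in FIELD_RE.findall(flat)}


def decode_cmd(raw):
    """sudo hex-encodes cmd= when the command contains spaces or quotes."""
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def domain_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def find_confined_sudo_use(lines):
    """One finding per USER_CMD record where a confined domain ran sudo.

    res=success is what sudo logs once the command actually ran, so a confined
    subj= there means the policy gap is live on this host.
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "USER_CMD" or rec.get("res") != "success":
            continue
        domain = domain_of(rec.get("subj", ""))
        if domain in CONFINED_USER_DOMAINS:
            findings.append({
                "domain": domain,
                "auid": rec.get("auid"),
                "cwd": rec.get("cwd"),
                "cmd": decode_cmd(rec.get("cmd", "")),
            })
    return findings


def count_sudo_denials(lines):
    """Count AVC execute denials on sudo_exec_t from confined domains.

    These are the healthy signal: with the fixed policy, the attempt in the
    report produces such a denial instead of a USER_CMD success.
    """
    count = 0
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "AVC" or not AVC_DENIED_EXEC_RE.search(line):
            continue
        if (domain_of(rec.get("scontext", "")) in CONFINED_USER_DOMAINS
                and domain_of(rec.get("tcontext", "")) == "sudo_exec_t"):
            count += 1
    return count


if __name__ == "__main__":
    # Optional argument: a file of raw audit records; otherwise the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_AUDIT_LINES
    for f in find_confined_sudo_use(lines):
        print(f"sudo ran for confined domain {f['domain']} (auid {f['auid']}): {f['cmd']}")
    print("sudo execute denials from confined domains:", count_sudo_denials(lines))
```

On a real host, feed it the output of `ausearch -m USER_CMD,AVC --raw` written to a file; a non-empty finding list reproduces the "actual results" above, while only execute denials against sudo_exec_t is the expected state after the fix.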

Comment 8 Jan Kurik 2016-07-26 04:38:23 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.

Comment 9 Fedora Update System 2016-07-27 10:38:39 UTC
openssh-7.2p2-11.fc24 selinux-policy-3.13.1-191.8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab

Comment 10 Fedora Update System 2016-07-27 12:06:38 UTC
openssh-7.2p2-5.fc23 selinux-policy-3.13.1-158.22.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9402100276

Comment 11 Fedora Update System 2016-07-28 04:17:25 UTC
openssh-7.2p2-5.fc23, selinux-policy-3.13.1-158.22.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9402100276

Comment 12 Fedora Update System 2016-07-28 05:58:39 UTC
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab

Comment 13 Fedora Update System 2016-08-01 16:24:19 UTC
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Lukas Vrabec 2016-08-31 08:05:19 UTC
This issue is fixed in the current openssh and selinux-policy packages.
