Description of problem:
guest_t can run sudo (probably user_t and xguest_t domains as well?)

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-201.fc25.noarch

How reproducible:
100%

Steps to Reproduce:
1. useradd -Z guest_u joe_guest && echo redhat | passwd --stdin joe_guest
2. visudo and add line 'joe_guest ALL=(ALL) ALL'
3. ssh login as joe_guest
4. id -Z
   guest_u:guest_r:guest_t:s0
5. $ head -5 /etc/shadow
   head: cannot open '/etc/shadow' for reading: Permission denied

Actual results:
$ sudo head -5 /etc/shadow
root:$6$2CPWYCgI.ogFQ232$BbM1Qox9zCHT9IjOU.zCHDtIrnqAqJZzlRvyZWaOntOU6ZvwKlj5kw6O1CGcb5w7q1a5oUSMC8uvmxHf4TwGl/::0:99999:7:::
bin:*:16853:0:99999:7:::
daemon:*:16853:0:99999:7:::
adm:*:16853:0:99999:7:::
lp:*:16853:0:99999:7:::

Expected results:
$ sudo head -5 /etc/shadow
sudo: unable to stat /var/db/sudo: Permission denied
...
[sudo] password for joe_guest:
head: cannot open `/etc/shadow' for reading: Permission denied

Additional info:
Table 3.1. SELinux User Capabilities http://bit.ly/29xrtmT
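An added example, not part of the bug report or of the Fedora packages: a shell check that lists logins mapped to a confined SELinux user which also have a direct entry in sudoers, as joe_guest does in the reproduction steps above. It reads saved `semanage login -l` output and a sudoers file; the function names, the `CONFINED_USERS` variable, its default set of SELinux users and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag confined SELinux logins that have a sudoers user entry.
# confined_sudoers LOGIN_MAP SUDOERS
#   LOGIN_MAP: saved output of `semanage login -l`
#   SUDOERS:   a sudoers file; only plain "user host=(runas) cmd" lines are
#              checked. Groups, aliases and included files are not resolved.
confined_sudoers() {
    awk -v users="${CONFINED_USERS:-guest_u xguest_u user_u}" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        # First file: remember logins mapped to a confined SELinux user.
        FILENAME == ARGV[1] { if ($2 in want) confined[$1] = $2; next }
        # Second file: skip comments, blank lines, Defaults, aliases, groups.
        /^[ \t]*#/ { next }
        NF == 0 { next }
        $1 ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        $1 ~ /^%/ { next }
        # Report each confined login once, with its SELinux user.
        ($1 in confined) && !seen[$1]++ { print $1, confined[$1] }
    ' "$1" "$2"
}

# Constructed sample data modelled on the steps in the report.
confined_sudoers_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/logins" <<'EOF'
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
joe_guest            guest_u              s0                   *
kiosk                xguest_u             s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
EOF
    cat > "$tmp/sudoers" <<'EOF'
Defaults   !visiblepw
root       ALL=(ALL) ALL
%wheel     ALL=(ALL) ALL
joe_guest  ALL=(ALL) ALL
EOF
    confined_sudoers "$tmp/logins" "$tmp/sudoers"
    rm -rf "$tmp"
}

confined_sudoers_demo
```

On a live system the two inputs would be the saved output of `semanage login -l` and `/etc/sudoers`; a hit means the account relies on SELinux policy alone to block sudo.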
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
openssh-7.2p2-11.fc24 selinux-policy-3.13.1-191.8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab
openssh-7.2p2-5.fc23 selinux-policy-3.13.1-158.22.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-9402100276
openssh-7.2p2-5.fc23, selinux-policy-3.13.1-158.22.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-9402100276
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-99191c4aab
openssh-7.2p2-11.fc24, selinux-policy-3.13.1-191.8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
This should go to the sshd_t: https://github.com/fedora-selinux/selinux-policy/commit/ca094ff25a544b684b05aece35a03e132f4c7e1c
This issue is fixed in the current openssh and selinux-policy packages.