Bug 1376826 - guest_t can run sudo
Summary: guest_t can run sudo
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Version: 6.8
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Jakub Jelen
QA Contact: Stefan Dordevic
URL:
Whiteboard:
Depends On: 1356245 1357857 1357859 1357860
Blocks: 1378463
TreeView+ depends on / blocked
 
Reported: 2016-09-16 14:03 UTC by Stefan Kremen
Modified: 2019-12-16 06:47 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1357859
: 1378463 (view as bug list)
Environment:
Last Closed: 2016-11-02 12:00:55 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Comment 7 Jakub Jelen 2016-09-29 08:34:33 UTC 
The main concern in this bug is that confined user guest_t have setuid and setgid SELinux capabilities, which can be "misused" by sudo (or other tools?).

Generally, for running sudo, there are needed underlying Linux capabilities, access to other files and finally being in the sudoers file. The consequence of fixing this bug is mostly hardening SELinux policy, based on the original report. I also asked Miroslav to confirm this explanation and add if I missed something.
Comment 8 Lukas Vrabec 2016-09-29 14:10:29 UTC 
Jakub is right. We should fix this in RHEL-6.
Comment 10 Jakub Jelen 2016-11-02 12:00:55 UTC 
Based on our meeting with Lukas yesterday, we decided to fix this bug only in selinux-policy and therefore this is not bug in OpenSSH.

The openssh in RHEL6 is using special selinux user chroot_user_t which has the permissions to chroot, setuid and setgit permissions.
On the other hand the guest_t users do not need the setuid and setgit permissions, therefore they will be removed based on the selinux-policy bug.
Note You need to log in before you can comment on or make changes to this bug.