Bug 1379669 - Don't allow staff_u confined users to unconfine themselves via sudo
Summary: Don't allow staff_u confined users to unconfine themselves via sudo
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-27 12:10 UTC by Daniel Kopeček
Modified: 2016-09-27 12:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-27 12:54:53 UTC
Type: Bug


Description Daniel Kopeček 2016-09-27 12:10:40 UTC
Steps to reproduce:

1.
$ id -Z
uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=staff_u:staff_r:staff_t:s0
2.
$ sudo -t sysadm_t -r sysadm_r semanage login -m -s unconfined_u user

3.
login again

4.
$ id -Z
uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0

Note that the user has to be able to run semanage via sudo. This is possible by default for any user marked as "Administrator" (wheel group member) during installation.

Comment 1 Daniel Walsh 2016-09-27 12:54:53 UTC
If you want to prevent a user from becoming the admin, you should make him the user_u user. Being able to change the login type of SELinux is the least of your problems when setting up a user as staff_u and allowing full access to root via sudo. The simplest thing to do is setenforce 0.
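An added audit helper, not code from the bug report or the selinux-policy project, for the combination both posts turn on: it takes the text of `semanage login -l` and the wheel entry from `getent group wheel`, lists the logins that are mapped to staff_u and can reach sudo as wheel members, and prints the `semanage login -m -s user_u` remap that Daniel Walsh's advice amounts to. The alice/bob/carol inputs are constructed; `%wheel`-style group entries in the login map are handled too.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or selinux-policy).
# Inputs: text of `semanage login -l` and the wheel line of `getent group wheel`.
# Output: one login per line that is mapped to staff_u AND is a wheel member,
# i.e. the combination the report relies on to self-remap to unconfined_u.

audit_staff_sudo() {
    logins=$1      # e.g. "$(semanage login -l)"
    wheel_line=$2  # e.g. "$(getent group wheel)"
    grp=$(printf '%s\n' "$wheel_line" | cut -d: -f1)
    members=$(printf '%s\n' "$wheel_line" | cut -d: -f4 | tr ',' ' ')
    printf '%s\n' "$logins" | awk -v members="$members" -v grp="$grp" '
        BEGIN { n = split(members, m, " "); for (i = 1; i <= n; i++) w[m[i]] = 1 }
        NF < 2 || $1 == "Login"      { next }        # skip blank line and header
        $2 != "staff_u"              { next }        # only staff_u mappings matter
        ($1 in w) || $1 == ("%" grp) { print $1 }    # wheel member, or the %wheel entry
    '
}

# Remediation in the direction the comment suggests: emit the semanage command
# that remaps each reported login to user_u (printed, not executed).
remap_to_user_u() {
    audit_staff_sudo "$1" "$2" | while read -r login; do
        printf 'semanage login -m -s user_u %s\n' "$login"
    done
}

# Constructed sample inputs (not from a real system): alice is staff_u and in
# wheel (flagged); bob is staff_u but not in wheel; carol is in wheel but user_u.
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
alice                staff_u              s0-s0:c0.c1023       *
bob                  staff_u              s0-s0:c0.c1023       *
carol                user_u               s0                   *'
SAMPLE_WHEEL='wheel:x:10:alice,carol'

audit_staff_sudo "$SAMPLE_LOGINS" "$SAMPLE_WHEEL"   # prints: alice
remap_to_user_u "$SAMPLE_LOGINS" "$SAMPLE_WHEEL"    # prints: semanage login -m -s user_u alice
```

On a live host run it as `audit_staff_sudo "$(semanage login -l)" "$(getent group wheel)"`; an empty result means no wheel member is currently mapped to staff_u.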

