Description of problem:
The secure_mode boolean should prevent confined users from transitioning to the sysadm domain or switching to the root user (switching to a privileged role).

Description of the secure_mode boolean:
    if secure mode is enabled, then newrole can only transition to unprivileged users

But the unconfined user is also declared among the unprivileged users:

    $ seinfo -xaunpriv_userdomain

    Type Attributes: 1
       attribute unpriv_userdomain;
            guest_t
            staff_t
            staff_wine_t
            unconfined_t
            user_t
            user_wine_t
            xguest_t

When the secure_mode boolean is enabled, user staff_u cannot switch to the sysadm domain, but they can switch to the unconfined domain and do privileged (admin) operations.

This transition operation should NOT be allowed when the secure_mode boolean is enabled:

    staff_u:staff_r 🡒 staff_u:unconfined_r

Version-Release number of selected component (if applicable):
selinux-policy-3.14.5-31.fc32.noarch

How reproducible:
Always

Steps to Reproduce:
1. Enable secure_mode boolean
2. Login as SELinux user staff_u
3. Switch with newrole to unconfined_r

Actual results:
SELinux user staff can switch to unconfined domain

Expected results:
SELinux user staff cannot switch to unconfined domain

Additional info:
Proposed fix: remove unconfined_t from unpriv_user_domain.
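
A check for the condition this report describes, as an added example that is not part of the original report or of the selinux-policy project: it parses an attribute listing in the layout of the seinfo output quoted above and reports any privileged domain assigned to unpriv_userdomain. The function names, the PRIVILEGED_TYPES set and the "fixed" sample are assumptions made for illustration.

```python
import re

# Domains the report treats as privileged: sysadm_t (already blocked by
# secure_mode) and unconfined_t (the one the report says is still reachable).
PRIVILEGED_TYPES = {"sysadm_t", "unconfined_t"}

# Attribute listing as quoted in the report.
REPORTED = """Type Attributes: 1
   attribute unpriv_userdomain;
        guest_t
        staff_t
        staff_wine_t
        unconfined_t
        user_t
        user_wine_t
        xguest_t
"""
# Constructed sample: the same listing with the proposed fix applied.
FIXED = "\n".join(
    line for line in REPORTED.splitlines() if line.strip() != "unconfined_t"
)


def parse_attribute_members(seinfo_output):
    """Map each attribute in the listing to the types assigned to it."""
    members, current = {}, None
    # Split on whitespace and ';' so wrapped or flattened output parses too.
    tokens = iter(re.findall(r"[^\s;]+", seinfo_output))
    for tok in tokens:
        if tok == "attribute":
            current = next(tokens, None)
            if current is not None:
                members[current] = []
        elif current is not None and re.fullmatch(r"\w+_t", tok):
            members[current].append(tok)
    return members


def privileged_members(seinfo_output, attribute="unpriv_userdomain"):
    """Return privileged types found in the attribute; empty means clean."""
    types = parse_attribute_members(seinfo_output).get(attribute)
    if types is None:
        raise ValueError(f"attribute {attribute!r} not found in output")
    return sorted(PRIVILEGED_TYPES.intersection(types))


if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("fixed", FIXED)):
        print(label, privileged_members(text) or "no privileged types")
```

On a live system the same functions can be fed the captured output of the seinfo command shown in the report instead of the embedded samples.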
This bug appears to have been reported against 'rawhide' during the Fedora 33 development cycle. Changing version to 33.
PR: https://github.com/fedora-selinux/selinux-policy/pull/427
Backported to f33: https://github.com/fedora-selinux/selinux-policy/pull/451
Please refer to https://bugzilla.redhat.com/show_bug.cgi?id=1886196 for the latest report.
New PR: https://github.com/fedora-selinux/selinux-policy/pull/463
Merged in rawhide and submitted for F33: https://github.com/fedora-selinux/selinux-policy/pull/803