1922450 – staff_u users can utilize newrole, resulting in ability to access su directly

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1922450 - staff_u users can utilize newrole, resulting in ability to access su directly

Summary: staff_u users can utilize newrole, resulting in ability to access su directly

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	8.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Zdenek Pytela
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1778780
TreeView+	depends on / blocked

Reported:	2021-01-29 18:35 UTC by Ryan Mullett
Modified:	2022-01-05 13:43 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-03-25 16:42:57 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Description Ryan Mullett 2021-01-29 18:35:04 UTC

Description of problem:
According to documentation here:

Using SELinux Red Hat Enterprise Linux 8 | Red Hat Customer Portal
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/using_selinux/index#managing-confined-and-unconfined-users_using-selinux

Users with the staff_u role should only be able to access sudo, but should not have access to su. Because staff_u can utilize the newrole command to change to sysadm_r, they can still access su

Version-Release number of selected component (if applicable):
policycoreutils-newrole-2.9-9.el8.x86_64
selinux-policy-3.14.3-54.el8.noarch

How reproducible:
Always

Steps to Reproduce:

1. useradd -Z staff_u someuser -G wheel
2. ssh someuser.com
3. newrole -r sysadm_r
4. id -Z
5. su - will be successful (according to docs this should fail)

Actual results:
su - is successful

Expected results:
According to documentation staff_u should not be able to utilize su, and should be limited to sudo.

Additional info:
In the default configuration, staff_u is listed as having access to staff_r, sysadm_r, and unconfined_r. I expect that this may be expected behavior, and that the issue lies on the documentation side, if so I believe some clarification is needed regarding what the actual limitations of staff_u are.

[root@localhost ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

Comment 2 Zdenek Pytela 2021-02-08 21:28:09 UTC

There are 2 ways for staff_u users how to get the sysadm_r role: using sudo or newrole. The scenario described in the bz is a correct way, after the change sysadm_r role should be allowed run su. This is not a bug.

It looks it is the documentation which needs improving as there is only one line containing staff_u together with staff_r and staff_t which does not cover changing users roles. Thank you for reporting it.

Also note the user part of context cannot be changed.

Comment 5 W. de Heiden 2021-02-17 07:47:33 UTC

"There are 2 ways for staff_u users how to get the sysadm_r role: using sudo or newrole." Well, there is a third option; I can login using userx/sysadm_r.com. (when the boolean ssh_sysadm_login is enabled)

Comment 7 Zdenek Pytela 2021-03-25 16:42:57 UTC

The problem reported in this bz is not a selinux-policy bug.
The documentation ambiguity will eventually be addressed by distinguishing between users and roles.

Note You need to log in before you can comment on or make changes to this bug.