Bug 1965265 - Confined sysadm_u user cannot switch to unconfined_r role
Summary: Confined sysadm_u user cannot switch to unconfined_r role
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.4
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
: ---
Assignee: Patrik Koncity
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 1778780
Reported: 2021-05-27 10:07 UTC by Renaud Métrich
Modified: 2022-01-05 13:43 UTC (History)
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-14 11:36:07 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Renaud Métrich 2021-05-27 10:07:01 UTC
Description of problem:

Even though the allowed roles for the sysadm_u user are sysadm_r and unconfined_r, there is no rule in the policy to allow switching to unconfined_r, which is mandatory to be able to administer a system (see BZ #1965251 in particular):

# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r unconfined_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r


# sesearch --role_allow | grep unconfined_r
allow staff_r unconfined_r;
allow system_r unconfined_r;
allow system_r unconfined_r;
allow system_r unconfined_r;
allow unconfined_r system_r;

Additionally, staff_r can, but sysadm_r cannot, which seems nonsense to me.


On systems with all users confined, and root account disabled, sysadm_u must be able to become unconfined if necessary.


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.14.3-67.el8.noarch


How reproducible:

N/A

Comment 1 Patrik Koncity 2021-06-07 10:57:17 UTC
Hi Renaud,

Do you really use RHEL-8.4.0?

I have shown the list of confined users with roles and levels for each SELinux user, and I didn't find that sysadm_u should have the unconfined_r role enabled.

[root@ci-vm-10-0-136-216 ~]# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r

I used a machine with RHEL-8.4.0 released.

Comment 2 Renaud Métrich 2021-06-07 11:07:29 UTC
Indeed, on a freshly installed 8.4.0 there is no unconfined_r role for sysadm_u, I must have used a modified system, sorry for that.
Anyway for now, due to BZ #1965251 and others, this role is required for sysadm_u, otherwise administration is not possible at all.

Comment 3 Patrik Koncity 2021-06-14 11:36:07 UTC
Hi Renaud,

I have investigated why sysadm_u cannot switch to the unconfined_r role and I found that sysadm_u was designed for similar functions as root, so it's nonsense to allow switching from sysadm_u to unconfined_r.

But for you I describe how you can allow switching from sysadm_u to unconfined_r.

First of all you need to have selinux-policy-devel installed.

# dnf install selinux-policy-devel

Steps to allow switching from sysadm_u to unconfined_r:


# semanage user -m -R "sysadm_r unconfined_r" sysadm_u

Then you need to create a local.te file.
Copy and paste this into the local.te file:


policy_module(local, 1.0)

require {
        role unconfined_r;
        role sysadm_r;
};

unconfined_role_change(sysadm_r)


Then you need to compile the .te file this way:

$ make -f /usr/share/selinux/devel/Makefile local.pp

and then load this new module into the policy.

$ semodule -i local.pp


Now you should be able to switch users, for example via newrole.

Also, regarding BZ #1965251 which you mentioned, we will try to make a proper fix without switching to unconfined_r.

Regards,
Patrik.

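An added audit check, not part of the bug report or of selinux-policy: it compares the roles that `semanage user -l` lists for an SELinux user against the roles actually reachable from the user's default role via `sesearch --role_allow`, which is the mismatch the description shows and what the procedure in comment 3 is meant to resolve. The listings are constructed from the report; the `allow staff_r sysadm_r;` line is an assumption, added because the report's sesearch output was filtered for unconfined_r only.

```sh
#!/bin/sh
# Added example (not from the bug report): check whether every role that
# `semanage user -l` lists for an SELinux user is reachable from the user's
# default role through a role_allow rule (`sesearch --role_allow`).
# Outputs are passed as text so saved listings can be audited offline;
# on a live host substitute the real command output.

# user_roles SEMANAGE_OUTPUT SELINUX_USER: roles listed for the user (fields 5..NF)
user_roles() {
    printf '%s\n' "$1" | awk -v u="$2" '$1 == u { for (i = 5; i <= NF; i++) print $i }'
}

# reachable_roles SESEARCH_OUTPUT FROM_ROLE: roles FROM_ROLE may change into
reachable_roles() {
    printf '%s\n' "$1" | awk -v r="$2" '$1 == "allow" && $2 == r { sub(/;$/, "", $3); print $3 }' | sort -u
}

# missing_role_allows SEMANAGE_OUTPUT SESEARCH_OUTPUT SELINUX_USER DEFAULT_ROLE:
# prints each listed role that is neither the default role nor reachable from it.
# No output means the user mapping and the role_allow rules agree.
missing_role_allows() {
    for role in $(user_roles "$1" "$3"); do
        [ "$role" = "$4" ] && continue
        reachable_roles "$2" "$4" | grep -qx "$role" || printf '%s\n' "$role"
    done
}

# Constructed sample: the modified system's mapping from the report (sysadm_u
# lists unconfined_r) and its role_allow rules; the staff_r -> sysadm_r line is
# an assumption, added because the report's listing was filtered for unconfined_r.
SEMANAGE_OUT='guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r'
SESEARCH_OUT='allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow system_r unconfined_r;
allow unconfined_r system_r;'

# Flags unconfined_r for sysadm_u: there is no "allow sysadm_r unconfined_r;" rule
missing_role_allows "$SEMANAGE_OUT" "$SESEARCH_OUT" sysadm_u sysadm_r
```

After loading the local.pp module from comment 3, rerunning the check against fresh `semanage user -l` and `sesearch --role_allow` output should print nothing for sysadm_u.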
Comment 4 Markus Iturriaga 2021-06-14 13:33:46 UTC
(In reply to Patrik Koncity from comment #3)
> Hi Renaud,
> 
> I have investigated why sysadm_u cannot switch to the unconfined_r role and I
> found that sysadm_u was designed for similar functions as root, so it's
> nonsense to allow switching from sysadm_u to unconfined_r.
> 

Hi Patrik - The sysadm_r role cannot do some of the more basic system administration tasks via sudo. Also, it is possible for staff_u to transition to unconfined_r but not for sysadm_u. That does not seem correct, since staff_u is supposed to have fewer privileges, not more. As I remarked in BZ #1919122, you can run *some* commands if you're in a root shell (via sudo -i), but there are many others that sysadm_u simply cannot run. The only SELinux user that can run these appears to be unconfined_u:

RH8.4:root:com1980 ~> id -Z
sysadm_u:sysadm_r:sysadm_t:s0

RH8.4:root:com1980 ~> gdisk /dev/sda
GPT fdisk (gdisk) version 1.0.3

Problem opening /dev/sda for reading! Error is 13.
You must run this program as root or use sudo!


Interesting side note: The STIG for RHEL7 requires that all system administrators be mapped to sysadm_u or staff_u (https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-01-02/finding/V-71971) but I did not find the same requirement in the STIG for RHEL8 (https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/). 

So, is the "solution" to map system administrators to staff_u (which, incomprehensibly *can* transition) or directly to unconfined_u? 

Thanks!

Comment 5 Patrik Koncity 2021-06-14 14:21:39 UTC
Hi Markus,

We know about that and we are in the process of allowing all necessary commands for sysadm_u. Allowing the switch from sysadm_u to unconfined_r is only a hotfix.

Patrik
