Bug 2076681 - Secure_mode boolean allows staff SELinux user switch to unconfined
Summary: Secure_mode boolean allows staff SELinux user switch to unconfined
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Duplicates: 2021529
Depends On: 1947841
Blocks: 1778780 2021529 2022763 2076682
Reported: 2022-04-19 16:25 UTC by Zdenek Pytela
Modified: 2022-11-15 12:57 UTC (History)
CC List: 9 users

Fixed In Version: selinux-policy-34.1.32-1.el9
Doc Type: Bug Fix
Doc Text:
SELinux `staff_u` users can no longer incorrectly switch to `unconfined_r`. Previously, when the `secure_mode` boolean was enabled, `staff_u` users could switch to the `unconfined_r` role, which was not the expected behavior. As a consequence, `staff_u` users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and `staff_u` users can no longer incorrectly switch to `unconfined_r`.
Clone Of: 1947841
Environment:
Last Closed: 2022-11-15 11:13:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:
Links
System                    ID                Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker     RHELPLAN-119262   0        None      None    None     2022-04-19 16:39:26 UTC
Red Hat Issue Tracker     RHELPLAN-119263   0        None      None    None     2022-04-19 16:39:41 UTC
Red Hat Product Errata    RHBA-2022:8283    0        None      None    None     2022-11-15 11:13:43 UTC

Comment 1 Zdenek Pytela 2022-04-19 16:27:42 UTC
rhel9# seinfo -xaunpriv_userdomain

Type Attributes: 1
   attribute unpriv_userdomain;
        guest_t
        staff_t
        staff_wine_t
        unconfined_t
^^^
        user_t
        user_wine_t
        xguest_t

There will be a few dependent fixes needed, e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=2076682
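
Comment 1 points at `unconfined_t` being listed among the members of the `unpriv_userdomain` attribute. A simple way for an administrator to confirm whether an installed policy still shows that membership (i.e. is affected) or has the fix is to parse the `seinfo -xa<attribute>` output. The script below is an added example and is not part of this bug report or of the selinux-policy package; the two embedded samples are constructed to mirror the shape of the output in Comment 1 (affected) and the expected shape after the fix, and `check_live` assumes that `seinfo` from setools is installed.

```shell
#!/bin/sh
# Added example (not from the bug report): verify whether unconfined_t is a
# member of the unpriv_userdomain attribute in the loaded SELinux policy.

# Parse `seinfo -xa<attr>` output read on stdin and print the member types,
# one per line. Member lines are the indented lines containing a bare type
# name; the "Type Attributes:" header and "attribute <name>;" line are skipped.
attr_members() {
    awk '/^[[:space:]]+[A-Za-z0-9_]+$/ { print $1 }'
}

# Return 0 (true) if the type named in $1 appears in the seinfo output on stdin.
attr_has_type() {
    attr_members | grep -qx "$1"
}

# Live check against the running policy (assumes seinfo is available):
# exit non-zero if unconfined_t is still a member of unpriv_userdomain,
# which is the membership highlighted in Comment 1.
check_live() {
    if seinfo -xaunpriv_userdomain | attr_has_type unconfined_t; then
        echo "FAIL: unconfined_t is a member of unpriv_userdomain (affected policy)"
        return 1
    fi
    echo "OK: unconfined_t is not a member of unpriv_userdomain"
    return 0
}

# Constructed sample modelled on the Comment 1 output (affected policy).
SAMPLE_AFFECTED='Type Attributes: 1
   attribute unpriv_userdomain;
        guest_t
        staff_t
        staff_wine_t
        unconfined_t
        user_t
        user_wine_t
        xguest_t'

# Constructed sample of what a fixed policy is expected to show: the same
# attribute without unconfined_t.
SAMPLE_FIXED='Type Attributes: 1
   attribute unpriv_userdomain;
        guest_t
        staff_t
        staff_wine_t
        user_t
        user_wine_t
        xguest_t'

# Wrappers that run the parser over the constructed samples so the logic can
# be exercised offline; they return 0 when unconfined_t is listed.
affected_has_unconfined() { printf '%s\n' "$SAMPLE_AFFECTED" | attr_has_type unconfined_t; }
fixed_has_unconfined()    { printf '%s\n' "$SAMPLE_FIXED"    | attr_has_type unconfined_t; }

# Count of member types in the seinfo output on stdin.
attr_count() { attr_members | awk 'END { print NR }'; }
```

On a host, `. ./check_unpriv_userdomain.sh && check_live` (the file name is arbitrary) prints OK on a policy that carries the fix and FAIL on one that still lists `unconfined_t`; the same parser can be pointed at any other attribute by changing the `seinfo -xa` argument.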

Comment 12 Zdenek Pytela 2022-08-03 15:26:13 UTC
*** Bug 2021529 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2022-11-15 11:13:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283
