2076681 – Secure_mode boolean allows staff SELinux user switch to unconfined

Bug 2076681 - Secure_mode boolean allows staff SELinux user switch to unconfined

Summary: Secure_mode boolean allows staff SELinux user switch to unconfined

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	9.1
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (1):	2021529 (view as bug list)
Depends On:	1947841
Blocks:	1778780 2021529 2022763 2076682
TreeView+	depends on / blocked

Reported:	2022-04-19 16:25 UTC by Zdenek Pytela
Modified:	2022-11-15 12:57 UTC (History)
CC List:	9 users (show)
Fixed In Version:	selinux-policy-34.1.32-1.el9
Doc Type:	Bug Fix
Doc Text:	.SELinux `staff_u` users no longer can incorrectly switch to `unconfined_r` Previously, when the `secure_mode` boolean was enabled, `staff_u` users could switch to the `unconfined_r` role, which was not expected behavior. As a consequence, `staff_u` users could perform privileged operations affecting the security of the system. With this update, the SELinux policy has been fixed, and `staff_u` users no longer can incorrectly switch to `unconfined_r`.
Clone Of:	1947841
Environment:
Last Closed:	2022-11-15 11:13:17 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-119262	None	None	None	2022-04-19 16:39:26 UTC
Red Hat Issue Tracker	RHELPLAN-119263	None	None	None	2022-04-19 16:39:41 UTC
Red Hat Product Errata	RHBA-2022:8283	None	None	None	2022-11-15 11:13:43 UTC

Comment 1 Zdenek Pytela 2022-04-19 16:27:42 UTC

rhel9# seinfo -xaunpriv_userdomain

Type Attributes: 1
   attribute unpriv_userdomain;
        guest_t
        staff_t
        staff_wine_t
        unconfined_t
^^^
        user_t
        user_wine_t
        xguest_t

There will be a few dependent fixes needed, e. g.
https://bugzilla.redhat.com/show_bug.cgi?id=2076682

Comment 12 Zdenek Pytela 2022-08-03 15:26:13 UTC

*** Bug 2021529 has been marked as a duplicate of this bug. ***

Comment 16 errata-xmlrpc 2022-11-15 11:13:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283

Note You need to log in before you can comment on or make changes to this bug.