fedora-selinux June 2009 archive

Re: su or sudo from unconfined user to confined user

From: Stephen Smalley <sds_at_nospam>
Date: Tue Jun 23 2009 - 17:05:51 GMT
To: Dominick Grift <domg472@gmail.com>


On Tue, 2009-06-23 at 12:20 -0400, Stephen Smalley wrote:
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > It is possible, I think, yes.
>
> I could be wrong, but I think the original poster wanted a way he could
> switch to another user's security context in its entirety using su or
> sudo. Which today we do not support.
>
> The original (and current) view is that the SELinux user field should
> only get set when a session is created, and only role, type, and level
> can change within a session and only then if within the authorized roles
> and levels for the user. That bounds access escalation within a login
> session. su doesn't affect the SELinux security context, and
> newrole/sudo are limited to changing role, type, or level.
>
> In early Fedora and RHEL 4, there was support for switching the entire
> security context upon su, but that was removed. To re-instate it, you
> would need to do two things:
> 1) Add the necessary policy rules to allow su to switch the entire
> context. Look at the rules under an ifdef distro_rhel4 in su.if in the
> refpolicy for example. You could add those as a local policy module
> rather than rebuilding the base policy.
> 2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
> for an example of how to do so.
>
> And I can't guarantee it will still work, as no one uses it that way
> anymore.

Oh, but I forgot that he is starting from unconfined_t, so it isn't quite that complicated, as su doesn't even run in its own domain when called by unconfined_t.

This worked for me:
# vi foo.te
policy_module(foo, 1.0)

require { type unconfined_t; type user_t; role unconfined_r; role user_r; }

allow unconfined_t user_t:process transition;
allow unconfined_r user_r;

# make -f /usr/share/selinux/devel/Makefile foo.pp
# semodule -i foo.pp
# runcon user_u:user_r:user_t:s0 /bin/bash
# id -Z
user_u:user_r:user_t:s0

So you could use runcon to switch contexts (since you are starting from unconfined_t), and then use su to switch Linux uid.

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
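The rule the thread turns on (the SELinux user field is fixed at session creation; only role, type and level may change within a session) is easy to check mechanically before reaching for newrole, sudo or runcon. The script below is an added example, not code from the thread; the function names and the sample contexts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a requested SELinux context change by which
# fields differ. Contexts are "user:role:type[:level]" strings such as
# those printed by `id -Z`. Sample values below are constructed.

# Field N (1..4) of a context string; a missing level is reported as "-".
ctx_field() {
    # $1 = context, $2 = field number
    echo "$1" | awk -F: -v n="$2" '{ if (n <= NF) print $n; else print "-" }'
}

# Print the names of the fields that differ between two contexts, space
# separated, in the order user role type level. Prints nothing when the
# contexts are identical.
changed_fields() {
    cur="$1"; new="$2"; out=""; i=1
    for name in user role type level; do
        if [ "$(ctx_field "$cur" "$i")" != "$(ctx_field "$new" "$i")" ]; then
            out="$out $name"
        fi
        i=$((i + 1))
    done
    echo "${out# }"
}

# Classify a change as:
#   none      - identical contexts
#   session   - only role/type/level change (what newrole/sudo may do,
#               subject to the user's authorized roles and levels)
#   identity  - the SELinux user field changes; not a within-session
#               change, which is why the thread reaches for runcon from
#               unconfined_t (or a fresh login session) instead of su
classify_change() {
    fields=$(changed_fields "$1" "$2")
    case "$fields" in
        "")      echo none ;;
        *user*)  echo identity ;;
        *)       echo session ;;
    esac
}

# Demonstration with constructed contexts.
classify_change "unconfined_u:unconfined_r:unconfined_t:s0" "user_u:user_r:user_t:s0"
classify_change "staff_u:staff_r:staff_t:s0" "staff_u:sysadm_r:sysadm_t:s0"
```

Whether a "session" change is actually permitted still depends on policy (role allow rules and the user's authorized roles and levels); the script only tells you which kind of change is being asked for.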