su or sudo from unconfined user to confined user

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 23 16:20:38 UTC 2009 

On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> It is possible i think yes.

I could be wrong, but I think the original poster wanted a way he could
switch to another user's security context in its entirety using su or
sudo.  Which today we do not support.

The original (and current) view is that the SELinux user field should
only get set when a session is created, and only role, type, and level
can change within a session and only then if within the authorized roles
and levels for the user.  That bounds access escalation within a login
session.  su doesn't affect the SELinux security context, and
newrole/sudo are limited to changing role, type, or level.

In early Fedora and RHEL 4, there was support for switching the entire
security context upon su, but that was removed.  To re-instate it, you
would need to do two things:
1) Add the necessary policy rules to allow su to switch the entire
context.  Look at the rules under an ifdef distro_rhel4 in su.if in the
refpolicy for example.  You could add those as a local policy module
rather than rebuilding the base policy.
2) Add pam_selinux entries to /etc/pam.d/su.  Look in /etc/pam.d/login
for an example of how to do so.

And I can't guarantee it will still work, as no one uses it that way
anymore.

> As far as i know there are two requirements (example unconfined_r to
> confined_r)
> 
> 1. Your SELinux User must be mapped to both roles.
> semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user
> special_u
> 
> 2. Your source role must have access to your target role
> allow unconfined_r confined_r;
> 
> (also make default context in /etc/selinux/targeted/contexts/users for
> special_u)
> 
> The reason that this is supported by default is because it does not make
> sense to transition from a unconfined domain to a confined domain. It
> defeats the purpose of the unconfined domain.
> 
> Unconfined environments are used by processes that are exempted from
> much of the policy enforcement.
> 
> In rare cases unconfined domain transition to restricted domains. For
> example: one can toggle a boolean to force unconfined_t to transition to
> nsplugin_t when the process runs nsplugin. 
> 
> 
> On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> > Hello, 
> > I've a requirement to use a system as a root, but I need to move so
> > offen to other users and be able to move to their default SELinux user
> > and roles.
> > As it appears to be, it is no a common thing to do, but is it possible
> > without implementing a new policy?
> > 
> > Regards
> > 
> > 
> > ______________________________________________________________________
> > Beyond Hotmail - see what else you can do with Windows Live. Find out
> > more.
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list