[DSE-Dev] Bug#933858: selinux-policy-default: Selinux default policy does not change context sudo and su from a system administrator (sysadm_u) user account to root

Ramón García ramon.garcia.f+debian at gmail.com
Sun Aug 4 14:33:24 BST 2019


Package: selinux-policy-default
Version: 2:2.20190201-2
Severity: important

Dear Maintainer,

First of all, the SELinux policy should be tested more. With a default
installation, even without a GUI, there is too much activity blocked.

For this report, we create a system administrator user, therefore,
member of the sudoers group, and with the sysadm_u SELinux User.

useradd myname .... -Z sysadm_u

We expect that this user should be able to sudo to root, and after
that the user should be in the
SELinux context unconfined_u:unconfined_r:unconfined_t

But after sudo, the user is still in the same context. Therefore, in
enforced mode, many root commands will fail.

I had to make the following changes in my system to get sudo working:

In package sudo, add calls to pam_selinux to /etc/pam.d/sudo

--------------------------------------------------------------------------------
@@ -1,4 +1,6 @@
 #%PAM-1.0
+session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so close
+session [success=ok ignore=ignore module_unknown=ignore default=bad]
pam_selinux.so open

 @include common-auth
 @include common-accoun
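Review bot: the `pam_selinux.so open` line is added directly after `pam_selinux.so close`, above `@include common-auth`, so any session module later in the file runs after the context switch. The pam_selinux documentation asks for `close` before the other session modules and `open` after them; suggest keeping `close` at the top and moving `open` below the session includes. The two added lines are also wrapped by the mailer (the module name sits on its own line), so the hunk will not apply as posted; sending the patch as an attachment would avoid that.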
---------------------------------------------------------------------------------


I also created the following SELinux module and added it to the policy. The
allow lines should be added to the default policy

-------------------------------------------------------------
policy_module(sysadm_custom, 1.0)

require {
        role sysadm_r;
        role unconfined_r;
        type sysadm_t;
        type sysadm_sudo_t;
        type unconfined_t;
        attribute can_change_process_identity;
}

allow sysadm_r unconfined_r;
allow sysadm_sudo_t unconfined_t:process transition;
typeattribute sysadm_sudo_t can_change_process_identity;
--------------------------------------------------------------

Rationale:
- The purpose of sysadm_u/sysadm_r is to specify which users are
actually system administrators and should be allowed
to sudo to root.
- When sudo is running from a user with sysadm_u, it is in the context
sysadm_u:sysadm_r:sysadm_sudo_t
- The first allow is needed so that sudo can change the current role
from sysadm_r to unconfined_r.
- The second, so that it is possible to change from the sysadm_sudo_t type
of the instance of sudo executing, to the unconfined_t type of the root
user.
- The third, so that this sudo instance is able to change process identity.

Similar changes should be allowed to be able to su to root

allow sysadm_su_t unconfined_t:process transition;
typeattribute sysadm_su_t can_change_process_identity;





I also made the following change to
/etc/selinux/default/contexts/default_contexts
But it is likely that it is not necessary. (Also included, changes for su to root)

-----------------------------------------------------
--- /etc/selinux/default/contexts/default_contexts.old    2019-07-10
20:40:36.000000000 +0200
+++ /etc/selinux/default/contexts/default_contexts    2019-07-10
23:05:17.000000000 +0200
@@ -10,8 +10,8 @@
 staff_r:staff_su_t:s0        user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0
 staff_r:staff_sudo_t:s0        sysadm_r:sysadm_t:s0 staff_r:staff_t:s0

-sysadm_r:sysadm_su_t:s0        user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0
-sysadm_r:sysadm_sudo_t:s0    sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_su_t:s0        user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
+sysadm_r:sysadm_sudo_t:s0    sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0

 user_r:user_su_t:s0        user_r:user_t:s0 staff_r:staff_t:s0
sysadm_r:sysadm_t:s0
 user_r:user_sudo_t:s0        sysadm_r:sysadm_t:s0 user_r:user_t:s0
unconfined_r:unconfined_t:s0
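Review bot: `unconfined_r:unconfined_t:s0` is appended after `sysadm_r:sysadm_t:s0` on both changed lines, and entries in default_contexts are listed in order of preference, so `sysadm_r:sysadm_t:s0` stays the default whenever it is reachable and the new entry only acts as a fallback. If the intent is for su and sudo from sysadm_r to land in unconfined_t, list it first; otherwise state in the report that it is meant as a fallback. The SELinux user also has to be authorized for unconfined_r before this entry can be selected, and that mapping is not part of this diff.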
----------------------------------------------------------------------


SELinux is rather difficult to understand and fix issues. I have some
experience with it. Please ask for help if you need.
But please test. A virtual machine with a default configuration should
be able to run with SELinux enforced and no block logged to
/var/log/audit/audit.log


-- System Information:
Debian Release: 10.0
  APT prefers stable
  APT policy: (990, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: default

Versions of packages selinux-policy-default depends on:
ii  libselinux1      2.8-1+b1
ii  libsemanage1     2.8-2
ii  libsepol1        2.8-1
ii  policycoreutils  2.8-1
ii  selinux-utils    2.8-1+b1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.8-1
ii  setools      4.2.0-1

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/contexts/default_contexts changed [not included]
/etc/selinux/default/contexts/users/unconfined_u changed [not included]

-- no debconf information
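
The following is an added example, not part of the original report and not libselinux code. It models how the order of entries on the sysadm_sudo_t line of default_contexts decides the default context, assuming the first listed candidate that the policy also makes reachable is chosen; the reachable sets and the REORDERED line are constructed for illustration.

```python
# Added example: simplified model of a default_contexts lookup.
# Assumption: the first listed candidate that is also reachable becomes the
# default; per-user files under contexts/users/ are ignored in this model.

# Lines taken from the report's diff (mail wrapping removed).
OLD = "sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0"
NEW = "sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0"
# Constructed variant with the new entry listed first.
REORDERED = "sysadm_r:sysadm_sudo_t:s0 unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0"


def parse_default_contexts(text):
    """Return {from_context: [candidate, ...]}, keeping the file's order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        source, *candidates = line.split()
        table[source] = candidates
    return table


def default_context(text, source, reachable):
    """First candidate listed for `source` that is in `reachable`, else None."""
    for candidate in parse_default_contexts(text).get(source, []):
        if candidate in reachable:
            return candidate
    return None


def compare(reachable, source="sysadm_r:sysadm_sudo_t:s0"):
    """Default chosen under each variant of the sysadm_sudo_t line."""
    variants = (("old", OLD), ("new", NEW), ("reordered", REORDERED))
    return {name: default_context(text, source, reachable)
            for name, text in variants}


if __name__ == "__main__":
    # Constructed reachable sets: contexts the policy lets sudo enter.
    both = {"sysadm_r:sysadm_t:s0", "unconfined_r:unconfined_t:s0"}
    print(compare(both))
    print(compare({"unconfined_r:unconfined_t:s0"}))
```

With both contexts reachable, the old and new lines select the same default, which matches the report's remark that the default_contexts change is probably not necessary.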


