-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Removed adding to attribute unpriv_userdomain from userdom_unpriv_type template #427
Conversation
I can confirm the @Koncpa, did you create a build just to confirm unconfined_u user work as expected, and the attribute is not set by some other call? |
Let's properly test this before we merge it, because we're removing rules this could cause troubles. |
…e template When is secure_mode boolean enabled the attribute unpriv_userdomain allow transition only between unprivileged users. But one member this attribute was unconfined_t domain, which had allow privilege operations. Solution was that from userdom_unpriv_type template was remove adding domains to attribute unpriv_userdomain. This template is used only for unconfined_t, so affected only uncofined domain. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1840851
Removing attribute in previous commit affected connecting via ssh to unconfined user. Missed dyntransition from sshd domain to unconfined domain. Added ssh_dyntransition_to() interface.
45a2354
to
c3f194f
Compare
@zpytela, @wrabcak I tested this PR and I found one issue. When I removed domain from this attribute I cannot connect to unconfined user via ssh, because from sshd_t missed dyntransition to unconfined_t. So I add interface ssh_dyntransition_to(), which solved this issue. Also I tried solution from different point of view, where I made neverallow rule which deny transition from newrole_t to unconfined_t, but in building policy appeared issues with violated rules, so I finally choosed the first option. |
The transition from
That is how far I understand what sshd does with selinux and what is being discussed in this issue. But as long as this works, we should be fine from ssh point of view. |
@wrabcak Also when I looked to the policy before the fix I found same rule with one difference. As you can see in the rule is the attribute where the member was unconfined_t domain before removed.
Policy with patch:
Thanks @Jakuje |
@Koncpa, I see a lot of references to unpriv_userdomain: have you tried some other common scenarios for unconfined_u, like logging in in xdm or console, start some service, execute some commands, su/sudo, etc.? |
@zpytela Yes, I tried a some other common scenarios for this type of user. I also reboot this machine with this new policy and I didn't found any issues with removing unconfined_t from unpriv_userdomain. |
I specific tried to start|restart|stop httpd.service, logging user in console, executing basic command as ls, cd, cat, pwd and etc. Also I tested privileged command liked chown, chmod. |
Thank you, merging then. |
When is secure_mode boolean enabled the attribute unpriv_userdomain allow transition
only between unprivileged users. But one member this attribute was unconfined_t
domain, which had allow privilege operations. Solution was that from userdom_unpriv_type
template was remove adding domains to attribute unpriv_userdomain. This template is used only
for unconfined_t, so affected only uncofined domain.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1840851