su or sudo from unconfined user to confined user

Mohamed Aburowais mrowais at hotmail.com
Tue Jun 23 16:54:06 UTC 2009


This seems to be a bit complicated.
As a start I'm trying to create a new role and new types; I want the new role to be accessible from unconfined_r, but I've been having a problem since my last email:
Compiling targeted new module
/usr/bin/checkmodule:  loading policy configuration from tmp/new.tmp
new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line 3189:
allow unconfined_r new_r; 
role new_r types example_t;
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/new.mod] Error 1

the file used: new.te
policy_module(new, 0.0.1)

role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r; 
(both the allow and the role form cause the same problem).



> Subject: Re: su or sudo from unconfined user to confined user
> From: sds at tycho.nsa.gov
> To: domg472 at gmail.com
> CC: mrowais at hotmail.com; fedora-selinux-list at redhat.com
> Date: Tue, 23 Jun 2009 12:20:38 -0400
> 
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > It is possible, I think, yes.
> 
> I could be wrong, but I think the original poster wanted a way he could
> switch to another user's security context in its entirety using su or
> sudo.  Which today we do not support.
> 
> The original (and current) view is that the SELinux user field should
> only get set when a session is created, and only role, type, and level
> can change within a session and only then if within the authorized roles
> and levels for the user.  That bounds access escalation within a login
> session.  su doesn't affect the SELinux security context, and
> newrole/sudo are limited to changing role, type, or level.
> 
> In early Fedora and RHEL 4, there was support for switching the entire
> security context upon su, but that was removed.  To re-instate it, you
> would need to do two things:
> 1) Add the necessary policy rules to allow su to switch the entire
> context.  Look at the rules under an ifdef distro_rhel4 in su.if in the
> refpolicy for example.  You could add those as a local policy module
> rather than rebuilding the base policy.
> 2) Add pam_selinux entries to /etc/pam.d/su.  Look in /etc/pam.d/login
> for an example of how to do so.
> 
> And I can't guarantee it will still work, as no one uses it that way
> anymore.
> 
> > As far as i know there are two requirements (example unconfined_r to
> > confined_r)
> > 
> > 1. Your SELinux User must be mapped to both roles.
> > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P user
> > special_u
> > 
> > 2. Your source role must have access to your target role
> > allow unconfined_r confined_r;
> > 
> > (also make default context in /etc/selinux/targeted/contexts/users for
> > special_u)
> > 
> > The reason that this is supported by default is because it does not make
> > sense to transition from a unconfined domain to a confined domain. It
> > defeats the purpose of the unconfined domain.
> > 
> > Unconfined environments are used by processes that are exempted from
> > much of the policy enforcement.
> > 
> > In rare cases unconfined domains transition to restricted domains. For
> > example: one can toggle a boolean to force unconfined_t to transition to
> > nsplugin_t when the process runs nsplugin.
> > 
> > 
> > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> > > Hello, 
> > > I've a requirement to use a system as root, but I need to move very
> > > often to other users and be able to move to their default SELinux user
> > > and roles.
> > > As it appears, it is not a common thing to do, but is it possible
> > > without implementing a new policy?
> > > 
> > > Regards
> > > 
> > > 
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> -- 
> Stephen Smalley
> National Security Agency
> 
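The checkmodule error on the module above comes from referencing a role the module neither declares nor requires: unconfined_r is declared elsewhere in the loaded policy, so a loadable module must list it in a gen_require() block instead of redeclaring it. The script below is an added example and is not code from any message in this thread. It writes a corrected new.te, runs a cheap static check for roles used in role allow rules but neither declared nor required (the exact mistake in the posted module), and then builds and loads the module and maps a SELinux user to both roles. It assumes the Fedora policy development Makefile at /usr/share/selinux/devel/Makefile, the names new_r, example_t and special_u used in the thread, a hypothetical Linux login name alice, and the semanage user invocation shape from Dominick's reply. It does not cover the full-context switch on su that Stephen describes, which would additionally need the su.if rules and pam_selinux entries.

```shell
#!/bin/sh
# Added example, not from the thread. Corrects the "unknown role unconfined_r"
# module error and shows the rest of the procedure (build, load, user mapping).
# Assumptions: /usr/share/selinux/devel/Makefile exists (selinux-policy-devel),
# role new_r / type example_t / SELinux user special_u as named in the thread,
# and a hypothetical Linux login "alice". Nothing runs outside a function.

# Print the corrected new.te. A module may only use symbols it declares itself
# or pulls in via gen_require(); unconfined_r lives in the base/unconfined
# policy, so it is required here rather than declared.
render_new_te() {
    cat <<'EOF'
policy_module(new, 0.0.1)

gen_require(`
    role unconfined_r;
')

role new_r;
type example_t;
role new_r types example_t;

# Role allow rule: a process running with role unconfined_r may change to new_r.
allow unconfined_r new_r;
EOF
}

# Static check run before spending a make cycle: every role named in a
# "allow src_r dst_r;" role allow rule must appear as "role X;" somewhere in
# the file, either as a declaration or inside gen_require(). Prints each
# missing role and returns 1 if any is missing, 0 otherwise.
check_role_refs() {
    file="$1"
    status=0
    for r in $(sed -n 's/^allow[[:space:]][[:space:]]*\([a-z_]*_r\)[[:space:]][[:space:]]*\([a-z_]*_r\);.*/\1 \2/p' "$file"); do
        if ! grep -Eq "^[[:space:]]*role[[:space:]]+$r[[:space:]]*;" "$file"; then
            echo "missing declaration/require for role: $r"
            status=1
        fi
    done
    return $status
}

# Build and load the module, then authorise a SELinux user for both roles so a
# session started as that user can reach new_r (for example via newrole -r new_r).
# Needs root and the policy devel tools; not invoked automatically.
install_new_policy() {
    workdir="${1:-/tmp/newpol}"
    mkdir -p "$workdir" && cd "$workdir" || return 1
    render_new_te > new.te
    check_role_refs new.te || return 1
    make -f /usr/share/selinux/devel/Makefile new.pp || return 1
    semodule -i new.pp || return 1
    # SELinux user authorised for both roles; shape follows Dominick's reply.
    semanage user -a -L s0 -r s0-s0 -R "unconfined_r new_r" -P user special_u || return 1
    # Map a Linux login (assumed name "alice") to that SELinux user.
    semanage login -a -s special_u alice || return 1
    # Still to do by hand, as Dominick notes: a default-context file for
    # special_u under /etc/selinux/targeted/contexts/users/.
}
```

Running check_role_refs against the module exactly as posted (no gen_require block) reports unconfined_r as missing, which is the same condition checkmodule later rejects as 'unknown role unconfined_r'.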
