su or sudo from unconfined user to confined user
sds at tycho.nsa.gov
Tue Jun 23 17:05:51 UTC 2009
On Tue, 2009-06-23 at 12:20 -0400, Stephen Smalley wrote:
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > It is possible, I think, yes.
> I could be wrong, but I think the original poster wanted a way he could
> switch to another user's security context in its entirety using su or
> sudo. Which today we do not support.
> The original (and current) view is that the SELinux user field should
> only get set when a session is created, and only role, type, and level
> can change within a session and only then if within the authorized roles
> and levels for the user. That bounds access escalation within a login
> session. su doesn't affect the SELinux security context, and
> newrole/sudo are limited to changing role, type, or level.
> In early Fedora and RHEL 4, there was support for switching the entire
> security context upon su, but that was removed. To re-instate it, you
> would need to do two things:
> 1) Add the necessary policy rules to allow su to switch the entire
> context. Look at the rules under an ifdef distro_rhel4 in su.if in the
> refpolicy for example. You could add those as a local policy module
> rather than rebuilding the base policy.
> 2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
> for an example of how to do so.
> And I can't guarantee it will still work, as no one uses it that way
Oh, but I forgot that he is starting from unconfined_t, so it isn't
quite that complicated, as su doesn't even run in its own domain when
called by unconfined_t.
This worked for me:
# vi foo.te
    # module header and declarations the devel Makefile build needs
    policy_module(foo, 1.0)
    require {
        type unconfined_t, user_t;
        role unconfined_r, user_r;
    }
    # let unconfined_t transition to user_t and unconfined_r to user_r
    allow unconfined_t user_t:process transition;
    allow unconfined_r user_r;
# make -f /usr/share/selinux/devel/Makefile foo.pp
# semodule -i foo.pp
# runcon user_u:user_r:user_t:s0 /bin/bash
# id -Z
So you could use runcon to switch contexts (since you are starting from
unconfined_t), and then use su to switch Linux uid.
National Security Agency
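As an added illustration (not part of the original message or of any real policy), here is a small model of the checks the thread describes for a process transition: the type allow rule from foo.te, the role allow, the user's authorized roles, and refpolicy-style constraints that let only a privileged source type change the user or role fields. The attribute names can_change_process_identity and can_change_process_role and the authorized-role table are assumptions chosen for the example.

```python
# Toy model of an SELinux process transition decision, written for this
# example; attribute names and the role table below are assumptions, not a
# real policy. It shows why runcon from unconfined_t can reach
# user_u:user_r:user_t while the reverse direction is refused.
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    level: str

    @classmethod
    def parse(cls, s: str) -> "Context":
        user, role, type_, level = s.split(":", 3)
        return cls(user, role, type_, level)


# Constructed policy fragments mirroring the foo.te in the message.
TYPE_TRANSITIONS = {("unconfined_t", "user_t")}  # allow ... :process transition
ROLE_ALLOWS = {("unconfined_r", "user_r")}       # allow unconfined_r user_r;
CAN_CHANGE_IDENTITY = {"unconfined_t"}  # can_change_process_identity (assumed)
CAN_CHANGE_ROLE = {"unconfined_t"}      # can_change_process_role (assumed)
AUTHORIZED_ROLES = {                    # roles each SELinux user may hold (assumed)
    "user_u": {"user_r"},
    "unconfined_u": {"unconfined_r", "system_r"},
}


def transition_allowed(src: str, dst: str) -> tuple[bool, str]:
    """Return (decision, reason) for moving from context src to dst."""
    s, d = Context.parse(src), Context.parse(dst)
    if (s.type, d.type) not in TYPE_TRANSITIONS:
        return False, f"no allow {s.type} {d.type}:process transition"
    if s.role != d.role and (s.role, d.role) not in ROLE_ALLOWS:
        return False, f"no role allow {s.role} {d.role}"
    if d.role not in AUTHORIZED_ROLES.get(d.user, set()):
        return False, f"role {d.role} not authorized for user {d.user}"
    # The user field may only change when the source type is privileged.
    if s.user != d.user and s.type not in CAN_CHANGE_IDENTITY:
        return False, f"{s.type} may not change the SELinux user"
    if s.role != d.role and s.type not in CAN_CHANGE_ROLE:
        return False, f"{s.type} may not change the role"
    return True, "ok"
```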