su or sudo from unconfined user to confined user

Stephen Smalley sds at
Tue Jun 23 17:05:51 UTC 2009

On Tue, 2009-06-23 at 12:20 -0400, Stephen Smalley wrote:
> On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > It is possible i think yes.
> I could be wrong, but I think the original poster wanted a way he could
> switch to another user's security context in its entirety using su or
> sudo.  Which today we do not support.
> The original (and current) view is that the SELinux user field should
> only get set when a session is created, and only role, type, and level
> can change within a session and only then if within the authorized roles
> and levels for the user.  That bounds access escalation within a login
> session.  su doesn't affect the SELinux security context, and
> newrole/sudo are limited to changing role, type, or level.
> In early Fedora and RHEL 4, there was support for switching the entire
> security context upon su, but that was removed.  To re-instate it, you
> would need to do two things:
> 1) Add the necessary policy rules to allow su to switch the entire
> context.  Look at the rules under an ifdef distro_rhel4 in su.if in the
> refpolicy for example.  You could add those as a local policy module
> rather than rebuilding the base policy.
> 2) Add pam_selinux entries to /etc/pam.d/su.  Look in /etc/pam.d/login
> for an example of how to do so.
> And I can't guarantee it will still work, as no one uses it that way
> anymore.

Oh, but I forgot that he is starting from unconfined_t, so it isn't
quite that complicated, as su doesn't even run in its own domain when
called by unconfined_t.

This worked for me:
# vi foo.te
policy_module(foo, 1.0)

require {
	type unconfined_t;
	type user_t;
	role unconfined_r;
	role user_r;

allow unconfined_t user_t:process transition;
allow unconfined_r user_r;
# make -f /usr/share/selinux/devel/Makefile foo.pp
# semodule -i foo.pp
# runcon user_u:user_r:user_t:s0 /bin/bash
# id -Z

So you could use runcon to switch contexts (since you are starting from
unconfined_t), and then use su to switch Linux uid.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list