su or sudo from unconfined user to confined user

Dominick Grift domg472 at gmail.com
Tue Jun 23 17:57:56 UTC 2009


On Tue, 2009-06-23 at 17:54 +0100, Mohamed Aburowais wrote:
> This seems to be a bit complicated.
> As a start I'm trying to create new role and new types, I want the new
> role to be accessed by unconfined_r, having problem since my last
> email:
> Compiling targeted new module
> /usr/bin/checkmodule:  loading policy configuration from tmp/new.tmp
> new.te":6:ERROR 'unknown role unconfined_r' at token ';' on line 3189:
> allow unconfined_r new_r; 
> role new_r types example_t;
> /usr/bin/checkmodule:  error(s) encountered while parsing
> configuration
> make: *** [tmp/new.mod] Error 1
> 
> the file used: new.te
> policy_module(new, 0.0.1)
> 
> role new_r;
> type example_t;
> role new_r types example_t;
> allow unconfined_r new_r; 
>  (both allow or role causing the same problem).

Looks like you must require unconfined_r:

require { role unconfined_r; }

> 
> 
> > Subject: Re: su or sudo from unconfined user to confined user
> > From: sds at tycho.nsa.gov
> > To: domg472 at gmail.com
> > CC: mrowais at hotmail.com; fedora-selinux-list at redhat.com
> > Date: Tue, 23 Jun 2009 12:20:38 -0400
> > 
> > On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> > > It is possible i think yes.
> > 
> > I could be wrong, but I think the original poster wanted a way he
> > could switch to another user's security context in its entirety using
> > su or sudo. Which today we do not support.
> > 
> > The original (and current) view is that the SELinux user field
> > should only get set when a session is created, and only role, type,
> > and level can change within a session and only then if within the
> > authorized roles and levels for the user. That bounds access
> > escalation within a login session. su doesn't affect the SELinux
> > security context, and newrole/sudo are limited to changing role,
> > type, or level.
> > 
> > In early Fedora and RHEL 4, there was support for switching the
> > entire security context upon su, but that was removed. To re-instate
> > it, you would need to do two things:
> > 1) Add the necessary policy rules to allow su to switch the entire
> > context. Look at the rules under an ifdef distro_rhel4 in su.if in
> > the refpolicy for example. You could add those as a local policy
> > module rather than rebuilding the base policy.
> > 2) Add pam_selinux entries to /etc/pam.d/su. Look in
> > /etc/pam.d/login for an example of how to do so.
> > 
> > And I can't guarantee it will still work, as no one uses it that way
> > anymore.
> > 
> > > As far as I know there are two requirements (example unconfined_r
> > > to confined_r)
> > > 
> > > 1. Your SELinux User must be mapped to both roles.
> > > semanage user -a -L s0 -r s0-s0 -R "unconfined_r confined_r" -P
> > > user special_u
> > > 
> > > 2. Your source role must have access to your target role
> > > allow unconfined_r confined_r;
> > > 
> > > (also make default context in /etc/selinux/targeted/contexts/users
> > > for special_u)
> > > 
> > > The reason that this is supported by default is because it does
> > > not make sense to transition from an unconfined domain to a confined
> > > domain. It defeats the purpose of the unconfined domain.
> > > 
> > > Unconfined environments are used by processes that are exempted
> > > from much of the policy enforcement.
> > > 
> > > In rare cases unconfined domain transition to restricted domains.
> > > For example: one can toggle a boolean to force unconfined_t to
> > > transition to nsplugin_t when the process runs nsplugin.
> > > 
> > > 
> > > On Tue, 2009-06-23 at 15:58 +0100, Mohamed Aburowais wrote:
> > > > Hello, 
> > > > I've a requirement to use a system as a root, but I need to move
> > > > so often to other users and be able to move to their default
> > > > SELinux user and roles.
> > > > As it appears to be, it is not a common thing to do, but is it
> > > > possible without implementing a new policy?
> > > > 
> > > > Regards
> > > > 
> > > > 
> > > >
> > > > --
> > > > fedora-selinux-list mailing list
> > > > fedora-selinux-list at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > -- 
> > Stephen Smalley
> > National Security Agency
> > 
> 
> 
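As an added example (not code from the thread), the poster's new.te next to the version with the require block Dominick suggests, plus a small Python check that mimics the part of checkmodule's symbol resolution behind the 'unknown role unconfined_r' error. It assumes refpolicy-style syntax and only inspects role declarations, require blocks, `role ... types` statements and role allow rules, so it is a teaching aid, not a replacement for checkmodule.

```python
import re

# Constructed examples: the poster's original new.te and the same module with
# the require block Dominick suggested (imports the role defined elsewhere).
BROKEN_TE = """policy_module(new, 0.0.1)

role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
"""

FIXED_TE = """policy_module(new, 0.0.1)

require {
    role unconfined_r;
}

role new_r;
type example_t;
role new_r types example_t;
allow unconfined_r new_r;
"""


def _statements(te_text):
    """Yield (in_require_block, statement) pairs with comments stripped."""
    text = re.sub(r"#.*", "", te_text)
    text = re.sub(r"policy_module\([^)]*\)", "", text)  # the macro carries no ';'
    parts = re.split(r"require\s*\{(.*?)\}", text, flags=re.S)
    for i, part in enumerate(parts):  # odd indexes are require { } bodies
        for stmt in part.split(";"):
            if stmt.strip():
                yield i % 2 == 1, stmt.strip()


def undeclared_roles(te_text):
    """Roles referenced but neither declared nor required (checkmodule's
    'unknown role' error); unconfined_r must be brought in via require { }."""
    declared, required, used = set(), set(), set()
    for in_req, stmt in _statements(te_text):
        words = stmt.split()
        if words[0] == "role" and len(words) == 2:            # role X;
            (required if in_req else declared).add(words[1])
        elif words[0] == "role" and words[2:3] == ["types"]:   # role X types Y;
            used.add(words[1])
        elif words[0] == "allow" and ":" not in stmt and len(words) == 3:
            used.update(words[1:])                             # allow X Y; (role allow)
    return sorted(used - declared - required)
```

Running `undeclared_roles` on BROKEN_TE reports unconfined_r, on FIXED_TE nothing; the same require block is what a local module needs before `allow unconfined_r confined_r;` in the two-requirements recipe above can compile.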