sudo avc denies: was Re: Upgrading to policy-strict RPM's
Stephen Smalley
sds at epoch.ncsc.mil
Mon Jul 12 12:12:54 UTC 2004
On Fri, 2004-07-09 at 13:28, Erik Fichtner wrote:
> That reminds me.... I had this same problem, and I just worked around
> it by allowing the avc denies for sudo, and now sudo works as I
> expected it to.
The original poster showed a denial of executing sesh from user_sudo_t
without performing a domain transition. That is definitely not what you
want. sudo should transition to a user domain upon executing sesh, most
typically to sysadm_r:sysadm_t since it is typically used to assume
admin privileges for a particular command. Further, as the caller is
typically not directly authorized for an administrative shell, you need
sudo to transition to a user identity (e.g. root) that is authorized for
the administrative role.
> What IS unexpected is that su changes the users' context from "user_u"
> (or "emf" or whatever username, naturally..) to "root"... Thus, we lose
> the context audit trail of who was puttering around as root.
>
> Back in the old 2.4 (pre-xattr) SELinux, su never did this (it only
> changed uid to 0 and left the context alone), and from my casual reading
> of the flask papers; this was on purpose. (ie: it was my understanding
> that the USER would never ever change, but the ROLE and TYPE could)
>
> So what gives?
As part of the Fedora SELinux integration, RedHat created a pam_selinux
module and changed /etc/pam.d/su to invoke it, so that su performs
context transitions, including changing the user identity. Note that
the user_canbe_sysadm tunable allows you to disable the ability of
user_r:user_t to reach sysadm_r:sysadm_t via su, so that only users
authorized for staff_r can do so. That reduces your exposure. See the
following for further discussion:
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id3004527
http://marc.theaimsgroup.com/?l=selinux&m=107757717110966&w=2
And an argument against having su perform context transitions:
http://marc.theaimsgroup.com/?l=selinux&m=107765457418746&w=2
Note that the use of pam_selinux by su has also led to issues with
running daemons in pseudo user identities via su, as discussed
previously on this list.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
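As an added example that is not part of the thread: a small Python triage script that parses 2004-era AVC denial lines and flags an `execute_no_trans` denial against an `*_exec_t` file as a missing domain transition (the kind of denial the original poster saw for sesh) rather than something to simply allow. The log lines, the `sesh_exec_t` type name and the `/usr/sbin/sesh` path are constructed for the sample.

```python
import re

# Constructed sample AVC messages in the kernel log format of the time
# (the sesh denial from user_sudo_t is the case discussed in the thread).
SAMPLE_LOG = """\
audit(1089639000.123:45): avc:  denied  { execute_no_trans } for  pid=2345 exe=/usr/bin/sudo path=/usr/sbin/sesh dev=hda1 ino=9876 scontext=user_u:user_r:user_sudo_t tcontext=system_u:object_r:sesh_exec_t tclass=file
audit(1089639001.456:46): avc:  denied  { read } for  pid=2346 exe=/bin/cat path=/etc/shadow dev=hda1 ino=1234 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return permissions and contexts of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # Contexts are user:role:type triples; pull out the type component.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def classify(denial):
    """Flag an execute_no_trans denial on an entrypoint file as a missing
    domain transition: the fix is a type transition rule, not an allow rule."""
    if (denial["tclass"] == "file"
            and "execute_no_trans" in denial["perms"]
            and denial["ttype"].endswith("_exec_t")):
        return "missing-transition"
    return "ordinary"


def triage(log_text):
    """Return (source type, target type, classification) for each AVC denial."""
    results = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            results.append((d["stype"], d["ttype"], classify(d)))
    return results


if __name__ == "__main__":
    for stype, ttype, kind in triage(SAMPLE_LOG):
        print(f"{stype} -> {ttype}: {kind}")
```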