sudo avc denies: was Re: Upgrading to policy-strict RPM's

Erik Fichtner emf at obfuscation.org
Mon Jul 12 13:14:20 UTC 2004


On Mon, Jul 12, 2004 at 08:12:54AM -0400, Stephen Smalley wrote:
> The original poster showed a denial of executing sesh from user_sudo_t
> without performing a domain transition.  That is definitely not what you
> want.  sudo should transition to a user domain upon executing sesh, most
> typically to sysadm_r:sysadm_t since it is typically used to assume
> admin privileges for a particular command.  

Actually, the user should newrole to sysadm_r before they're allowed to
execute sudo/su.  Or, if you want to make life easier for the user,
sudo/su could be allowed to perform a role transition on its own, but
it should *never* change the identity.    


> Further, as the caller is
> typically not directly authorized for an administrative shell, you need
> sudo to transition to a user identity (e.g. root) that is authorized for
> the administrative role.

Nonsense.  You can allow your IDENTITIES (context users) to have the
ability to attain an administrative role which then lets them have the 
completely orthogonal USER (unix user id).  It seems that Fedora/SELinux
is attempting to entirely replace the uid/gid concept instead of
augmenting it; and in the process appears to have misplaced the
difference between uid and euid. (which is not to say that uid/euid ever
really worked right in unix)   

[ For example, the system really SHOULD know the difference between
user "emf" su'ing to user "joe" and running joe's .bashrc.  When I do 
that, I am not joe, I am merely impersonating him for some reason. ]

uid/gid isn't what's wrong with unix authentication; "root" is.
[ "root" meaning shared identities; privileged or otherwise. ]

> As part of the Fedora SELinux integration, RedHat created a pam_selinux
> module and changed /etc/pam.d/su to invoke it, so that su performs
> context transitions, including changing the user identity.  Note that
> the user_canbe_sysadm tunable allows you to disable the ability of
> user_r:user_t to reach sysadm_r:sysadm_t via su, so that only users
> authorized for staff_r can do so.  That reduces your exposure.  See the
> following for further discussion:
> 
> http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/index.html#id3004527
> http://marc.theaimsgroup.com/?l=selinux&m=107757717110966&w=2
> 
> And an argument against have su perform context transitions:
> http://marc.theaimsgroup.com/?l=selinux&m=107765457418746&w=2
> 
> Note that the use of pam_selinux by su has also led to issues with
> running daemons in pseudo user identities via su, as discussed
> previously on this list.

I find that I must agree with the dissenting viewpoint.  Changing the 
identity is a terrible idea.   Having daemons running in pseudouser 
identities could just as well be handled by having unix_uid along with an 
unprivileged user_u identity and a ${daemon}_r:${daemon}_t context.  
We don't need ${daemon}_u as well, and user_u can do far too much by 
default in FC2.

It would be really nice if this were a tunable as well, since some 
folks appear to want the identity transition, but I personally think
that the "Strict" configuration should disable ID transition.

That's all. 

-- 
Erik Fichtner; Unix Ronin
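The arrangement argued for above (sudo performs a domain and role transition, but the SELinux identity is never changed) can be sketched in the checkpolicy syntax of that era. This is an added illustration, not policy from the thread or from Fedora; the type name sudo_exec_t and the identity name emf are assumed, the other names come from the discussion, and it presumes the policy's role-change constraints permit this transition.

```selinux
# Added example, not part of the original post: role change via sudo
# with the SELinux identity (context user) left untouched.
# Assumed names: sudo_exec_t (label of the sudo binary), identity emf.

type sudo_exec_t, file_type, exec_type;
type user_sudo_t, domain;

# Identity emf is authorized for both roles, so no change of identity
# (e.g. to root) is needed to reach sysadm_r.
user emf roles { user_r sysadm_r };

# Each role must list the domains it may run in.
role user_r   types { user_t user_sudo_t };
role sysadm_r types { user_sudo_t sysadm_t };

# Domain transition user_t -> user_sudo_t on executing sudo.  This is
# the transition whose absence produced the original poster's denial
# (sesh executed directly from user_sudo_t without a transition).
allow user_t sudo_exec_t:file { getattr read execute };
allow user_t user_sudo_t:process transition;
allow user_sudo_t sudo_exec_t:file entrypoint;
type_transition user_t sudo_exec_t:process user_sudo_t;

# Role transition on the same execve: user_r -> sysadm_r.  Only the
# role component changes; the identity component stays emf.
allow user_r sysadm_r;
role_transition user_r sudo_exec_t sysadm_r;

# Resulting contexts (identity unchanged throughout):
#   before execve:  emf:user_r:user_t
#   after execve:   emf:sysadm_r:user_sudo_t
```

Contrast this with the pam_selinux approach quoted above, where su also rewrites the identity component to root, which is the step the reply objects to.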