Bug 1220046

Summary: sudo: SELinux confined users are unable to transition to sysadm_r/t
Product: [openSUSE] openSUSE Tumbleweed
Reporter: William Brown <william.brown>
Component: Security
Assignee: Simon Lees <simonf.lees>
Status: NEW
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: cathy.hu, otto.hollmann
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other

Description William Brown 2024-02-19 05:54:37 UTC
# useradd user_staff
# semanage login --add -s staff_u -r s0 user_staff
# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          user_u               s0                   *
admin                unconfined_u         s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
user_staff           staff_u              s0                   *

Add the user to sudoers:

user_staff ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL

Login:

# ssh user_staff@172.24.20.49
(user_staff@172.24.20.49) Password:
Last login: Mon Feb 19 15:37:15 AEST 2024 from 172.24.12.42 on ssh
Have a lot of fun...
user_staff@h-172-24-20-49:~> id
uid=1002(user_staff) gid=1002(user_staff) groups=1002(user_staff) context=staff_u:staff_r:staff_t:s0

user_staff@h-172-24-20-49:~> sudo -s
[sudo] password for user_staff:
sudo: unable to execute /bin/bash: No such file or directory

h-172-24-20-49:/home/admin # ausearch -ts recent | grep den
type=AVC msg=audit(1708321129.668:288): avc:  denied  { search } for  pid=2026 comm="sudo" name="logins" dev="dm-1" ino=51368770 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=0
Seems to be a policy issue with staff_sudo_t transitioning via sudo to sysadm_r.
Comment 1 William Brown 2024-02-19 05:58:05 UTC
My guess is the related policy in ./policy/modules/admin/sudo.if has a problem.
Comment 2 William Brown 2024-02-19 06:02:23 UTC
semodule -DB

type=AVC msg=audit(1708322514.806:128): avc:  denied  { noatsecure } for  pid=1799 comm="bash" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.809:129): avc:  denied  { rlimitinh } for  pid=1799 comm="sudo" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.809:130): avc:  denied  { siginh } for  pid=1799 comm="sudo" scontext=staff_u:staff_r:staff_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.829:131): avc:  denied  { noatsecure } for  pid=1800 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.829:132): avc:  denied  { read write } for  pid=1800 comm="unix_chkpwd" path="/dev/pts/2" dev="devpts" ino=5 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=staff_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1708322514.829:133): avc:  denied  { rlimitinh } for  pid=1800 comm="unix_chkpwd" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.829:134): avc:  denied  { siginh } for  pid=1800 comm="unix_chkpwd" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:chkpwd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1708322514.839:138): avc:  denied  { read } for  pid=1799 comm="sudo" name="shadow" dev="dm-1" ino=257369 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708322514.839:139): avc:  denied  { open } for  pid=1799 comm="sudo" path="/etc/shadow" dev="dm-1" ino=257369 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708322514.839:140): avc:  denied  { getattr } for  pid=1799 comm="sudo" path="/etc/shadow" dev="dm-1" ino=257369 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708322514.839:141): avc:  denied  { net_admin } for  pid=1799 comm="sudo" capability=12  scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:staff_r:staff_sudo_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1708322514.846:142): avc:  denied  { search } for  pid=1799 comm="sudo" name="logins" dev="dm-1" ino=51368770 scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=system_u:object_r:selinux_login_config_t:s0 tclass=dir permissive=1
Comment 3 William Brown 2024-02-19 06:03:30 UTC
Seems to be unrelated to the /bin -> /usr/bin symlinks; tried after chsh -s /usr/bin/bash and it still fails.
Comment 4 William Brown 2024-02-19 06:04:43 UTC
Curiously, even in permissive mode sudo -i/-s still fails?
Comment 5 William Brown 2024-02-19 06:16:20 UTC
Okay, I've narrowed it down to an issue in sudo. It appears if you have:

user_staff ALL=(ALL:ALL) ALL

It works.

user_staff ALL=(ALL:ALL) TYPE=unconfined_t ROLE=unconfined_r ALL

Fails. Is there something missing in sudo or something?
Comment 9 Cathy Hu 2024-03-13 16:09:56 UTC
@William

You could try to add this line to /usr/etc/sudo.conf:
Path sesh /usr/libexec/sudo/sesh

Let me know if the problem then still persists for you (it worked for me).
Comment 10 William Brown 2024-03-14 00:41:56 UTC
(In reply to Cathy Hu from comment #9)
> @William
> 
> you could try to add this line to /usr/etc/sudo.conf:
> Path sesh /usr/libexec/sudo/sesh
> 
> 
> Let me know if the problem then still persists for you (it worked for me)

And like magic, it works:

user_staff@localhost:~> id
uid=1002(user_staff) gid=1002(user_staff) groups=1002(user_staff) context=staff_u:staff_r:staff_t:s0
user_staff@localhost:~> sudo -s
[sudo] password for user_staff:
localhost:/home/user_staff # id
uid=0(root) gid=0(root) groups=0(root) context=staff_u:sysadm_r:sysadm_t:s0
localhost:/home/user_staff #

So I think we need to update that default :)
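As an added example, not part of the bug report or of sudo itself: a POSIX shell check that, given a sudo.conf and a sudoers file, reports whether a Path sesh entry is present and points at an executable, and lists the ROLE=/TYPE= rules (like the one in comment 5) whose sudo -s / sudo -i depend on it. The sample files are constructed inline; the paths /usr/etc/sudo.conf and /usr/libexec/sudo/sesh are the ones named in comment 9, and the return codes of check_sesh are my own convention.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sudo itself: check that a
# sudo.conf names the sesh helper that sudo needs when a sudoers rule sets
# ROLE=/TYPE=, and list the rules that depend on it. File paths are parameters
# so the functions run against constructed samples below; on a host you would
# pass /usr/etc/sudo.conf (or /etc/sudo.conf) and /etc/sudoers.

# Print the sesh path from a sudo.conf line "Path sesh /some/path"; return 1 if absent.
sesh_path_in_conf() {
    awk '
        /^[[:space:]]*#/ { next }   # skip comment lines
        tolower($1) == "path" && $2 == "sesh" && NF >= 3 { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0: sesh configured and executable; 1: no Path sesh entry at all;
# 2: the entry points at something that is not an executable file.
check_sesh() {
    sesh=$(sesh_path_in_conf "$1") || {
        echo "$1: no 'Path sesh' entry; sudo -s/-i under a ROLE=/TYPE= rule fails" >&2
        return 1
    }
    [ -x "$sesh" ] || { echo "$1: sesh set to $sesh, which is not executable" >&2; return 2; }
    echo "$1: sesh = $sesh"
}

# Print sudoers rules that request an SELinux role or type transition.
selinux_rules() {
    grep -E '^[^#]*(ROLE|TYPE)=' "$1"
}

# Constructed sample files standing in for a host's real configuration.
WORK=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$WORK/sesh" && chmod +x "$WORK/sesh"
printf '# no sesh entry\nPlugin sudoers_policy sudoers.so\n' > "$WORK/sudo.conf.broken"
printf 'Plugin sudoers_policy sudoers.so\nPath sesh %s\n' "$WORK/sesh" > "$WORK/sudo.conf.fixed"
printf 'Path sesh %s/missing\n' "$WORK" > "$WORK/sudo.conf.missing"
cat > "$WORK/sudoers" <<'EOF'
# constructed sudoers
root ALL=(ALL:ALL) ALL
user_staff ALL=(ALL:ALL) TYPE=sysadm_t ROLE=sysadm_r ALL
admin ALL=(ALL:ALL) ALL
EOF

for f in broken fixed missing; do
    check_sesh "$WORK/sudo.conf.$f" || true
done
echo "rules that need sesh:"; selinux_rules "$WORK/sudoers"
```

The same two functions work unchanged against the real files; a host that shows the comment 5 symptom should report "no 'Path sesh' entry" for its sudo.conf.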