On Tue, 2009-06-23 at 12:20 -0400, Stephen Smalley wrote:
On Tue, 2009-06-23 at 17:17 +0200, Dominick Grift wrote:
> It is possible I think, yes.
I could be wrong, but I think the original poster wanted a way he could
switch to another user's security context in its entirety using su or
sudo. Which today we do not support.
The original (and current) view is that the SELinux user field should
only get set when a session is created, and only role, type, and level
can change within a session and only then if within the authorized roles
and levels for the user. That bounds access escalation within a login
session. su doesn't affect the SELinux security context, and
newrole/sudo are limited to changing role, type, or level.
In early Fedora and RHEL 4, there was support for switching the entire
security context upon su, but that was removed. To reinstate it, you
would need to do two things:
1) Add the necessary policy rules to allow su to switch the entire
context. Look at the rules under an ifdef distro_rhel4 in su.if in the
refpolicy for example. You could add those as a local policy module
rather than rebuilding the base policy.
2) Add pam_selinux entries to /etc/pam.d/su. Look in /etc/pam.d/login
for an example of how to do so.
And I can't guarantee it will still work, as no one uses it that way
anymore.
Oh, but I forgot that he is starting from unconfined_t, so it isn't
quite that complicated, as su doesn't even run in its own domain when
called by unconfined_t.
This worked for me:
# vi foo.te
policy_module(foo, 1.0)

require {
    type unconfined_t;
    type user_t;
    role unconfined_r;
    role user_r;
}

# let unconfined_t processes transition into user_t
allow unconfined_t user_t:process transition;
# let a process in unconfined_r change to user_r
allow unconfined_r user_r;
# make -f /usr/share/selinux/devel/Makefile foo.pp
# semodule -i foo.pp
# runcon user_u:user_r:user_t:s0 /bin/bash
# id -Z
user_u:user_r:user_t:s0
So you could use runcon to switch contexts (since you are starting from
unconfined_t), and then use su to switch Linux uid.
--
Stephen Smalley
National Security Agency
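The session-bound rule described above (user field fixed for the life of a login session; role, type and level may change only within the roles authorized for that user) can be written down as a small classifier. This is an added example, not code from the thread or from the SELinux userspace; the authorized-role table it uses is constructed, not read from a real policy.

```python
"""Classify an SELinux context change against the session-bound rule:
the user field only changes when a session is created (pam_selinux, or
runcon from unconfined_t as in the thread); newrole/sudo may change
role, type or level, and only to roles authorized for that user.
Added example; AUTHORIZED_ROLES is a constructed stand-in for the
policy's `user ... roles { ... }` statements."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: str  # MLS/MCS range, e.g. "s0" or "s0-s0:c0.c1023"

    @classmethod
    def parse(cls, text: str) -> "Context":
        # The level may itself contain ':' (category sets), so split at most 3 times.
        parts = text.strip().split(":", 3)
        if len(parts) != 4 or not all(parts):
            raise ValueError(f"malformed context: {text!r}")
        return cls(*parts)


# Constructed: which roles each SELinux user may take within a session.
AUTHORIZED_ROLES = {
    "unconfined_u": {"unconfined_r", "system_r"},
    "user_u": {"user_r"},
    "staff_u": {"staff_r", "sysadm_r"},
}


def classify_change(current: str, target: str) -> str:
    """Return how a change from `current` to `target` would be treated.

    'unchanged'      same context
    'new-session'    user field differs: only session creation can do this,
                     not newrole/sudo (hence runcon + su in the thread)
    'within-session' user unchanged, target role authorized for that user
    'denied'         user unchanged, target role not authorized
    """
    cur, tgt = Context.parse(current), Context.parse(target)
    if cur == tgt:
        return "unchanged"
    if cur.user != tgt.user:
        return "new-session"
    if tgt.role not in AUTHORIZED_ROLES.get(tgt.user, set()):
        return "denied"
    return "within-session"
```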