SELinuxProject / refpolicy

SELinux Reference Policy v2
https://github.com/SELinuxProject/refpolicy/wiki
GNU General Public License v2.0

DAC bypass after split security task to secadm user #837

Open uudiin opened 5 days ago

uudiin commented 5 days ago

My goal is to share the management of security policies and selinux-related operation permissions with the secadm user. I created a selinux user named secadm_u and a normal user secadm with the following commands:

semanage user --add --roles secadm_r secadm_u
useradd -m -U -Z secadm_u secadm

Under DAC, secadm is a general user, which causes operations like setenforce to fail, because the interface files under /sys/fs/selinux require write permission from the owner root; for example, the disable file can only be written by the owner root:

# ll /sys/fs/selinux/disable
--w-------. 1 root root 0 Jan  1  1970 /sys/fs/selinux/disable

and the newly created general user cannot pass the DAC check. Is there a more formal solution for this? Maybe it can only be solved by modifying the owner of /sys/fs/selinux?

uudiin commented 4 days ago

It looks like the dac_override is not working, or am I missing something?

pebenito commented 4 days ago

/sys/fs/selinux/disable isn't a good example, as it won't work if a SELinux policy is loaded. In fact, I'm surprised it exists once the policy is loaded (@pcmoore ?)

secadm_t has dac_override, and fowner, so I wouldn't expect there to be any DAC issue here. You could do a basic check of your capability set, in case you don't have the capabilities you think you have:

$ grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

$ sudo grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

dburgener commented 4 days ago

Probably worth pointing out that dac_override doesn't let a user without DAC privileges bypass DAC checks. It's for a privileged user (e.g. root) to use their root powers to bypass DAC checks. (SELinux always adds more restrictions on top of DAC, not allowing any overrides or bypasses of DAC by itself.)

uudiin commented 2 days ago

@pebenito As you said, this general user secadm doesn't have the corresponding capability. I added the cap_dac_override capability for secadm via pam_cap.so from libcap, but this is only an inherited capability; I don't know how to add an effective capability set for this user.

# cat /proc/5023/status | grep 'Cap'
CapInh: 0000000000000006
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

It's possible to add a capability set to all executables used by that user, as shown below for cat; then general secadm users can read files that were originally unreadable through cat, such as /etc/shadow, but it doesn't seem like a good idea.

setcap cap_dac_override=ep /usr/bin/cat
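As an added example (not code from the issue thread or from refpolicy), the following decodes the Cap* masks quoted above and applies the execve() capability rules from capabilities(7), showing why an inheritable-only cap_dac_override granted by pam_cap never becomes effective after a plain exec, and what the setcap line on cat changes. The capability-name table is a subset of the kernel's bit numbers, and the file-capability tuple is constructed to match `setcap cap_dac_override=ep`.

```python
# Added example; the Cap* values are copied from the issue, nothing live is read.
CAP_DAC_OVERRIDE = 1  # bit numbers from <linux/capability.h>; subset named below
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
             7: "cap_setuid", 21: "cap_sys_admin"}

# Constructed from the /proc/5023/status output quoted in the issue.
STATUS_5023 = """\
CapInh: 0000000000000006
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
"""
# File capabilities written by `setcap cap_dac_override=ep /usr/bin/cat`:
# (inheritable mask, permitted mask, effective flag).
FILE_CAPS_CAT = (0, 1 << CAP_DAC_OVERRIDE, True)

def parse_status(text):
    """Return the Cap* lines of a /proc/PID/status dump as {name: int mask}."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            name, value = line.split(":")
            caps[name.strip()] = int(value, 16)
    return caps

def decode(mask):
    """List the capability names for every set bit in a mask."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(mask.bit_length())
            if mask >> b & 1]

def caps_after_exec(proc, file_caps=None):
    """Capability sets after execve() for a non-root caller, per capabilities(7).

    P'(ambient)   = file has caps ? 0 : P(ambient)
    P'(permitted) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(ambient)
    P'(effective) = F(eff) ? P'(permitted) : P'(ambient)
    """
    f_inh, f_prm, f_eff = file_caps if file_caps else (0, 0, False)
    new_amb = 0 if file_caps else proc["CapAmb"]
    new_prm = (proc["CapInh"] & f_inh) | (f_prm & proc["CapBnd"]) | new_amb
    new_eff = new_prm if f_eff else new_amb
    return {"CapInh": proc["CapInh"], "CapPrm": new_prm, "CapEff": new_eff,
            "CapBnd": proc["CapBnd"], "CapAmb": new_amb}

if __name__ == "__main__":
    caps = parse_status(STATUS_5023)
    print("inheritable:", decode(caps["CapInh"]))
    print("effective, plain exec:", decode(caps_after_exec(caps)["CapEff"]))
    print("effective, setcap'd cat:", decode(caps_after_exec(caps, FILE_CAPS_CAT)["CapEff"]))
```

With no file capabilities the permitted and effective sets stay empty, matching the quoted CapPrm/CapEff of 0; only a file that carries the capability (or a process that already holds it in its permitted set) can make it effective, which is why pam_cap alone is not enough.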