I have seen a lot of sudo rules that were badly written and allowed some sort of privilege escalation, and I was wondering if SELinux could be leveraged to prevent that. Here is an example:
I am assuming I have a confined user named “confined”, who is able to elevate privileges and gain root access.
To give a practical example:
useradd confined -Z staff_u
echo 'confined ALL = (ALL) NOPASSWD: /bin/cat' > /etc/sudoers.d/confined
we authorize our public key, log in as the “confined” user, and we can verify that SELinux works great:
# case1:
[confined@raw ~]$ sudo cat /etc/shadow
cat: /etc/shadow: Permission denied
# case2:
[confined@raw ~]$ sudo cat /root/.bash_history
cat: /root/.bash_history: Permission denied
# case3:
[confined@raw ~]$ sudo cat /home/cloud-user/.ssh/id_rsa
cat: /home/cloud-user/.ssh/id_rsa: Permission denied
however it’s still possible to access the SSH private keys:
# case4:
[confined@raw ~]$ sudo cat /root/.ssh/id_rsa | head -1
-----BEGIN OPENSSH PRIVATE KEY-----
# case5:
[confined@raw ~]$ sudo -u cloud-user cat /home/cloud-user/.ssh/id_rsa | head -1
-----BEGIN OPENSSH PRIVATE KEY-----
it is possible because while /root has label admin_home_t, /root/.ssh is labelled with ssh_home_t, which staff_u can access. Also if confined can really elevate privileges to root, it can also change user and read other users’ data as well.
It seems that this is the kind of threat that SELinux is made to help defend against, so I was wondering if anyone had any insight on possible ways to configure that better. Thanks!
case1 and 3: permission denied because of missing dac_override and dac_read_search capabilities
case2: denied because staff_u cannot read files labelled admin_home_t
case4 and 5: are allowed as staff_u can read files labelled ssh_home_t and there is no extra capability needed.
So SELinux is just working as configured, and is not really useful for my usecase, so confining the users in the hope of reducing the exposure of badly written sudo rules does not bring much.
EDIT2: in fact it is completely useless as I can also run
# case6:
[confined@raw ~]$ sudo -r unconfined_r cat /etc/shadow
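The reason case6 works is that `sudo -r` can only select a role that the caller's SELinux user is already allowed to enter, and the stock staff_u user on Fedora/RHEL-style policies carries staff_r, sysadm_r and unconfined_r. The following shell snippet is an added example, not part of the original post: it audits `semanage user -l` output for SELinux users whose role set includes unconfined_r or sysadm_r, and shows (in comments, not executed) the `semanage` commands that remove that escape route. The `semanage user -l` listing embedded below is constructed sample data, not captured from a real host, and the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original post): find SELinux users that can be
# asked, via `sudo -r <role>`, to leave their confined domain. Input is the
# text format of `semanage user -l`. The sample below is constructed.

SAMPLE_SEMANAGE_USERS='
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
confined_u      user       s0         s0                             staff_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
'

# Print "<selinux user> <role>" for every user/role pair where the role is
# unconfined_r or sysadm_r. Header lines have fewer than 5 fields or start
# with "SELinux", so they are skipped; roles begin at field 5.
# Usage: escape_roles "$(semanage user -l)"
escape_roles() {
    printf '%s\n' "$1" | awk '
        NF >= 5 && $1 != "SELinux" {
            for (i = 5; i <= NF; i++)
                if ($i == "unconfined_r" || $i == "sysadm_r")
                    print $1, $i
        }'
}

# Exit 0 when the named SELinux user has neither escape role, 1 otherwise.
# Usage: user_is_confined "$(semanage user -l)" staff_u
user_is_confined() {
    escape_roles "$1" | awk -v u="$2" '$1 == u { found = 1 } END { exit found ? 1 : 0 }'
}

# Remediation (real semanage syntax, needs root; shown here, not run):
#   semanage user -m -R 'staff_r' staff_u          # strip sysadm_r/unconfined_r from staff_u
# or map the login to a dedicated SELinux user that only has staff_r:
#   semanage user -a -R 'staff_r' confined_u
#   semanage login -a -s confined_u confined

# Stand-alone run against the constructed sample:
escape_roles "$SAMPLE_SEMANAGE_USERS"
```

With the sample input the audit flags root, staff_u and unconfined_u; confined_u, which only has staff_r, passes `user_is_confined`. Closing the role escape still leaves cases 4 and 5 as described above, since staff_t is allowed to read ssh_home_t regardless of which role the caller holds; that part needs a policy change, not a role change.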