
DAC bypass after split security task to secadm user #837

Open
uudiin opened this issue Nov 22, 2024 · 4 comments
Comments

@uudiin

uudiin commented Nov 22, 2024

My goal is to share the management of security policies and selinux-related operation permissions with the secadm user. I created a selinux user named secadm_u and a normal user secadm with the following commands:

semanage user --add --roles secadm_r secadm_u
useradd -m -U -Z secadm_u secadm

Under DAC, secadm is a general user, which causes operations like setenforce to fail, because the interface files under /sys/fs/selinux require write permission from the owner root; for example, the disable file can only be written by the owner root:

# ll /sys/fs/selinux/disable
--w-------. 1 root root 0 Jan  1  1970 /sys/fs/selinux/disable

The newly created general user cannot pass the DAC check. Is there a more formal solution for this, or can it only be solved by modifying the owner of /sys/fs/selinux?

@uudiin
Author

uudiin commented Nov 22, 2024

It looks like the dac_override is not working, or am I missing something?

@pebenito
Member

/sys/fs/selinux/disable isn't a good example, as it won't work if a SELinux policy is loaded. In fact, I'm surprised it exists once the policy is loaded (@pcmoore ?)

secadm_t has dac_override and fowner, so I wouldn't expect there to be any DAC issue here. You could do a basic check of your capability set, in case you don't have the capabilities you think you have:

$ grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

$ sudo grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

@dburgener
Member

Probably worth pointing out that dac_override doesn't let a user without DAC privileges bypass DAC checks. It's for a privileged user (e.g. root) to use their root powers to bypass DAC checks. (SELinux always adds more restrictions on top of DAC, not allowing any overrides or bypasses of DAC by itself.)

@uudiin
Author

uudiin commented Nov 24, 2024

@pebenito As you said, this general user secadm doesn't have the corresponding capability. I added the cap_dac_override capability for secadm via pam_cap.so from libcap, but this is only an inherited capability; I don't know how to add an effective capability set for this user?

# cat /proc/5023/status | grep 'Cap'
CapInh:	0000000000000006
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	000001ffffffffff
CapAmb:	0000000000000000

It's possible to add a capability set to all executables used by that user, as shown below for cat; then general secadm users can read files through cat that were originally unreadable, such as /etc/shadow, but it doesn't seem like a good idea.

setcap cap_dac_override=ep /usr/bin/cat
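As an added example (not code from this thread or from the refpolicy project), the script below decodes the Cap* lines of /proc/<pid>/status and applies the execve() transformation rules from capabilities(7), which explains why the inheritable-only grant from pam_cap never becomes effective on a binary without file capabilities, and what `=ep` on cat does; it goes one step beyond the thread by also showing the `=ei` file-capability case, where the bit is granted only to processes whose inheritable set already holds it. The capability bit numbers are assumed to follow mainline <linux/capability.h>, and the sample status lines are constructed from the values posted above.

```python
import re

# Capability bit numbers from <linux/capability.h> (subset; assumption that
# the host follows the mainline numbering).
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
             3: "cap_fowner", 7: "cap_setuid", 21: "cap_sys_admin"}
DAC_OVERRIDE = 1 << 1

# Constructed sample: the Cap* lines posted above for pid 5023.
SAMPLE_STATUS = ("CapInh:\t0000000000000006\nCapPrm:\t0000000000000000\n"
                 "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
                 "CapAmb:\t0000000000000000\n")

def parse_caps(status_text):
    """Map each Cap* line of /proc/<pid>/status to its integer bitmask."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$",
                                 status_text, re.M)}

def cap_names(mask):
    """Names of the set bits in a capability mask (unknown bits as cap_N)."""
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)

def caps_after_exec(proc, f_perm=0, f_inh=0, f_eff=False):
    """capabilities(7) execve() rules for a non-root process.

    f_perm/f_inh/f_eff are the binary's file capability sets (all zero for a
    file without file caps). Returns the new (permitted, effective) pair."""
    privileged = bool(f_perm or f_inh)            # file caps clear ambient
    ambient = 0 if privileged else proc["CapAmb"]
    permitted = ((proc["CapInh"] & f_inh) | (f_perm & proc["CapBnd"]) | ambient)
    effective = permitted if f_eff else ambient
    return permitted, effective

if __name__ == "__main__":
    proc = parse_caps(SAMPLE_STATUS)
    print("process inheritable:", cap_names(proc["CapInh"]))
    # Case 1: plain cat with no file caps -> nothing becomes effective.
    print("exec plain cat:", cap_names(caps_after_exec(proc)[1]))
    # Case 2: setcap cap_dac_override=ep -> every caller of cat gets it,
    # whatever their inheritable set says.
    print("exec cat =ep:",
          cap_names(caps_after_exec(proc, f_perm=DAC_OVERRIDE, f_eff=True)[1]))
    # Case 3: setcap cap_dac_override=ei -> ANDed with the process
    # inheritable set, so only pam_cap-granted users receive it.
    print("exec cat =ei:",
          cap_names(caps_after_exec(proc, f_inh=DAC_OVERRIDE, f_eff=True)[1]))
```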
