Linux – How to transition into another domain when invoking sudo

selinuxsudo

I have a daemon (collectd) that executes a script for data collection (via smartctl).

The exec-plugin of collectd mandates that external scripts are executed under a user != root.

The plan is to set it up like this:

allow collectd to change the user and perhaps execute the script (via SELinux)
create a system user X for the task at hand
configure sudo such that X is allowed to execute smartctl
configure SELinux such that a) sudo transitions to a (say) unconfined domain b) the setuid to user X (or the execution of the script) transitions to an unconfined domain

I've come up with the last step – because otherwise there is no transition, and I have to allow collectd all the smartctl related low-level permissions (e.g. sys_rawio, ioctl, execute_no_trans …) – which I want to avoid.

Sudo seems to provide SELinux related attributes, e.g. one can put into the sudoer line something like:

TYPE=unconfined_t ROLE=unconfined_r

But then sudo complains:

sudo: unable to determine enforcing mode.: Permission denied
sudo: unable to execute /usr/sbin/smartctl: Permission denied

How are the TYPE/ROLE supposed to work with sudo (under CentOS 7)?

What about route b) – how to configure this with a custom SELinux policy file?

Best Answer

You can specify a transition in a custom policy file (.te) like this:

module collectdlocalexec 1.0;

require {
        type collectd_t;
        type user_home_t;
        type unconfined_t;
        type shell_exec_t;
        class capability {setgid setuid };
        class file { execute read open };
        class process transition;
}

allow collectd_t self:capability { setgid setuid };
allow collectd_t user_home_t:file { execute read open };
allow collectd_t shell_exec_t:file execute;
allow collectd_t unconfined_t:process transition;

type_transition collectd_t user_home_t:process unconfined_t;

Assuming that the collection script is located under a user's home directory (and that is labeled with user_home_t).

Related Solutions

Linux – Wrong role and type on login

As this is a really good question, and it was of interest for me I did some searches which ended up being not very helpful. Finally I reached out to #selinux on Freenode IRC, and asked how the default selinux role is selected. Luckily the user grift could provide the missing pieces of information to answer your question.

The main component for setting the selinux context is pam_selinux.so which is responsible for setting up the session. The pam module has various configuration options, and can also interactively ask the user for the desired context. In case there is no information during the login, it falls back to use information stored in /etc/selinux/$TYPE/contexts/user/$USERID if not defined, it uses the __default__ context set in contexts/default_contexts.

root@u1604-cnt-host:/etc/pam.d# grep selinux *
lightdm:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
lightdm:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
lightdm-autologin:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
lightdm-autologin:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
lightdm-greeter:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
lightdm-greeter:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
login:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
login:session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
sshd:session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so close
sshd:session [success=ok ignore=ignore module_unknown=ignore default=bad]        pam_selinux.so open
systemd-user:session  required pam_selinux.so close
systemd-user:session  required pam_selinux.so nottys open
root@u1604-cnt-host:/etc/pam.d#

As lightdm uses the same pam_selinux.so calls as login or sshd this should not be the source of the problem.

I've shortly tried to get the desired change working in Ubuntu, but had the impression that the selinux policy was messed up at process level. So I've done some tests on Fedora:

[root@workbench users]# cat /etc/selinux/targeted/contexts/users/staff_u
system_r:local_login_t:s0       guest_r:guest_t:s0 staff_r:staff_t:s0
system_r:remote_login_t:s0      staff_r:staff_t:s0
system_r:sshd_t:s0              guest_r:guest_t:s0 staff_r:staff_t:s0
%<--- snipp ---%<

switching system_r:sshd_t:s0 to guest_r:guest_t:s0 workes fine, the selinux user must have the role assigned in order to work. The sshd process is running under the system_r:sshd_t domain. When trying to switch the default context for staff_u to sysadm_r:sysadm_t|system_r:system_r the login falls back to staff_r:staff_t:s0 when just replacing the guest_r:guest_t part. This is related to the policy for system_r:sshd_t that does not allow a context switch to system_r or sysadm_t.

Setting a non-working combination leads to unconfined_r:unconfined_t which is the default type on Fedora targeted, as default_contexts contains user_r:user_t for system_r:sshd_t but the selinux user had no access to the user_r role during the test.

Some more details on the topic:

https://selinuxproject.org/page/PolicyConfigurationFiles#contexts.2Fusers.2F.5Bseuser_id.5D_File

https://selinuxproject.org/page/RefpolicyBasicRoleCreation#Default_Contexts

Best Answer

Related Solutions

Linux – Wrong role and type on login

Related Question