From: Dominick Grift
To: selinux-refpolicy@vger.kernel.org
Cc: Dominick Grift
Subject: [PATCH] Remove shell automatic domain transitions to unconfined_t from various pam login programs
Date: Sun, 1 Sep 2019 14:46:20 +0200
Message-Id: <20190901124620.375409-1-dac.override@gmail.com>
X-Mailer: git-send-email 2.23.0
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users).

Some aspects to note:

1. The ssh_sysadm_login boolean now applies to unconfined_t as well
2. remotelogin only allows unpriv logins

The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.

Signed-off-by: Dominick Grift
---
 policy/modules/services/remotelogin.te | 4 ----
 policy/modules/services/ssh.te         | 4 ----
 policy/modules/system/locallogin.te    | 4 ----
 3 files changed, 12 deletions(-)

diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index bc2292e3..c7c9c564 100644
--- a/policy/modules/services/remotelogin.te +++ b/policy/modules/services/remotelogin.te @@ -91,10 +91,6 @@ optional_policy(` telnet_use_ptys(remote_login_t) ') -optional_policy(` - unconfined_shell_domtrans(remote_login_t) -') - optional_policy(` usermanage_read_crack_db(remote_login_t) ') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 4e75b6e1..a99ad912 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -328,10 +328,6 @@ optional_policy(` systemd_dbus_chat_logind(sshd_t) ') -optional_policy(` - unconfined_shell_domtrans(sshd_t) -') - optional_policy(` xserver_domtrans_xauth(sshd_t) xserver_link_xdm_keys(sshd_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a56f3d1f..632d2542 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -200,10 +200,6 @@ optional_policy(` systemd_write_inherited_logind_sessions_pipes(local_login_t) ') -optional_policy(` - unconfined_shell_domtrans(local_login_t) -') - optional_policy(` usermanage_read_crack_db(local_login_t) ') -- 2.23.0
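Review bot: for the remotelogin.te hunk, the rationale is only implied by item 2 of the commit message ("remotelogin only allows unpriv logins"); please state the effect next to it, namely that with `unconfined_shell_domtrans(remote_login_t)` gone, remote_login_t no longer transitions a spawned shell to unconfined_t on its own, and any unconfined login through this path now depends on the pam_selinux manual transition the message mentions for the other modules. The removal itself is clean: the whole `optional_policy(` ... `')` block is dropped, so no empty block is left behind.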
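Review bot: for the ssh.te hunk, item 1 of the commit message says ssh_sysadm_login now also gates unconfined_t, which is a behaviour change for existing deployments and not just the cleanup that removing `unconfined_shell_domtrans(sshd_t)` looks like in isolation; the commit message should say what an administrator who relied on the automatic transition for unconfined_t ssh logins must do after this change (enable the boolean, or confirm that pam_selinux performs the transition), so nobody is locked out of a remote session by a policy update.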
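Review bot: for the locallogin.te hunk, the commit message explains why rshd was skipped (its policy lacks manual-transition support via pam_selinux) but never states that locallogin, ssh and remotelogin do have that support; since that property is what makes dropping `unconfined_shell_domtrans(local_login_t)` safe, please say so explicitly in the message. The three hunks are identical in shape, so one sentence covering all three modules is enough.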