From: ml_selinux-refpolicy@binary-island.eu (Matthias Dahl)
Date: Fri, 31 Jul 2015 16:47:34 +0200
Subject: [refpolicy] automatic user context switching w/ su and active UBAC
Message-ID: <2415278.FSr3TbIWlG@dreamgate>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello all,

I have run into a snag while trying to setup su to automatically do a user 
context switch through PAM (pam_selinux) while UBAC is active.

If you exempt sysadm_su_t from certain UBAC constraints, you will soon end up 
in a situation where you have to deal with su running in root:..:sysadm_su_t 
while the forked child process runs in whatever context the Linux user is 
mapped to, thus you automatically hit u1 != u2 and since only ubac_constrained 
types are involed, most operations will fail when dealing with the parent 
process (or its resources).

I am at a loose how to further deal with this, unfortunately.

If you put the target seuser type (e.g. user_t) in permissive or exempt it 
from all UBAC constraints, it will work perfectly. But that's obviously not a 
solution.

Since the constraints are wired in such a way that the participation of the 
system_u user also satisfies the constraint, one idea would be to somehow 
force su through that one while making sure that the context is /always/ 
dropped to a proper user context or the login fails -- which can be done 
through PAM. But all this feels like a bandaid/hack and not a proper solution 
and brings its own kind of problems.

So I wanted to kindly ask for help / suggestions on how to solve this?

IMHO, having su change the context properly to what the user is mapped to, is 
also something that from a security perspective is desirable since otherwise 
you end up being logged in as an unprivileged Linux user but have a rather 
(over-)privileged context active with no way of changing that.

And from the UBAC perspective, I think it is quite necessary to at least have 
something like su do a proper switch since you will want all your files you 
create have the proper user context (or remember manually resetting contexts).

Just two advantages from the top of my head.

Thanks in advance for taking the time and your patience. :)

With Kind Regards from Germany
Matthias Dahl

-- 
Dipl.-Inf. (FH) Matthias Dahl | Software Engineer | binary-island.eu
 services: custom software [desktop, mobile, web], server administration