I configured SELinux:

semanage login -a -s user_u mary
setsebool user_exec_content off

The general configuration is

SELINUX=enforcing
SELINUXTYPE=targeted

When I log in to the mary account I can still run the scripts in her account, but shouldn't setsebool (user_exec_content=off) forbid that?

Can anyone point me in the right direction ?

user9517
Monorels
  • When the user is logged in, do you see them as confined in `ps -feZ`? Do they log in via ssh; and if so, is `UsePAM` set to yes in sshd_config? – Aaron Dec 29 '16 at 19:54
  • I log in through ssh and then log in to the mary account from the root account, but if I log in to the mary account directly via ssh then everything works as it should. I've done a foolish thing. – Monorels Dec 29 '16 at 20:02
  • To pick up the selinux contexts using `su`, you would need `su - username` and you should see it. You might try `su - mary -c "id -Z"` – Aaron Dec 29 '16 at 20:04
  • `su - mary -c "id -Z"` - No, it will not; it only works if you go directly to the mary account. If you do it through `su - mary` out of root, it does not work. – Monorels Dec 29 '16 at 20:15
  • [root@outsider1 ~]# su - mary
    [mary@outsider1 ~]$ id -Z
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    – Monorels Dec 29 '16 at 20:17

1 Answer

Selinux user not confined when using su

Some applications or helpers utilize PAM to get/set SELinux restrictions. SSHD for example would require that you have UsePAM yes for SELinux user restrictions to be enabled. Depending on your SELinux policies and booleans, you may be able to bypass confinement when using some helpers such as su or sudo and also depending on how they are executed. This requires understanding what transitions are allowed in the SELinux policy.

If Mary logs in via SSH and UsePAM yes is set, then they should be confined as expected and your boolean should take effect.

Aaron
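As an added example (not part of the question or of Aaron's answer), the POSIX shell helpers below make the check from the comments repeatable: they pull the SELinux user out of an `id -Z` context string, compare it with the mapping that `semanage login -l` reports for the account (falling back to `__default__` when there is no explicit entry), and read the effective `UsePAM` value out of sshd_config text (sshd honours the first occurrence of a keyword, and upstream defaults to `no` when the directive is absent). The names `mary` and `user_u` come from the thread; any context strings passed to the parsing functions are constructed sample input, and `live_check` is only meaningful when run as root on the SELinux host itself.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Helpers for checking whether a login really landed in the SELinux user
# it is mapped to. "mary" and "user_u" are the names from the thread;
# context strings fed to the parsing functions are constructed samples.

# SELinux user: first field of an "id -Z" context string
# (unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -> unconfined_u).
selinux_user_of() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Domain (type): third field of the context string.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) only if the context belongs to the expected SELinux user.
is_confined_as() {
    [ "$(selinux_user_of "$1")" = "$2" ]
}

# Effective UsePAM value from sshd_config text on stdin.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# and the upstream default when the directive is absent is "no".
usepam_setting() {
    val=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "usepam" { print tolower($2); exit }
    ')
    printf '%s\n' "${val:-no}"
}

# SELinux user that the login mapping promises for a Linux account:
# an explicit "semanage login" entry if present, otherwise __default__.
mapped_selinux_user() {
    semanage login -l | awk -v u="$1" '
        $1 == u             { found = $2 }
        $1 == "__default__" { dflt = $2 }
        END { print (found != "" ? found : dflt) }
    '
}

# Live check, root on the SELinux host only: compare the context that
# "su - USER" actually yields with the mapped SELinux user, and report
# the sshd UsePAM setting that decides whether an SSH login applies it.
live_check() {
    user=$1
    expected=$(mapped_selinux_user "$user")
    ctx=$(su - "$user" -c 'id -Z')
    echo "sshd UsePAM: $(usepam_setting < /etc/ssh/sshd_config)"
    echo "boolean: $(getsebool user_exec_content)"
    if is_confined_as "$ctx" "$expected"; then
        echo "$user runs as mapped SELinux user $expected: $ctx"
    else
        echo "$user is mapped to $expected but 'su - $user' runs as: $ctx" >&2
        return 1
    fi
}
```

Running `live_check mary` as root reproduces the situation in the comments: the `su - mary` path reports the `unconfined_u` context even though the mapping says `user_u`, so the check exits non-zero, while the same `id -Z` taken inside an SSH session opened directly as mary should show a `user_u` context. Comparing the first field of `id -Z` with the mapping is the quickest way to tell which path a given shell came through before blaming the boolean.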