Skip to content

DAC bypass after split security task to secadm user #837

Description

@uudiin

My goal is to share the management of security policies and selinux-related operation permissions with the secadm user. I created a selinux user named secadm_u and a normal user secadm with the following command:

semanage user --add --roles secadm_r secadm_u
useradd -m -U -Z secadm_u secadm

Because under DAC, secadm is a general user, which causes operations like setenforce to fail, because the interface files under /sys/fs/selinux require the write permission of the owner root, for example, the disable file can only be written by the owner root,

# ll /sys/fs/selinux/disable
--w-------. 1 root root 0 Jan  1  1970 /sys/fs/selinux/disable

and the newly created general user cannot pass the DAC check. Is there a more formal solution like this, maybe it only be solved by modifying the owner of /sys/fs/selinux ?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions