
Fedora and pkexec

Fedora and pkexec

Posted Feb 3, 2022 0:16 UTC (Thu) by bartoc (guest, #124262)
In reply to: Fedora and pkexec by ejr
Parent article: Fedora and pkexec

For a program like pkexec it's not clear what kind of SELinux policy could help; after all, the whole point is to run literally anything as root. Restricting what can run pkexec itself would be possible, and could break many exploit chains that use this bug before they even get to an unprivileged shell.

Does Fedora's current SELinux policy allow (for example) httpd to execute pkexec (or sudo)?


Fedora and pkexec

Posted Feb 3, 2022 8:23 UTC (Thu) by pbonzini (subscriber, #60935) [Link]

IIRC the default policy doesn't allow any execve. There are various knobs to enable additional permissions such as httpd_ssi_exec and httpd_enable_cgi.
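A way to check the question above on a live Fedora system, as an added example that is not part of the thread: it reads the two booleans named in the reply and asks the loaded policy whether httpd_t holds an execute rule on the binary's file type. It assumes a Fedora-style targeted policy with policycoreutils (getsebool, matchpathcon) and setools-console (sesearch) installed; the parsing helpers are exercised on constructed tool output so the script can be tested offline.

```shell
#!/bin/sh
# Added example, not from the LWN thread: audit whether the loaded SELinux
# policy lets httpd_t execute a setuid helper such as pkexec or sudo.
# Assumes a Fedora-style targeted policy with policycoreutils (getsebool,
# matchpathcon) and setools-console (sesearch) available.

# Parse getsebool output ("name --> on|off"); succeed if any boolean is on.
any_bool_on() {
    printf '%s\n' "$1" | awk '$3 == "on" { found = 1 } END { exit found ? 0 : 1 }'
}

# Count sesearch allow rules that carry the execute permission. Lines are
# counted whether the source is httpd_t itself or an attribute it belongs to.
count_execute_rules() {
    printf '%s\n' "$1" | awk '/^allow / && /execute/ { n++ } END { print n + 0 }'
}

# Query the live system for one binary; prints a verdict and returns 0 only
# when httpd_t has no execute path to it (booleans off and no allow rule).
audit_httpd_exec() {
    bin="$1"
    for tool in getsebool matchpathcon sesearch; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool"; return 2; }
    done
    # File type of the binary: third field of user:role:type:level
    target_type=$(matchpathcon -n "$bin" | awk -F: '{ print $3 }')
    # The two booleans named in the reply above; off by default on Fedora
    bools=$(getsebool httpd_ssi_exec httpd_enable_cgi 2>/dev/null)
    # Allow rules from httpd_t (or its attributes) granting file:execute on that type
    rules=$(sesearch -A -s httpd_t -t "$target_type" -c file -p execute 2>/dev/null)
    n=$(count_execute_rules "$rules")
    echo "$bin is labelled $target_type; execute allow rules from httpd_t: $n"
    printf '%s\n' "$bools"
    if any_bool_on "$bools" || [ "$n" -gt 0 ]; then
        echo "REVIEW: httpd_t may be able to execute $bin"
        return 1
    fi
    echo "OK: no execute path from httpd_t to $bin"
    return 0
}

# Audit each binary given on the command line, e.g. /usr/bin/pkexec /usr/bin/sudo
if [ $# -gt 0 ]; then
    for b in "$@"; do audit_httpd_exec "$b"; done
fi
```

An execute rule alone does not prove a working transition, but its presence (or either boolean being on) is the point at which the policy stops being the barrier the reply describes.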

Fedora and pkexec

Posted Feb 7, 2022 3:45 UTC (Mon) by flussence (guest, #85566) [Link] (1 responses)

SELinux is more of a bandage than a cure. The root problem here (excuse the pun) is full suid-bit privilege auth programs being necessary for going between any two lesser privilege levels, the general flow being [regular user -> unrestricted setuid 0 binary handling auth -> privileged filehandles/capabilities]. I'm not sure how to fix that, but it does seem like there's something we could be doing fundamentally better and not just "write C code more carefully".

Fedora and pkexec

Posted Feb 8, 2022 8:09 UTC (Tue) by bartoc (guest, #124262) [Link]

I think the solution is "make it easier to write correct suid programs", provide tools to correctly clear the environment and so forth.

For things that are less general than pkexec/sudo, something like SELinux can reduce them from "full suid" a little bit.

And yeah, SELinux is absolutely (and always) a bandage rather than a cure. It's a defense in depth measure. It can do a good job stopping the bleeding though.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds