
Can SELinux really confine the root user?

Several projects such as [this one][play_root] offer free root access to a Linux box in order to demonstrate SELinux's confinement abilities: even with root access on the box, SELinux still prevents any harm from being done.

Is this for real, or is there some trick behind such a setup?

This is indeed possible because SELinux does not actually care about the current Unix user: all it sees is a piece of supplementary metadata called the context (which includes, among other fields, a domain field), and that context is what lets SELinux decide whether the requested action is authorized or not.

What one usually conceives of as the root user maps, in SELinux terms, to the root Unix user running either the unconfined_t or the sysadm_t SELinux domain. That is the classic, all-powerful root user.

However, one could perfectly well set up a system to spawn a root shell (a shell whose Unix user is root) running the restricted user_t SELinux domain. As far as the SELinux policy is concerned, such a shell is no different from any other restricted user shell and has no special privilege on the system, thus effectively confining the root user.

Apart from an experimental point of view, doing such a thing as-is has no practical use. However, similar practices do find their way into the real world.

A classic example is a database administrator who needs to be able to stop and start the database daemons, edit configuration files, etc. Without SELinux, all these actions would require the user to escalate to root privileges (even if only for a single command line via the sudo tool, for instance, and even that may be prone to leaks).

Thanks to SELinux, we can give this user a genuine root shell, but instead of running in the unconfined_t or sysadm_t domain it will run in the dbadm_t domain. This means that they will have more privileges than a restricted user, but these extra privileges will be limited to what is needed to administer the database server: this user will not be able to tamper with other services or files, or run any administrative commands other than those strictly required to do their job.

In the same way, the web server and other service administrators could have their own root shells running in parallel on the same system: every one of them will see their current Unix user as root, but thanks to SELinux each will effectively have different privileges, limited to what is needed for their own purposes.
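The two ideas above (a context is what SELinux judges, not the uid; and a root shell can be handed the dbadm_t domain instead of unconfined_t or sysadm_t) can be made concrete with a short shell script. This is an added example, not code from the original article or from the StackExchange answer it is based on. It assumes a Fedora/RHEL-style targeted policy that ships the dbadm_r role and dbadm_t type, a sudo built with SELinux support (the `ROLE=`/`TYPE=` sudoers fields), and a hypothetical Linux account named `dbadmin`; the context strings fed to the classification helper are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): read SELinux contexts and set
# up a root shell that runs in dbadm_t rather than unconfined_t/sysadm_t.
# Assumptions: targeted policy with dbadm_r/dbadm_t, sudo with SELinux support,
# and a hypothetical account "dbadmin". Context strings below are constructed.

# A context has four colon-separated fields: user:role:type:level.
# Print one field by name from a context string (the level may itself contain ':').
ctx_field() {
    # $1 = context string, $2 = user|role|type|level
    case "$2" in
        user)  printf '%s\n' "$1" | cut -d: -f1 ;;
        role)  printf '%s\n' "$1" | cut -d: -f2 ;;
        type)  printf '%s\n' "$1" | cut -d: -f3 ;;
        level) printf '%s\n' "$1" | cut -d: -f4- ;;
        *)     return 1 ;;
    esac
}

# Classify what a shell can do from its Unix uid and its SELinux context.
# SELinux decides on the type (domain), not on the uid: uid 0 in user_t is a
# restricted user, uid 0 in dbadm_t is a database administrator, and only
# uid 0 in unconfined_t or sysadm_t is the classic all-powerful root.
classify_shell() {
    # $1 = numeric uid, $2 = SELinux context (as printed by "id -Z")
    domain=$(ctx_field "$2" type)
    case "$domain" in
        unconfined_t|sysadm_t)
            if [ "$1" -eq 0 ]; then echo "full-root"; else echo "unconfined-user"; fi ;;
        dbadm_t)  echo "db-admin" ;;
        user_t)   echo "restricted" ;;
        *)        echo "other:$domain" ;;
    esac
}

# Give the (hypothetical) dbadmin account a root shell confined to dbadm_t.
# Must run as root on an SELinux host; commands are real policycoreutils/sudo
# tooling, the account name is made up.
setup_dbadm_shell() {
    acct=${1:-dbadmin}
    # Map the Linux account to the staff_u SELinux user (level s0 on targeted policy).
    semanage login -a -s staff_u -r s0 "$acct"
    # "-R" replaces staff_u's whole role list, so repeat the roles it already
    # has ("semanage user -l" shows them; this list is the Fedora/RHEL default,
    # an assumption) and add dbadm_r.
    STAFF_ROLES="staff_r sysadm_r system_r unconfined_r"
    semanage user -m -R "$STAFF_ROLES dbadm_r" staff_u
    # sudo rule: the uid becomes 0, but the shell transitions to dbadm_r:dbadm_t.
    printf '%s ALL=(ALL) ROLE=dbadm_r TYPE=dbadm_t /bin/bash\n' "$acct" \
        > "/etc/sudoers.d/$acct"
    chmod 0440 "/etc/sudoers.d/$acct"
    visudo -cf "/etc/sudoers.d/$acct"
}

# After the setup, logged in as dbadmin, the confined root shell looks like:
#   sudo -r dbadm_r -t dbadm_t /bin/bash
#   id -u    -> 0
#   id -Z    -> staff_u:dbadm_r:dbadm_t:s0
# Verify against the policy rather than trusting the label, e.g. which process
# operations dbadm_t is allowed on the database daemon's domain (mysqld_t):
#   sesearch --allow -s dbadm_t -t mysqld_t -c process

# Demonstrate the classification on constructed contexts (no SELinux needed).
demo() {
    classify_shell 0 "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"   # full-root
    classify_shell 0 "user_u:user_r:user_t:s0"                                  # restricted
    classify_shell 0 "staff_u:dbadm_r:dbadm_t:s0"                               # db-admin
}
demo

# Only touch the real system when explicitly asked and the tooling is present.
if [ "${APPLY_DBADM_SETUP:-0}" = 1 ] && command -v semanage >/dev/null 2>&1; then
    setup_dbadm_shell dbadmin
fi
```

The classification helper is the point of the first half of the article in executable form: three shells with uid 0 are classified three different ways purely from the type field of their context. The setup function shows the real-world variant from the second half: the database administrator gets uid 0 through sudo, but the sudoers `ROLE=`/`TYPE=` fields make the shell start in dbadm_t, so the privileges that matter are the ones the policy grants that domain.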

Article based on a StackExchange answer.
