Bug 1364621 - SELinux unable to prevent an script from executing
Summary: SELinux unable to prevent an script from executing
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
Depends On:
Reported: 2016-08-06 04:19 UTC by oogway
Modified: 2016-08-07 16:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-08-07 16:38:12 UTC

Attachments
semanage/getsebool/setsebool output (deleted), 2016-08-06 04:19 UTC, oogway

Description oogway 2016-08-06 04:19:46 UTC
Created attachment 1188089
semanage/getsebool/setsebool output

Description of problem:
Platform tested: Fedora 24 (and CentOS 7). Same results were observed.
SELinux is enabled and enforcing. My goal is to prevent a regular user (named guestuser) from running a script.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. mapped a regular user (guestuser) to guest_u
2. guest_exec_content set to off
3. run the test script via either absolute or relative path
4. now run the test script by calling bash or sh

Actual results:
When run via absolute/relative path, SELinux is able to prevent the script from executing which is expected.

Now, when the script is invoked via bash or sh, SELinux, unexpectedly, is unable to prevent the script from executing.

Expected results:
SELinux is expected to prevent the script from getting executed regardless of how it is invoked.

Additional info:

Transcript below

[erwin@PC1 ~]$ cat guest-selinux.txt
Script started on Sat 06 Aug 2016 04:09:36 PM NZST
[guestuser@PC1 ~]$ ./
bash: ./ Permission denied
[guestuser@PC1 ~]$
[guestuser@PC1 ~]$ ~/
bash: /home/guestuser/ Permission denied
[guestuser@PC1 ~]$
[guestuser@PC1 ~]$ ${HOME}/
bash: /home/guestuser/ Permission denied
[guestuser@PC1 ~]$
[guestuser@PC1 ~]$ bash
Hello World!
[guestuser@PC1 ~]$
[guestuser@PC1 ~]$ sh
Hello World!
[guestuser@PC1 ~]$ bash ~/
Hello World!
[guestuser@PC1 ~]$ sh ${HOME}/
Hello World!
[guestuser@PC1 ~]$ exit

Script done on Sat 06 Aug 2016 04:10:28 PM NZST

Comment 1 oogway 2016-08-06 04:24:57 UTC
It seems that when the script is called via a path, guest_r is applied. Otherwise, object_r is applied instead. Do I need to remove guest_u from object_r to get the desired result?

Comment 2 Daniel Walsh 2016-08-07 16:38:12 UTC
Yup, sorry to say we cannot currently prevent someone from running a script if they execute the script directly.

There is nothing in the kernel to prevent this, and the way bash works would make more workarounds impossible. All we can block is an actual executable in the homedir.

python, perl, sh, awk ... All would not be blocked.
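The mechanism Dan Walsh describes can be reproduced without SELinux: the kernel's exec check happens only in execve(), so "sh file" never hits it because the already-running interpreter merely open()s and read()s the file. The script below is an added example (not from the bug report or the selinux-policy project) that shows the same gap using ordinary DAC mode bits, with a constructed hello-world script in a temporary directory.

```shell
#!/bin/sh
# Added example: the exec restriction lives in execve(); an interpreter
# invocation of the same file needs only read access, so it is not covered.
# The script name and contents are constructed for this demonstration.

# Create a readable but non-executable script and echo its path.
make_script() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho Hello World!\n' > "$dir/hello.sh"
    chmod 0644 "$dir/hello.sh"     # no x bit: like guest_exec_content=off
    echo "$dir/hello.sh"
}

# Direct invocation goes through execve(), where the kernel enforces the
# check; returns 0 when the exec is refused (the expected outcome).
direct_exec_blocked() {
    script=$(make_script)
    if "$script" >/dev/null 2>&1; then rc=1; else rc=0; fi
    rm -rf "$(dirname "$script")"
    return $rc
}

# The same file handed to sh as an argument: sh open()s and read()s it,
# execve() is never called on the file, and the code runs regardless.
interpreter_runs_anyway() {
    script=$(make_script)
    out=$(sh "$script" 2>/dev/null)
    rm -rf "$(dirname "$script")"
    [ "$out" = "Hello World!" ]
}

# Run both checks when executed stand-alone.
if direct_exec_blocked; then echo "direct exec: refused (expected)"; fi
if interpreter_runs_anyway; then echo "sh script: ran anyway (the gap)"; fi
```

The same pair of results is what the transcript above shows under SELinux: only the direct exec path is a denial the policy can see, which is why a label on the file alone cannot stop interpreter-driven execution.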
