* passwd using getprevcon() for enforcement
From: Joshua Brindle @ 2005-01-06 14:29 UTC (permalink / raw)
To: selinux
I was wondering why Fedora's passwd is patched to use getprevcon()? It
seems to me that enforcing policy on a type's previous context is very
broken behavior. Shouldn't the patch enforce on the current context and
have different passwd types for privileged users (I seem to remember
that there was a passwd_t and sysadm_passwd_t but that might have been
old-api)?
Joshua Brindle
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: passwd using getprevcon() for enforcement
From: Stephen Smalley @ 2005-01-06 14:38 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Thu, 2005-01-06 at 09:29, Joshua Brindle wrote:
> I was wondering why Fedora's passwd is patched to use getprevcon()? It
> seems to me that enforcing policy on a type's previous context is very
> broken behavior. Shouldn't the patch enforce on the current context and
> have different passwd types for privileged users (I seem to remember
> that there was a passwd_t and sysadm_passwd_t but that might have been
> old-api)?
It is performing a check of the caller's permissions, so it wants the
domain of the caller (the previous context), not its own context. It is
asking the question "Can the caller perform a privileged passwd
operation?", not the question "Can I perform a privileged passwd
operation?". Parallel: When the kernel performs a permission check,
it uses the credentials of the current process, not the kernel's own
credentials. s/kernel/passwd program/
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: passwd using getprevcon() for enforcement
From: Stephen Smalley @ 2005-01-06 14:43 UTC (permalink / raw)
To: Joshua Brindle; +Cc: selinux
On Thu, 2005-01-06 at 09:38, Stephen Smalley wrote:
> On Thu, 2005-01-06 at 09:29, Joshua Brindle wrote:
> > I was wondering why Fedora's passwd is patched to use getprevcon()? It
> > seems to me that enforcing policy on a type's previous context is very
> > broken behavior. Shouldn't the patch enforce on the current context and
> > have different passwd types for privileged users (I seem to remember
> > that there was a passwd_t and sysadm_passwd_t but that might have been
> > old-api)?
>
> It is performing a check of the caller's permissions, so it wants the
> domain of the caller (the previous context), not its own context. It is
> asking the question "Can the caller perform a privileged passwd
> operation?", not the question "Can I perform a privileged passwd
> operation?". Parallel: When the kernel performs a permission check,
> it uses the credentials of the current process, not the kernel's own
> credentials. s/kernel/passwd program/
The other parallel to consider is for a client/server model, where
client programs send requests to a server passwd program. There you
want the server passwd program to check permissions against the client's
credentials (obtained via getpeercon in that case). The use of
getprevcon() for exec-based invocation is equivalent.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
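
The caller-versus-program distinction discussed in this thread, as an added example that is not part of the thread or of the Fedora patch: assuming a single passwd_t program domain, every caller's passwd process has the same current context, so only the previous context tells callers apart. The allow table, helper names and sample contexts are constructed; real code would call getprevcon() and query the loaded policy instead of a table.

```c
/* Added illustration, not the Fedora patch; allow_passwd is a constructed policy. */
#include <stdio.h>
#include <string.h>
static const struct { const char *type, *perm; } allow_passwd[] = {
    { "sysadm_t", "rootok" }, { "sysadm_t", "passwd" }, { "user_t", "passwd" } };

/* Type field of "user:role:type[:range]"; the range may itself contain ':'. */
const char *ctx_type(const char *ctx, size_t *len)
{
    const char *p = ctx;
    for (int i = 0; p && i < 2; i++)
        if ((p = strchr(p, ':'))) p++;
    if (!p) return NULL;
    *len = strcspn(p, ":\n");
    return *len ? p : NULL;
}

/* 1 if the domain named in ctx holds perm in class passwd; fails closed. */
int domain_may(const char *ctx, const char *perm)
{
    size_t len = 0, n = sizeof allow_passwd / sizeof *allow_passwd;
    const char *type = ctx ? ctx_type(ctx, &len) : NULL;
    for (size_t i = 0; type && i < n; i++)
        if (strlen(allow_passwd[i].type) == len && !strcmp(allow_passwd[i].perm, perm)
            && !strncmp(allow_passwd[i].type, type, len))
            return 1;
    return 0;
}

/* Read /proc/self/attr/<name>: "prev" backs getprevcon(), "current" getcon(). */
int read_attr(const char *name, char *buf, size_t n)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/attr/%s", name);
    FILE *f = fopen(path, "r");
    size_t got = f ? fread(buf, 1, n - 1, f) : 0;
    if (f) fclose(f);
    buf[got] = '\0';
    return got ? 0 : -1;
}

int main(void)
{
    char prev[256], cur[256];
    if (read_attr("prev", prev, sizeof prev) || read_attr("current", cur, sizeof cur))
        return puts("no process contexts available: deny"), 1;
    return printf("caller %s rootok=%d, program %s rootok=%d\n", prev,
                  domain_may(prev, "rootok"), cur, domain_may(cur, "rootok")) < 0;
}
```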