From: "Dennis Wronka" <linuxweb@gmx.net>
To: selinux@tycho.nsa.gov
Subject: Re: Question about newrole
Date: Tue, 05 Aug 2008 17:05:10 +0200
Message-ID: <20080805150510.243300@gmx.net>
In-Reply-To: <1217947735.2994.88.camel@moss-spartans.epoch.ncsc.mil>


-------- Original Message --------
> Date: Tue, 05 Aug 2008 10:48:55 -0400
> From: Stephen Smalley <sds@tycho.nsa.gov>
> To: Dennis Wronka <linuxweb@gmx.net>
> CC: Xavier Toth <txtoth@gmail.com>, SELinux Mailing List <selinux@tycho.nsa.gov>
> Subject: Re: Question about newrole

> 
> On Tue, 2008-08-05 at 22:32 +0800, Dennis Wronka wrote:
> > Thanks.
> > That seems to help quite a bit.
> > I now get some messages. For example it seems that newrole wants to 
> > read /etc/shadow directly.
> > Will check those messages and play around with the policy.
> 
> The way it works is that pam_unix attempts to open /etc/shadow directly
> for reading, and if it fails, it falls back to running unix_chkpwd to
> perform the password check.  SELinux policy prohibits most programs from
> directly reading /etc/shadow, including even ones that run as root, and
> forces them to go through unix_chkpwd instead, in order to limit the set
> of processes that have full read access to the shadow password file.
> 
> The logic to try to open /etc/shadow and fall back to unix_chkpwd
> already existed before SELinux in order to support non-root processes
> re-authenticating the current user.  What changed with SELinux was that
> it could also happen for root processes.
> 
> The current policy dontaudit's the attempt to directly read /etc/shadow
> to avoid noise.  When you did semodule -DB, you turned on that auditing.
> But those denials are what is expected, and allowing them will mean
> giving newrole direct read access to /etc/shadow (although that will
> only work if running as root, of course, as otherwise it has to use a
> suid helper like unix_chkpwd anyway).
> 
> Does newrole work for you as a non-root user?
> 
> -- 
> Stephen Smalley
> National Security Agency

Also running newrole as regular user (running as staff_u:staff_r:staff_t, trying to transition to sysadm_r) gets me the same message, just with dennis as username.

I also tried setting unix_chkpwd set-uid root already, but even that didn't help.

I'll turn on the audit messages again and see if there's anything that maybe shows that unix_chkpwd is not allowed to read shadow.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
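As an added illustration (not part of this thread, and not code from the SELinux project): a small POSIX shell helper that sorts AVC denials on shadow_t, once `semodule -DB` has re-enabled the dontaudit rules, into the expected pam_unix first-attempt denial that Stephen describes and a genuine denial of the unix_chkpwd helper, which is what Dennis is about to look for. The sample audit lines are constructed, and the domain names newrole_t and chkpwd_t are assumed to match the reference policy's naming.

```shell
#!/bin/sh
# Classify AVC denials involving /etc/shadow after `semodule -DB` has
# re-enabled the dontaudit rules, separating the expected pam_unix
# first-attempt denial from a real failure of the unix_chkpwd helper.

# avc_field LINE KEY -> value of KEY=value (quotes stripped), empty if absent
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# type_of CONTEXT -> the type component (third field) of an SELinux context
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify_avc LINE -> one of:
#   ignore         not a denial on a shadow_t file
#   expected       the caller (newrole, login, ...) tried to open /etc/shadow
#                  directly; the policy dontaudits this and pam_unix falls
#                  back to unix_chkpwd, so there is nothing to allow here
#   helper-denied  unix_chkpwd itself (assumed domain chkpwd_t) was denied
#                  shadow access; this breaks authentication and needs a fix
classify_avc() {
    line=$1
    case $line in
        *"avc:  denied"*) ;;
        *) echo ignore; return ;;
    esac
    ttype=$(type_of "$(avc_field "$line" tcontext)")
    [ "$ttype" = shadow_t ] || { echo ignore; return; }
    stype=$(type_of "$(avc_field "$line" scontext)")
    comm=$(avc_field "$line" comm)
    if [ "$comm" = unix_chkpwd ] || [ "$stype" = chkpwd_t ]; then
        echo helper-denied
    else
        echo expected
    fi
}

# Constructed sample lines (not from the thread), in the audit.log layout.
AVC_NEWROLE='type=AVC msg=audit(1217948000.101:42): avc:  denied  { read } for  pid=2101 comm="newrole" name="shadow" dev=sda1 ino=131 scontext=staff_u:staff_r:newrole_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'
AVC_CHKPWD='type=AVC msg=audit(1217948000.202:43): avc:  denied  { read } for  pid=2102 comm="unix_chkpwd" name="shadow" dev=sda1 ino=131 scontext=staff_u:staff_r:chkpwd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'
AVC_OTHER='type=AVC msg=audit(1217948000.303:44): avc:  denied  { getattr } for  pid=2103 comm="newrole" path="/etc/passwd" dev=sda1 ino=130 scontext=staff_u:staff_r:newrole_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# On a live box feed real lines instead: ausearch -m avc -ts recent | while read -r l; do classify_avc "$l"; done
for l in "$AVC_NEWROLE" "$AVC_CHKPWD" "$AVC_OTHER"; do
    printf '%s\t%s\n' "$(classify_avc "$l")" "$(avc_field "$l" comm)"
done
```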
