From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] chfn_t reads in file context information and executes nscd
Date: Wed, 20 Mar 2013 10:03:17 +0100 [thread overview]
Message-ID: <20130320090317.GA12451@siphos.be> (raw)
The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd
The following AVC denials are shown:
Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
In permissive mode, this goes up to:
Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc: denied { open } for pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file
Hence, adding in seutil_read_file_contexts().
A second error is that chsh, if available, wants to execute nscd:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
Similar to most other user admin utilities, we grant it the rights to run nscd.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/usermanage.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d555767..774d8c3 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -125,6 +125,7 @@ miscfiles_read_localization(chfn_t)
logging_send_syslog_msg(chfn_t)
+seutil_read_file_contexts(chfn_t)
# uses unix_chkpwd for checking passwords
seutil_dontaudit_search_config(chfn_t)
@@ -133,6 +134,10 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
+optional_policy(`
+ nscd_run(chfn_t, chfn_roles)
+')
+
########################################
#
# Crack local policy
--
1.8.1.5
next reply other threads:[~2013-03-20 9:03 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-20 9:03 Sven Vermeulen [this message]
2013-04-04 12:09 ` [refpolicy] [PATCH 1/1] chfn_t reads in file context information and executes nscd Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130320090317.GA12451@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.