[refpolicy] [PATCH] login related stuff take 2

From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] login related stuff take 2
Date: Fri, 21 Apr 2017 16:04:43 +0200	[thread overview]
Message-ID: <20170421140443.GD2335@julius> (raw)
In-Reply-To: <16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net>

On Fri, Apr 21, 2017 at 03:47:35PM +0200, Guido Trentalancia via refpolicy wrote:
> I confirm that such auth permission is not needed. It uses shadow directly and it already has the appropriate auth_read_shadow() interface call!
> 
> I am now checking the details... 

There seems to be bug though in refpolicy

in refpolicy sulogin seems to use an auto type transition to sysadm_t but , atleast in fedora, sulogin does actually look up default contexts

if you add system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0 to contexts/users/sysadm_u then sulogin will try to manually transition to that context provided that it has the permisisons to do so.

So its not a authlogin login program but it is selinux aware

> 
> On the 21st of April 2017 15:42:01 CEST, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote:
> >On Fri, Apr 21, 2017 at 03:33:50PM +0200, Guido Trentalancia via
> >refpolicy wrote:
> >> It doesn't have a PAM configuration file for the simple reason that
> >it doesn't use PAM...
> >
> >And thus it is not a authlogin login program
> >
> >> 
> >> I am now testing the other permissions, it should be easier and safer
> >than just speculating on the possible behavior.
> >> 
> >> I getting a very different behavior!
> >> 
> >> Will get back shortly. 
> >> 
> >> Regards, 
> >> 
> >> Guido 
> >> 
> >> On the 21st April 2017 14:48:48 CEST, Dominick Grift via refpolicy
> ><refpolicy@oss.tresys.com> wrote:
> >> >On Fri, Apr 21, 2017 at 02:42:46PM +0200, Dominick Grift wrote:
> >> >> On Fri, Apr 21, 2017 at 10:38:06PM +1000, Russell Coker via
> >refpolicy
> >> >wrote:
> >> >> > On Fri, 21 Apr 2017 10:06:29 PM Guido Trentalancia via refpolicy
> >> >wrote:
> >> >> > > > auth_read_shadow(sulogin_t)
> >> >> > > >
> >> >> > > >+auth_login_pgm_domain(sulogin_t)
> >> >> > > >+kernel_read_crypto_sysctls(sulogin_t)
> >> >> > > >+selinux_set_generic_booleans(sulogin_t)
> >> >> > > >
> >> >> > > >What usage need this access?
> >> >> > > 
> >> >> > > They are dangerous permissions, especially the one that allows
> >to
> >> >set the
> >> >> > > SELinux booleans! 
> >> >> > > 
> >> >> > > Only the system administrator should be permitted to set the
> >> >booleans
> >> >> > > interactively through the application... 
> >> >> > 
> >> >> > Sulogin only runs at the console when something goes wrong in
> >the
> >> >early boot 
> >> >> > process, and the first thing it does is ask for a root password.
> >> >> > 
> >> >> > It's simply impossible for sulogin to do what it does without
> >the
> >> >first line, 
> >> >> > it is a login program.
> >> >> 
> >> >> I don't think its a login program from an authlogin perspective.
> >It
> >> >has no pam config here on fedora. There are no default contexts for
> >> >sulogin
> >> >
> >> >Ok i might be wrong here with regard there not being default
> >contexts.
> >> >I do believe that it somehow uses default contexts but there does
> >not
> >> >seem to be a pam config here
> >> >
> >> >> 
> >> >> > 
> >> >> > The second is used by exim_t, lpr_t, boinc_t, mailman_cgi_t, and
> >
> >> >> > user_mail_domain among others.  If we need to restrict access to
> >> >that then 
> >> >> > exim_t, lpr_t, boinc_t, mailman_cgi_t, and user_mail_domain all
> >> >deal with 
> >> >> > untrusted data.  The domains exim_t, boinc_t, and mailman_cgi_t
> >are
> >> >exposed to 
> >> >> > data from the Internet and have that access.
> >> >> > 
> >> >> > The policy currently has sysadm_shell_domtrans(sulogin_t) which
> >> >allows sulogin 
> >> >> > to execute "bash -c setsebool" or similar.  So allowing it to
> >set
> >> >booleans 
> >> >> > directly doesn't really change much.
> >> >> > 
> >> >> > There is simply no possibility to allow sulogin to do what it is
> >> >intended to 
> >> >> > do without granting it access to destroy things (at least
> >> >indirectly).  If you 
> >> >> > don't want that then the only option is to remove sulogin.  I
> >guess
> >> >you could 
> >> >> > submit a patch with a boolean to deny executing sulogin_exec_t
> >for
> >> >init if 
> >> >> > that's what you want.
> >> >> > 
> >> >> > -- 
> >> >> > My Main Blog         http://etbe.coker.com.au/
> >> >> > My Documents Blog    http://doc.coker.com.au/
> >> >> > _______________________________________________
> >> >> > refpolicy mailing list
> >> >> > refpolicy at oss.tresys.com
> >> >> > http://oss.tresys.com/mailman/listinfo/refpolicy
> >> >> 
> >> >> -- 
> >> >> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B
> >6B02
> >> >>
> >>
> >>https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> >> >> Dominick Grift
> >> 
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170421/e4a6529b/attachment-0001.bin 