[refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!)

From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!)
Date: Wed, 26 Apr 2017 17:44:37 +0200	[thread overview]
Message-ID: <20170426154437.GA23409@julius> (raw)
In-Reply-To: <5D3FFC2A-F6BB-4056-AA55-CF89D485F79C@trentalancia.net>

On Wed, Apr 26, 2017 at 05:42:31PM +0200, Guido Trentalancia via refpolicy wrote:
> Hello.
> 
> On the 26th of April 2017 15:05:44 CEST, Dominick Grift via refpolicy <refpolicy@oss.tresys.com> wrote:
> >On Wed, Apr 26, 2017 at 12:50:02AM +0200, Guido Trentalancia via
> >refpolicy wrote:
> >> This patch fixes the policy for sulogin. It is very important
> >> because without this patch, sulogin cannot work properly and
> >> it should be considered that it is used as an emergency shell
> >> when there are serious consistency errors in the system, so it
> >> constitutes the only way to recover the system in such
> >> circumstances.
> >> 
> >> Nowadays, sulogin never uses PAM (at least not the official one
> >> from util-linux), so obsolete, confusing and buggy policy has
> >> been removed.
> >> 
> >> Extensive testing carried out while creating this patch indicates
> >> that there aren't other permissions needed to successfully run
> >> sulogin.
> >> 
> >> This second version should apply cleanly to the latest git tree.
> >> 
> >> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> >> ---
> >>  policy/modules/system/locallogin.te |   24 ++++++++++++++----------
> >>  1 file changed, 14 insertions(+), 10 deletions(-)
> >> 
> >> --- a/policy/modules/system/locallogin.te	2017-04-13
> >22:04:35.111202539 +0200
> >> +++ b/policy/modules/system/locallogin.te	2017-04-26
> >00:44:23.028943625 +0200
> >> @@ -215,7 +215,8 @@ optional_policy(`
> >>  # Sulogin local policy
> >>  #
> >>  
> >> -allow sulogin_t self:capability dac_override;
> >> +allow sulogin_t self:capability { dac_override sys_admin
> >sys_tty_config };
> >
> >I suspect that cap_sys_admin can be safely dontaudited
> 
> Yes, I thought the same, but then considering it is a sysadmin shell, I did not even check.

The cap_sys_admin for getty can also be safely dontaudited AFAIK

Also the dac_override for sulogin can also be dontaudited AFAIK (allow dac_read_search instead)

> 
> Also, remember we probably still have sys_admin for getty which runs unprivileged shells... 
> 
> >> +allow sulogin_t self:process setexec;
> >>  allow sulogin_t self:fd use;
> >>  allow sulogin_t self:fifo_file rw_fifo_file_perms;
> >>  allow sulogin_t self:unix_dgram_socket create_socket_perms;
> >> @@ -228,6 +229,9 @@ allow sulogin_t self:msgq create_msgq_pe
> >>  allow sulogin_t self:msg { send receive };
> >>  
> >>  kernel_read_system_state(sulogin_t)
> >> +kernel_read_crypto_sysctls(sulogin_t)
> >> +kernel_stream_connect(sulogin_t)
> >> +kernel_use_fds(sulogin_t)
> >>  # because file systems are not mounted:
> >>  kernel_dontaudit_search_unlabeled(sulogin_t)
> >>  
> >> @@ -238,10 +242,13 @@ files_read_etc_files(sulogin_t)
> >>  
> >>  auth_read_shadow(sulogin_t)
> >>  
> >> +init_getpgid(sulogin_t)
> >>  init_getpgid_script(sulogin_t)
> >>  
> >>  logging_send_syslog_msg(sulogin_t)
> >>  
> >> +miscfiles_read_localization(sulogin_t)
> >> +
> >>  seutil_read_config(sulogin_t)
> >>  seutil_read_default_contexts(sulogin_t)
> >>  
> >> @@ -252,15 +259,12 @@ userdom_use_user_ptys(sulogin_t)
> >>  
> >>  sysadm_shell_domtrans(sulogin_t)
> >>  
> >> -# suse and debian do not use pam with sulogin...
> >> -ifdef(`distro_suse', `define(`sulogin_no_pam')')
> >> -ifdef(`distro_debian', `define(`sulogin_no_pam')')
> >> -
> >> -ifdef(`sulogin_no_pam', `
> >> -	allow sulogin_t self:capability sys_tty_config;
> >> -	init_getpgid(sulogin_t)
> >> -', `
> >> -	allow sulogin_t self:process setexec;
> >> +term_use_console(sulogin_t)
> >> +term_use_unallocated_ttys(sulogin_t)
> >> +
> >> +# by default, sulogin does not use pam...
> >> +# sulogin_pam might need to be defined otherwise
> >> +ifdef(`sulogin_pam', `
> >>  	selinux_get_fs_mount(sulogin_t)
> >>  	selinux_validate_context(sulogin_t)
> >>  	selinux_compute_access_vector(sulogin_t)
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> Regards, 
> 
> Guido 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170426/d343130e/attachment.bin