From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] useradd/passwd patch
Date: Fri, 26 Sep 2008 08:45:09 -0400	[thread overview]
Message-ID: <48DCD955.8080409@redhat.com> (raw)
In-Reply-To: <200809260657.50453.russell@coker.com.au>


Russell Coker wrote:
> On Friday 26 September 2008 06:11, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Perhaps they are using pam to verify password entry, pam defaults to
>> unix_chkpwd so this could cause the avc.  I don't see where this is a
>> problem though.
> 
> Since when does PAM default to unix_chkpwd?
> 
> When I first wrote the code and policy for this PAM had special-case code to 
> only call unix_chkpwd in the case of a non-root caller.
> 
And I believe that has changed.  Since we're having to dontaudit read of
shadow for all pam apps, while if they try to use unix_chkpwd first we
don't need the dontaudit rule.  Then if a domain suddenly tries to read
shadow, we have an idea that there is some problem.
> It might make some sense to only check the password in one way (IE call the 
> executable even when running as root without SE Linux) as it's not something 
> that happens often enough to cause performance.  But in that case I think 
> that the suitably privileged domains should be permitted to execute 
> unix_chkpwd in the same domain.
> 
And how is this more or less secure?

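As an added example (not part of this thread, and not refpolicy or PAM code): a small Python triage pass over constructed AVC records that applies the point made above, treating any shadow_t access by a domain other than the password-checking helper domains as a signal worth looking at rather than something to dontaudit away. The sample records and the allowlist of helper domains (chkpwd_t, passwd_t, updpwd_t, useradd_t) are assumptions.

```python
import re
from typing import Dict, List

# Constructed AVC records (not taken from any real system); the field layout
# follows what auditd writes for SELinux access decisions.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1222432509.101:41): avc:  granted  { read } for  pid=2101 '
    'comm="unix_chkpwd" name="shadow" dev=sda1 ino=8823 '
    'scontext=system_u:system_r:chkpwd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1222432510.202:42): avc:  denied  { read } for  pid=2150 '
    'comm="httpd" name="shadow" dev=sda1 ino=8823 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1222432511.303:43): avc:  denied  { getattr } for  pid=2150 '
    'comm="httpd" name="index.html" dev=sda1 ino=9912 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

# The type field is the third colon-separated component of a context; \w never
# matches ':', so the group cannot drift across components.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>granted|denied)\s+\{ (?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=\w+:\w+:(?P<sdomain>\w+):.*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):.*?tclass=(?P<tclass>\w+)'
)

# Assumed allowlist: domains that legitimately read /etc/shadow once password
# checking is delegated to the helper. Adjust to the policy actually loaded.
SHADOW_READERS = {"chkpwd_t", "passwd_t", "updpwd_t", "useradd_t"}


def parse_avc(line: str) -> Dict[str, object]:
    """Extract decision, permissions, comm, source domain, target type and class."""
    m = AVC_RE.search(line)
    if not m:
        return {}
    rec: Dict[str, object] = m.groupdict()
    rec["perms"] = str(rec["perms"]).split()
    return rec


def shadow_alerts(lines: List[str]) -> List[str]:
    """One alert per shadow_t access by a domain outside SHADOW_READERS.

    Denied records mean the policy caught the access; granted records (only
    logged under an auditallow rule) mean some rule lets the domain bypass
    the helper. Both are reported, since both are unexpected here."""
    alerts = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["ttype"] != "shadow_t" or rec["sdomain"] in SHADOW_READERS:
            continue
        alerts.append(f'{rec["decision"]} {"/".join(rec["perms"])} on shadow_t '
                      f'by {rec["sdomain"]} (comm={rec["comm"]})')
    return alerts
```

With a dontaudit rule in place the second record would never be written, which is exactly the signal the allowlist approach preserves.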
Thread overview: 6+ messages
2008-09-24 21:38 [refpolicy] useradd/passwd patch Mike Edenfield
2008-09-25  7:12 ` Russell Coker
2008-09-25 20:11   ` Daniel J Walsh
2008-09-25 20:57     ` Russell Coker
2008-09-26 12:45       ` Daniel J Walsh [this message]
2008-09-26 20:30         ` Russell Coker
