type=3DAVC msg=3Daudit(1271099674.792:5): avc: denied { ge= tattr } for pid=3D2475 comm=3D"gdm-session-wor" path=3D&quo= t;/etc/shadow" dev=3Dsda2 ino=3D129609 scontext=3Dsystem_u:system_r:xd= m_t:s0-s0:c0.c1023 tcontext=3Dsystem_u:object_r:shadow_t:s0 tclass=3Dfile

But I think the required access is prohibited via 'neverallow'. &= nbsp; Suggestions welcome.

Thanks

--_000_5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523EUSAACMS0703e_-- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id o3D1Men3030518 for ; Mon, 12 Apr 2010 21:22:44 -0400 Received: from mail-vw0-f53.google.com (localhost [127.0.0.1]) by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id o3D1MDQO008026 for ; Tue, 13 Apr 2010 01:22:14 GMT Received: by vws9 with SMTP id 9so13677vws.12 for ; Mon, 12 Apr 2010 18:22:42 -0700 (PDT) Message-ID: <4BC3C7A8.6070109@gmail.com> Date: Mon, 12 Apr 2010 18:23:52 -0700 From: "Justin P. mattock" MIME-Version: 1.0 To: Alan Rouse CC: SE-Linux Subject: Re: AVC accesing shadow during gnome login References: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov On 04/12/2010 12:24 PM, Alan Rouse wrote: > I'm getting the following when I log in via the gnome login gui > (OpenSUSE 11.2) with dontaudit turned off: > type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475 > comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475 > comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for > pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 > scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:shadow_t:s0 tclass=file > But I think the required access is prohibited via 'neverallow'. > Suggestions welcome. > Thanks I think shadow is always rejected by the policy, and chkpwd is allowed. Justin P. Mattock -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id o3DCkC8m031388 for ; Tue, 13 Apr 2010 08:46:12 -0400 Received: from mx1.redhat.com (localhost [127.0.0.1]) by msux-gh1-uea02.nsa.gov (8.12.10/8.12.10) with ESMTP id o3DCl4r0013283 for ; Tue, 13 Apr 2010 12:47:05 GMT Message-ID: <4BC4678E.807@redhat.com> Date: Tue, 13 Apr 2010 08:46:06 -0400 From: Daniel J Walsh MIME-Version: 1.0 To: Alan Rouse CC: SE-Linux Subject: Re: AVC accesing shadow during gnome login References: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/12/2010 03:24 PM, Alan Rouse wrote: > I'm getting the following when I log in via the gnome login gui (OpenSUSE 11.2) with dontaudit turned off: > > type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file > type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file > > But I think the required access is prohibited via 'neverallow'. Suggestions welcome. > > Thanks > > > > xdm_t uses /sbin/unix_chkpwd to read the shadow file. The pam stack will execute this program if it can not read shadow directly. In Fedora and RHEL products we now attempt to execute /sbin/unix_chkpwd first and then fail over to trying to read the shadow file. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvEZ44ACgkQrlYvE4MpobPI9gCfWmdjXO2iYgqrVMbt8mayugYJ OP0An043xjA72tP9svgx89XBXF3ZTlsI =Qkji -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id o3DEAnT0004957 for ; Tue, 13 Apr 2010 10:10:49 -0400 Received: from imr1.ericy.com (localhost [127.0.0.1]) by msux-gh1-uea01.nsa.gov (8.12.10/8.12.10) with ESMTP id o3DEAJXo007932 for ; Tue, 13 Apr 2010 14:10:19 GMT Received: from eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) by imr1.ericy.com (8.13.1/8.13.1) with ESMTP id o3DEF3S5031816 for ; Tue, 13 Apr 2010 09:15:05 -0500 From: Alan Rouse To: SE-Linux Date: Tue, 13 Apr 2010 10:10:41 -0400 Subject: RE: AVC accesing shadow during gnome login Message-ID: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE96F@EUSAACMS0703.eamcs.ericsson.se> References: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> <4BC4678E.807@redhat.com> In-Reply-To: <4BC4678E.807@redhat.com> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov > xdm_t uses /sbin/unix_chkpwd to read the shadow file. > The pam stack will execute this program if it can not > read shadow directly. In Fedora and RHEL products we > now attempt to execute /sbin/unix_chkpwd first and then > fail over to trying to read the shadow file. I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i? -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id o3DFHXCj009885 for ; Tue, 13 Apr 2010 11:17:33 -0400 Received: from mx1.redhat.com (localhost [127.0.0.1]) by msux-gh1-uea02.nsa.gov (8.12.10/8.12.10) with ESMTP id o3DFIOr0005378 for ; Tue, 13 Apr 2010 15:18:24 GMT Message-ID: <4BC48B07.1080708@redhat.com> Date: Tue, 13 Apr 2010 11:17:27 -0400 From: Daniel J Walsh MIME-Version: 1.0 To: Alan Rouse CC: SE-Linux Subject: Re: AVC accesing shadow during gnome login References: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> <4BC4678E.807@redhat.com> <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE96F@EUSAACMS0703.eamcs.ericsson.se> In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE96F@EUSAACMS0703.eamcs.ericsson.se> Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/13/2010 10:10 AM, Alan Rouse wrote: >> xdm_t uses /sbin/unix_chkpwd to read the shadow file. >> The pam stack will execute this program if it can not >> read shadow directly. In Fedora and RHEL products we >> now attempt to execute /sbin/unix_chkpwd first and then >> fail over to trying to read the shadow file. > > I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i? > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > > We are only enforcing neverallow at build time, because of the speed of the compiler. You can turn it on by editing /etc/selinux/semange.conf and turning on expand-check=1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvEiwcACgkQrlYvE4MpobNKzgCgtJcuNDca4tQ+06BezbiIdvAI VdsAn1e8LzjG+ZnzT+ckAYCygScnwwGK =RsH6 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.