From: Daniel J Walsh <dwalsh@redhat.com>
To: Alan Rouse <alan.rouse@ericsson.com>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: AVC accesing shadow during gnome login
Date: Tue, 13 Apr 2010 11:17:27 -0400
Message-ID: <4BC48B07.1080708@redhat.com>
In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE96F@EUSAACMS0703.eamcs.ericsson.se>
On 04/13/2010 10:10 AM, Alan Rouse wrote:
>> xdm_t uses /sbin/unix_chkpwd to read the shadow file.
>> The pam stack will execute this program if it can not
>> read shadow directly. In Fedora and RHEL products we
>> now attempt to execute /sbin/unix_chkpwd first and then
>> fail over to trying to read the shadow file.
>
> I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb <specfile> command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i?
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
>
We are only enforcing neverallow at build time, because of the speed of
the compiler.
You can turn it on by editing /etc/selinux/semanage.conf and turning on
expand-check=1
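The setting Dan points at is a one-line change in semanage.conf, but a file like that usually carries a commented-out `#expand-check=1` next to a live `expand-check=0`, and only the uncommented line counts. The script below is an added example, not code from the thread or from the SELinux userspace project: it reports the effective `expand-check` value of a semanage.conf-style file, switches it on without leaving a duplicate line behind, and runs a quick grep over an audit2allow-generated `.te` file for allow rules that target `shadow_t`, the kind of rule the neverallow would reject once `expand-check=1` makes `semodule -i` check it. The sample config and the sample module are constructed inline; the function names are this example's own, and the real path is `/etc/selinux/semanage.conf`.

```shell
#!/bin/sh
# Added example (not from the thread): inspect/enable expand-check and
# pre-screen an audit2allow module for shadow_t access.

# Print the effective expand-check value: the last uncommented
# "expand-check=<0|1>" line wins, "unset" if there is none.
effective_expand_check() {
    ec_val=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1)
    if [ -z "$ec_val" ]; then
        echo unset
    else
        echo "$ec_val"
    fi
}

# Rewrite FILE so that "expand-check=VALUE" is the effective setting.
# An existing live line is replaced in place; otherwise one is appended.
# Writes to a temp file and renames, so it works with any POSIX sed.
set_expand_check() {
    sec_file=$1
    sec_value=$2
    if grep -q '^[[:space:]]*expand-check[[:space:]]*=' "$sec_file"; then
        sed "s/^[[:space:]]*expand-check[[:space:]]*=.*/expand-check=$sec_value/" \
            "$sec_file" > "$sec_file.tmp" && mv "$sec_file.tmp" "$sec_file"
    else
        printf 'expand-check=%s\n' "$sec_value" >> "$sec_file"
    fi
}

# Count allow rules in a .te file whose target type is shadow_t.
# A non-zero count is worth a look before "semodule -i": the refpolicy
# neverallow on shadow_t is exactly what rpmbuild tripped over.
count_shadow_allows() {
    grep -c '^[[:space:]]*allow[[:space:]].*[[:space:]]shadow_t:' "$1" || true
}

# --- stand-alone demo on constructed input ---
if [ "${EXPAND_CHECK_DEMO:-1}" = 1 ]; then
    demo_conf=$(mktemp)
    demo_te=$(mktemp)

    # Constructed semanage.conf: the weak setting (0) is the live one,
    # the "1" is only a comment, so neverallow is not checked by semodule.
    cat > "$demo_conf" <<'EOF'
# constructed sample, modelled on /etc/selinux/semanage.conf
module-store = direct
#expand-check=1
expand-check=0
EOF

    # Constructed audit2allow output of the kind the thread describes.
    cat > "$demo_te" <<'EOF'
module xdmshadow 1.0;
require {
    type xdm_t;
    type shadow_t;
    class file read;
}
allow xdm_t shadow_t:file read;
EOF

    echo "expand-check before: $(effective_expand_check "$demo_conf")"
    set_expand_check "$demo_conf" 1
    echo "expand-check after:  $(effective_expand_check "$demo_conf")"
    echo "allow rules on shadow_t in module: $(count_shadow_allows "$demo_te")"

    rm -f "$demo_conf" "$demo_te"
fi
```

Run it as-is to see the constructed config flip from 0 to 1 and the sample module flagged; set `EXPAND_CHECK_DEMO=0` to source only the functions and point them at a real config copy. Turning `expand-check` on is what makes `semodule -i` apply the same neverallow check that the build did, at the cost of the slower expansion Dan mentions.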
Thread overview:
2010-04-12 19:24 AVC accesing shadow during gnome login Alan Rouse
2010-04-13 1:23 ` Justin P. mattock
2010-04-13 12:46 ` Daniel J Walsh
2010-04-13 14:10 ` Alan Rouse
2010-04-13 15:17 ` Daniel J Walsh [this message]