From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.3.250]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id o3DFHXCj009885 for ; Tue, 13 Apr 2010 11:17:33 -0400 Received: from mx1.redhat.com (localhost [127.0.0.1]) by msux-gh1-uea02.nsa.gov (8.12.10/8.12.10) with ESMTP id o3DFIOr0005378 for ; Tue, 13 Apr 2010 15:18:24 GMT Message-ID: <4BC48B07.1080708@redhat.com> Date: Tue, 13 Apr 2010 11:17:27 -0400 From: Daniel J Walsh MIME-Version: 1.0 To: Alan Rouse CC: SE-Linux Subject: Re: AVC accesing shadow during gnome login References: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE523@EUSAACMS0703.eamcs.ericsson.se> <4BC4678E.807@redhat.com> <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE96F@EUSAACMS0703.eamcs.ericsson.se> In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F52E48FE96F@EUSAACMS0703.eamcs.ericsson.se> Content-Type: text/plain; charset=ISO-8859-1 Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/13/2010 10:10 AM, Alan Rouse wrote: >> xdm_t uses /sbin/unix_chkpwd to read the shadow file. >> The pam stack will execute this program if it can not >> read shadow directly. In Fedora and RHEL products we >> now attempt to execute /sbin/unix_chkpwd first and then >> fail over to trying to read the shadow file. > > I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i? > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with > the words "unsubscribe selinux" without quotes as the message. > > We are only enforcing neverallow at build time, because of the speed of the compiler. You can turn it on by editing /etc/selinux/semange.conf and turning on expand-check=1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkvEiwcACgkQrlYvE4MpobNKzgCgtJcuNDca4tQ+06BezbiIdvAI VdsAn1e8LzjG+ZnzT+ckAYCygScnwwGK =RsH6 -----END PGP SIGNATURE----- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.