AVC accesing shadow during gnome login

All of lore.kernel.org
 help / color / mirror / Atom feed

* AVC accesing shadow during gnome login
@ 2010-04-12 19:24 Alan Rouse
  2010-04-13  1:23 ` Justin P. mattock
  2010-04-13 12:46 ` Daniel J Walsh
  0 siblings, 2 replies; 5+ messages in thread
From: Alan Rouse @ 2010-04-12 19:24 UTC (permalink / raw)
  To: SE-Linux

[-- Attachment #1: Type: text/plain, Size: 920 bytes --]

I'm getting the following when I log in via the gnome login gui (OpenSUSE 11.2) with dontaudit turned off:

type=AVC msg=audit(1271099674.777:3): avc:  denied  { read } for  pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1271099674.780:4): avc:  denied  { open } for  pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1271099674.792:5): avc:  denied  { getattr } for  pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file

But I think the required access is prohibited via 'neverallow'.   Suggestions welcome.

Thanks




[-- Attachment #2: Type: text/html, Size: 1577 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: AVC accesing shadow during gnome login
  2010-04-12 19:24 AVC accesing shadow during gnome login Alan Rouse
@ 2010-04-13  1:23 ` Justin P. mattock
  2010-04-13 12:46 ` Daniel J Walsh
  1 sibling, 0 replies; 5+ messages in thread
From: Justin P. mattock @ 2010-04-13  1:23 UTC (permalink / raw)
  To: Alan Rouse; +Cc: SE-Linux

On 04/12/2010 12:24 PM, Alan Rouse wrote:
> I'm getting the following when I log in via the gnome login gui
> (OpenSUSE 11.2) with dontaudit turned off:
> type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475
> comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475
> comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for
> pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> But I think the required access is prohibited via 'neverallow'.
> Suggestions welcome.
> Thanks


I think shadow is always rejected by the policy,
and chkpwd is allowed.

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: AVC accesing shadow during gnome login
  2010-04-12 19:24 AVC accesing shadow during gnome login Alan Rouse
  2010-04-13  1:23 ` Justin P. mattock
@ 2010-04-13 12:46 ` Daniel J Walsh
  2010-04-13 14:10   ` Alan Rouse
  1 sibling, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2010-04-13 12:46 UTC (permalink / raw)
  To: Alan Rouse; +Cc: SE-Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/12/2010 03:24 PM, Alan Rouse wrote:
> I'm getting the following when I log in via the gnome login gui (OpenSUSE 11.2) with dontaudit turned off:
> 
> type=AVC msg=audit(1271099674.777:3): avc:  denied  { read } for  pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.780:4): avc:  denied  { open } for  pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.792:5): avc:  denied  { getattr } for  pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> 
> But I think the required access is prohibited via 'neverallow'.   Suggestions welcome.
> 
> Thanks
> 
> 
> 
> 

xdm_t uses /sbin/unix_chkpwd to read the shadow file.  The pam stack
will execute this program if it can not read shadow directly.  In Fedora
and RHEL products we now attempt to execute /sbin/unix_chkpwd first and
then fail over to trying to read the shadow file.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvEZ44ACgkQrlYvE4MpobPI9gCfWmdjXO2iYgqrVMbt8mayugYJ
OP0An043xjA72tP9svgx89XBXF3ZTlsI
=Qkji
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: AVC accesing shadow during gnome login
  2010-04-13 12:46 ` Daniel J Walsh
@ 2010-04-13 14:10   ` Alan Rouse
  2010-04-13 15:17     ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: Alan Rouse @ 2010-04-13 14:10 UTC (permalink / raw)
  To: SE-Linux

> xdm_t uses /sbin/unix_chkpwd to read the shadow file.  
> The pam stack will execute this program if it can not 
> read shadow directly.  In Fedora and RHEL products we 
> now attempt to execute /sbin/unix_chkpwd first and then 
> fail over to trying to read the shadow file.

I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball.  The rpmbuild -bb <specfile> command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!)  What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed.  Is that correct behavior for semodule -i?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: AVC accesing shadow during gnome login
  2010-04-13 14:10   ` Alan Rouse
@ 2010-04-13 15:17     ` Daniel J Walsh
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2010-04-13 15:17 UTC (permalink / raw)
  To: Alan Rouse; +Cc: SE-Linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/13/2010 10:10 AM, Alan Rouse wrote:
>> xdm_t uses /sbin/unix_chkpwd to read the shadow file.  
>> The pam stack will execute this program if it can not 
>> read shadow directly.  In Fedora and RHEL products we 
>> now attempt to execute /sbin/unix_chkpwd first and then 
>> fail over to trying to read the shadow file.
> 
> I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball.  The rpmbuild -bb <specfile> command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!)  What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed.  Is that correct behavior for semodule -i?
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
> 
> 
We are only enforcing neverallow at build time, because of the speed of
the compiler.


You can turn it on by editing /etc/selinux/semange.conf and turning on
expand-check=1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvEiwcACgkQrlYvE4MpobNKzgCgtJcuNDca4tQ+06BezbiIdvAI
VdsAn1e8LzjG+ZnzT+ckAYCygScnwwGK
=RsH6
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2010-04-13 15:17 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-04-12 19:24 AVC accesing shadow during gnome login Alan Rouse
2010-04-13  1:23 ` Justin P. mattock
2010-04-13 12:46 ` Daniel J Walsh
2010-04-13 14:10   ` Alan Rouse
2010-04-13 15:17     ` Daniel J Walsh

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.