From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Fwd: SSSD Local Auth and SELinux support]
Date: Wed, 6 Jul 2011 09:48:57 -0400
Message-ID: <4E1467C9.2090403@tresys.com>
In-Reply-To: <1309897035.29086.4.camel@home.localdomain>

On 07/05/11 16:17, Matthew Ife wrote:
> This is an email I forwarded to the F15 selinux policy mailing list.
> 
> As suggested, I forward the email and the attached patch which attempts
> to resolve what I discussed.
> 
> If you have any questions please let me know. This was a patch applied
> to refpolicy.

If we're looking to go down this road, then we have to consider other
sources of authentication, such as nis, kerberos, and samba/winbind.

This may cause problems with package managers trying to
install/initialize the database for the first time, which is a concern.

There are a few problems (see inline):

> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 6776b69..9f36e81 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
>  # for installing kernel packages
>  storage_raw_read_fixed_disk(dpkg_t)
>  
> -auth_relabel_all_files_except_shadow(dpkg_t)
> -auth_manage_all_files_except_shadow(dpkg_t)
> +auth_relabel_all_files_except_auth_files(dpkg_t)
> +auth_manage_all_files_except_auth_files(dpkg_t)
>  auth_dontaudit_read_shadow(dpkg_t)
>  
>  files_exec_etc_files(dpkg_t)
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>  
>  auth_dontaudit_getattr_shadow(dpkg_script_t)
>  # ideally we would not need this
> -auth_manage_all_files_except_shadow(dpkg_script_t)
> +auth_manage_all_files_except_auth_files(dpkg_script_t)
>  
>  init_domtrans_script(dpkg_script_t)
>  init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 9a2c2a1..0f27b1c 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -170,9 +170,9 @@ interface(`portage_compile_domain',`
>  	# needed for merging dbus:
>  	selinux_compute_access_vector($1)
>  
> -	auth_read_all_dirs_except_shadow($1)
> -	auth_read_all_files_except_shadow($1)
> -	auth_read_all_symlinks_except_shadow($1)
> +	auth_read_all_dirs_except_auth_files($1)
> +	auth_read_all_files_except_auth_files($1)
> +	auth_read_all_symlinks_except_auth_files($1)
>  
>  	libs_exec_lib_files($1)
>  	# some config scripts use ldd
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 47a8f7d..489d499 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>  
>  term_list_ptys(rpm_t)
>  
> -auth_relabel_all_files_except_shadow(rpm_t)
> -auth_manage_all_files_except_shadow(rpm_t)
> +auth_relabel_all_files_except_auth_files(rpm_t)
> +auth_manage_all_files_except_auth_files(rpm_t)
>  auth_dontaudit_read_shadow(rpm_t)
>  auth_use_nsswitch(rpm_t)
>  
> @@ -304,7 +304,7 @@ term_use_all_terms(rpm_script_t)
>  auth_dontaudit_getattr_shadow(rpm_script_t)
>  auth_use_nsswitch(rpm_script_t)
>  # ideally we would not need this
> -auth_manage_all_files_except_shadow(rpm_script_t)
> +auth_manage_all_files_except_auth_files(rpm_script_t)
>  auth_relabel_shadow(rpm_script_t)
>  
>  corecmd_exec_all_executables(rpm_script_t)
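
Review bot: in this rpm_script_t hunk the only access restored after the
wider exclusion is auth_relabel_shadow(), which covers shadow_t alone, so
package scriptlets will be unable to create or label any other type later
marked with files_auth_file(). Either add the manage/relabel access that
installing packages need for those types alongside this change, or state
in the description that each new auth file type must bring its own
package-manager rules.
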
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index fe1c377..775e5b1 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>  
>  # some config files do not have configfile attribute
>  # sosreport needs to read various files on system
> -auth_read_all_files_except_shadow(sosreport_t)
> +auth_read_all_files_except_auth_files(sosreport_t)
>  auth_use_nsswitch(sosreport_t)
>  
>  init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index d5aaf0e..c1eefd5 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>  
>  term_dontaudit_use_console(sxid_t)
>  
> -auth_read_all_files_except_shadow(sxid_t)
> +auth_read_all_files_except_auth_files(sxid_t)
>  auth_dontaudit_getattr_shadow(sxid_t)
>  
>  init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ff006ea..e1cd45f 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -49,6 +49,7 @@
>  ##		<li>init_script_file()</li>
>  ##		<li>init_script_domain()</li>
>  ##		<li>init_system_domain()</li>
> +##              <li>files_auth_file()</li>

Please use tabs.

>  ##		<li>files_config_files()</li>
>  ##		<li>files_lock_file()</li>
>  ##		<li>files_mountpoint()</li>
> @@ -215,6 +216,33 @@ interface(`files_pid_file',`
>  
>  ########################################
>  ## <summary>
> +##      Make the specified type a
> +##      authentication file.
> +## </summary>
> +## <desc>
> +##      <p>
> +##      Make the specified type an authentication file.
> +##      This will also make the type usable for security files, making
> +##      calls to files_security_file() redundant.
> +##      </p>
> +## </desc>

I don't agree with this assessment.  Security files are a superset of
authentication files.  In fact, I think the interface should likely call
files_security_file().  Additionally, this interface is in the wrong
module, it should be in the authlogin module, otherwise those interfaces
would be breaking encapsulation.

> +## <param name="auth_file">
> +##      <summary>
> +##      Type to be used as a authentication file.
> +##      </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`files_auth_file',`
> +        gen_require(`
> +                attribute auth_file_type;
> +        ')
> +        files_security_file($1)
> +        typeattribute $1 auth_file_type;
> +')
> +
> +########################################
> +## <summary>
>  ##	Make the specified type a
>  ##	configuration file.
>  ## </summary>
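
Review bot: the added files_auth_file() block, comments and body alike,
is indented with spaces where the surrounding context lines use tabs, and
both the summary and the param text read "a authentication file"; use
tabs and "an authentication file". The gen_require() here also names
auth_file_type, which this patch declares in authlogin.te, so files.if
would depend on an attribute owned by another module.
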
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d91c62f..e709b9f 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -334,9 +334,9 @@ optional_policy(`
>  		fs_read_noxattr_fs_files(kernel_t)
>  		fs_read_noxattr_fs_symlinks(kernel_t)
>  
> -		auth_read_all_dirs_except_shadow(kernel_t)
> -		auth_read_all_files_except_shadow(kernel_t)
> -		auth_read_all_symlinks_except_shadow(kernel_t)
> +		auth_read_all_dirs_except_auth_files(kernel_t)
> +		auth_read_all_files_except_auth_files(kernel_t)
> +		auth_read_all_symlinks_except_auth_files(kernel_t)
>  	')
>  
>  	tunable_policy(`nfs_export_all_rw',`
> @@ -345,7 +345,7 @@ optional_policy(`
>  		fs_read_noxattr_fs_files(kernel_t)
>  		fs_read_noxattr_fs_symlinks(kernel_t)
>  
> -		auth_manage_all_files_except_shadow(kernel_t)
> +		auth_manage_all_files_except_auth_files(kernel_t)
>  	')
>  ')
>  
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index be4de58..2de38b8 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
>  mls_file_downgrade(secadm_t)
>  
>  auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_shadow(secadm_t)
> +auth_relabel_all_files_except_auth_files(secadm_t)
>  auth_relabel_shadow(secadm_t)
>  
>  init_exec(secadm_t)
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 8a74a83..d670c61 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>  
>  tunable_policy(`allow_ftpd_full_access',`
>  	allow ftpd_t self:capability { dac_override dac_read_search };
> -	auth_manage_all_files_except_shadow(ftpd_t)
> +	auth_manage_all_files_except_auth_files(ftpd_t)
>  ')
>  
>  tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
>  tunable_policy(`sftpd_full_access',`
>  	allow sftpd_t self:capability { dac_override dac_read_search };
>  	fs_read_noxattr_fs_files(sftpd_t)
> -	auth_manage_all_files_except_shadow(sftpd_t)
> +	auth_manage_all_files_except_auth_files(sftpd_t)
>  ')
>  
>  tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 64c5f95..1201731 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -132,7 +132,7 @@ sysnet_dns_name_resolve(puppet_t)
>  sysnet_run_ifconfig(puppet_t, system_r)
>  
>  tunable_policy(`puppet_manage_all_files',`
> -	auth_manage_all_files_except_shadow(puppet_t)
> +	auth_manage_all_files_except_auth_files(puppet_t)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index 00fa514..c013749 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
>  #term_use_ptmx(rgmanager_t)
>  
>  # needed by resources scripts
> -auth_read_all_files_except_shadow(rgmanager_t)
> +auth_read_all_files_except_auth_files(rgmanager_t)
>  auth_dontaudit_getattr_shadow(rgmanager_t)
>  auth_use_nsswitch(rgmanager_t)
>  
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index b1468ed..958dc49 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
>  	dev_getattr_all_chr_files(nfsd_t)
>  
>  	fs_read_noxattr_fs_files(nfsd_t)
> -	auth_manage_all_files_except_shadow(nfsd_t)
> +	auth_manage_all_files_except_auth_files(nfsd_t)
>  ')
>  
>  tunable_policy(`nfs_export_all_ro',`
> @@ -170,8 +170,8 @@ tunable_policy(`nfs_export_all_ro',`
>  
>  	fs_read_noxattr_fs_files(nfsd_t)
>  
> -	auth_read_all_dirs_except_shadow(nfsd_t)
> -	auth_read_all_files_except_shadow(nfsd_t)
> +	auth_read_all_dirs_except_auth_files(nfsd_t)
> +	auth_read_all_files_except_auth_files(nfsd_t)
>  ')
>  
>  ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 39015ae..40463c8 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -125,9 +125,9 @@ tunable_policy(`rsync_export_all_ro',`
>  	fs_read_noxattr_fs_files(rsync_t) 
>  	fs_read_nfs_files(rsync_t)
>  	fs_read_cifs_files(rsync_t)
> -	auth_read_all_dirs_except_shadow(rsync_t)
> -	auth_read_all_files_except_shadow(rsync_t)
> -	auth_read_all_symlinks_except_shadow(rsync_t)
> +	auth_read_all_dirs_except_auth_files(rsync_t)
> +	auth_read_all_files_except_auth_files(rsync_t)
> +	auth_read_all_symlinks_except_auth_files(rsync_t)
>  	auth_tunable_read_shadow(rsync_t)
>  ')
>  auth_can_read_shadow_passwords(rsync_t)
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index e30bb63..06cc480 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -450,18 +450,18 @@ tunable_policy(`samba_create_home_dirs',`
>  
>  tunable_policy(`samba_export_all_ro',`
>  	fs_read_noxattr_fs_files(smbd_t) 
> -	auth_read_all_dirs_except_shadow(smbd_t)
> -	auth_read_all_files_except_shadow(smbd_t)
> +	auth_read_all_dirs_except_auth_files(smbd_t)
> +	auth_read_all_files_except_auth_files(smbd_t)
>  	fs_read_noxattr_fs_files(nmbd_t) 
> -	auth_read_all_dirs_except_shadow(nmbd_t)
> -	auth_read_all_files_except_shadow(nmbd_t)
> +	auth_read_all_dirs_except_auth_files(nmbd_t)
> +	auth_read_all_files_except_auth_files(nmbd_t)
>  ')
>  
>  tunable_policy(`samba_export_all_rw',`
>  	fs_read_noxattr_fs_files(smbd_t) 
> -	auth_manage_all_files_except_shadow(smbd_t)
> +	auth_manage_all_files_except_auth_files(smbd_t)
>  	fs_read_noxattr_fs_files(nmbd_t) 
> -	auth_manage_all_files_except_shadow(nmbd_t)
> +	auth_manage_all_files_except_auth_files(nmbd_t)
>  	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
>  ')
>  
> diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
> index 3d8d1b3..dd82b1c 100644
> --- a/policy/modules/services/snmp.te
> +++ b/policy/modules/services/snmp.te
> @@ -99,7 +99,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t)
>  storage_dontaudit_read_removable_device(snmpd_t)
>  
>  auth_use_nsswitch(snmpd_t)
> -auth_read_all_dirs_except_shadow(snmpd_t)
> +auth_read_all_dirs_except_auth_files(snmpd_t)
>  
>  init_read_utmp(snmpd_t)
>  init_dontaudit_write_utmp(snmpd_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 73554ec..7f224a2 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1169,12 +1169,12 @@ interface(`auth_delete_pam_console_data',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`auth_read_all_dirs_except_shadow',`
> +interface(`auth_read_all_dirs_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_read_all_dirs_except($1, $2 -shadow_t)
> +	files_read_all_dirs_except($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1195,12 +1195,12 @@ interface(`auth_read_all_dirs_except_shadow',`
>  ## </param>
>  ## <rolecap/>
>  #
> -interface(`auth_read_all_files_except_shadow',`
> +interface(`auth_read_all_files_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_read_all_files_except($1, $2 -shadow_t)
> +	files_read_all_files_except($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1220,12 +1220,12 @@ interface(`auth_read_all_files_except_shadow',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`auth_read_all_symlinks_except_shadow',`
> +interface(`auth_read_all_symlinks_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_read_all_symlinks_except($1, $2 -shadow_t)
> +	files_read_all_symlinks_except($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1246,7 +1246,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
>  ## </param>
>  #
>  
> -interface(`auth_relabel_all_files_except_shadow',`
> +interface(`auth_relabel_all_files_except_auth_files',`
>  	gen_require(`
>  		type shadow_t;
>  	')
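
Review bot: in auth_relabel_all_files_except_auth_files() only the
interface name changes; the gen_require() context still asks for
"type shadow_t;" and no body line is touched, unlike the read, rw and
manage interfaces, which switch to "attribute auth_file_type;" and
"-auth_file_type". If the body still excludes only shadow_t the new name
is misleading; update the require and the exclusion here as well.
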
> @@ -1272,12 +1272,12 @@ interface(`auth_relabel_all_files_except_shadow',`
>  ## </param>
>  #
>  
> -interface(`auth_rw_all_files_except_shadow',`
> +interface(`auth_rw_all_files_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_rw_all_files($1, $2 -shadow_t)
> +	files_rw_all_files($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1298,12 +1298,12 @@ interface(`auth_rw_all_files_except_shadow',`
>  ## </param>
>  #
>  
> -interface(`auth_manage_all_files_except_shadow',`
> +interface(`auth_manage_all_files_except_auth_files,`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_manage_all_files($1, $2 -shadow_t)
> +	files_manage_all_files($1, $2 -auth_file_type)
>  ')
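
Review bot: the new name on the interface( line of
auth_manage_all_files_except_auth_files is missing its closing quote: the
"+" line ends the name with a bare comma where the other interfaces have
a quote followed by the comma. The m4 quoting is unbalanced as written,
so the interface will not expand correctly; add the closing quote before
the comma.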

None of these interface renames are permissible, as it breaks
compatibility.  You need to add new interfaces, and deprecate the
"except_shadow" interfaces (see libs_use_lib_files() for an example).

>  ########################################
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index b7a5f00..00b9e8d 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -1,10 +1,9 @@
> -policy_module(authlogin, 2.2.1)
> -

I don't know why you would be doing this.

>  ########################################
>  #
>  # Declarations
>  #
>  
> +attribute auth_file_type;
>  attribute can_read_shadow_passwords;
>  attribute can_write_shadow_passwords;
>  attribute can_relabelto_shadow_passwords;
> @@ -50,7 +49,7 @@ type pam_var_run_t;
>  files_pid_file(pam_var_run_t)
>  
>  type shadow_t;
> -files_security_file(shadow_t)
> +files_auth_file(shadow_t)
>  neverallow ~can_read_shadow_passwords shadow_t:file read;
>  neverallow ~can_write_shadow_passwords shadow_t:file { create write };
>  neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
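
Review bot: shadow_t is the only type given files_auth_file() in the
hunks quoted here, so auth_file_type has the same single member that the
old "-shadow_t" exclusions named and the effective access is unchanged.
The types this is meant to protect need their own files_auth_file()
calls, in this patch or in a follow-up that the description points to.
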
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 15832c7..66aa503 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -142,8 +142,8 @@ ifdef(`distro_ubuntu',`
>  ')
>  
>  tunable_policy(`allow_mount_anyfile',`
> -	auth_read_all_dirs_except_shadow(mount_t)
> -	auth_read_all_files_except_shadow(mount_t)
> +	auth_read_all_dirs_except_auth_files(mount_t)
> +	auth_read_all_files_except_auth_files(mount_t)
>  	files_mounton_non_security(mount_t)
>  ')
>  
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 7ed9819..bef1885 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -323,8 +323,8 @@ selinux_compute_create_context(restorecond_t)
>  selinux_compute_relabel_context(restorecond_t)
>  selinux_compute_user_contexts(restorecond_t)
>  
> -auth_relabel_all_files_except_shadow(restorecond_t )
> -auth_read_all_files_except_shadow(restorecond_t)
> +auth_relabel_all_files_except_auth_files(restorecond_t )
> +auth_read_all_files_except_auth_files(restorecond_t)
>  auth_use_nsswitch(restorecond_t)
>  
>  locallogin_dontaudit_use_fds(restorecond_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 4b2878a..a64b4e0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1133,9 +1133,9 @@ template(`userdom_admin_user_template',`
>  
>  	auth_getattr_shadow($1_t)
>  	# Manage almost all files
> -	auth_manage_all_files_except_shadow($1_t)
> +	auth_manage_all_files_except_auth_files($1_t)
>  	# Relabel almost all files
> -	auth_relabel_all_files_except_shadow($1_t)
> +	auth_relabel_all_files_except_auth_files($1_t)
>  
>  	init_telinit($1_t)
>  
> @@ -1223,7 +1223,7 @@ template(`userdom_security_admin_template',`
>  	selinux_set_all_booleans($1)
>  	selinux_set_parameters($1)
>  
> -	auth_relabel_all_files_except_shadow($1)
> +	auth_relabel_all_files_except_auth_files($1)
>  	auth_relabel_shadow($1)
>  
>  	init_exec($1)



-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
