From mboxrd@z Thu Jan 1 00:00:00 1970 From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 4 Apr 2013 15:23:45 -0400 Subject: [refpolicy] [PATCH v2 1/1] chfn_t reads in file context information and executes nscd In-Reply-To: <20130404165541.GA12515@siphos.be> References: <20130404165541.GA12515@siphos.be> Message-ID: <515DD341.4070005@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/04/13 12:55, Sven Vermeulen wrote: > The chsh application (which runs in the chfn_t domain) requires read access on > the file context definitions. If not, the following error occurs: Merged. > Changing the login shell for root > Enter the new value, or press ENTER for the default > Login Shell [/bin/zsh]: /bin/bash > chsh: failure while writing changes to /etc/passwd > > The following AVC denials are shown: > > Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585): > avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0" > ino=23724520 scontext=staff_u:sysadm_r:chfn_t > tcontext=system_u:object_r:selinux_config_t tclass=dir > > In permissive mode, this goes up to: > > Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566): > avc: denied { open } for pid=18195 comm="chsh" > path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403 > scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t > tclass=file > > Hence, adding in seutil_read_file_contexts(). > > A second error is that chsh, if available, wants to execute nscd: > > Changing the login shell for root > Enter the new value, or press ENTER for the default > Login Shell [/bin/sh]: /bin/bash > chsh: cannot execute /usr/sbin/nscd: Permission denied > chsh: nscd exited with status 126 > chsh: Failed to flush the nscd cache. > chsh: cannot execute /usr/sbin/nscd: Permission denied > chsh: nscd exited with status 126 > chsh: Failed to flush the nscd cache. > chsh: cannot execute /usr/sbin/nscd: Permission denied > chsh: nscd exited with status 126 > chsh: Failed to flush the nscd cache. > > Similar to most other user admin utilities, we grant it the rights to run nscd. > > Changes since v1 > - Removed seutil_dontaudit_search_config() call > > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/usermanage.te | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te > index d555767..410f0d5 100644 > --- a/policy/modules/admin/usermanage.te > +++ b/policy/modules/admin/usermanage.te > @@ -125,14 +125,17 @@ miscfiles_read_localization(chfn_t) > > logging_send_syslog_msg(chfn_t) > > -# uses unix_chkpwd for checking passwords > -seutil_dontaudit_search_config(chfn_t) > +seutil_read_file_contexts(chfn_t) > > userdom_use_unpriv_users_fds(chfn_t) > # user generally runs this from their home directory, so do not audit a search > # on user home dir > userdom_dontaudit_search_user_home_content(chfn_t) > > +optional_policy(` > + nscd_run(chfn_t, chfn_roles) > +') > + > ######################################## > # > # Crack local policy > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com