All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [PATCH v2 1/1] chfn_t reads in file context information and executes nscd
@ 2013-04-04 16:55 Sven Vermeulen
  2013-04-04 19:23 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Vermeulen @ 2013-04-04 16:55 UTC (permalink / raw)
  To: refpolicy

The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:

Changing the login shell for root
Enter the new value, or press ENTER for the default
	Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd

The following AVC denials are shown:

Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc:  denied  { search } for  pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir

In permissive mode, this goes up to:

Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc:  denied  { open } for  pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file

Hence, adding in seutil_read_file_contexts().

A second error is that chsh, if available, wants to execute nscd:

Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.

Similar to most other user admin utilities, we grant it the rights to run nscd.

Changes since v1
- Removed seutil_dontaudit_search_config() call

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/usermanage.te | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d555767..410f0d5 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -125,14 +125,17 @@ miscfiles_read_localization(chfn_t)
 
 logging_send_syslog_msg(chfn_t)
 
-# uses unix_chkpwd for checking passwords
-seutil_dontaudit_search_config(chfn_t)
+seutil_read_file_contexts(chfn_t)
 
 userdom_use_unpriv_users_fds(chfn_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(chfn_t)
 
+optional_policy(`
+	nscd_run(chfn_t, chfn_roles)
+')
+
 ########################################
 #
 # Crack local policy
-- 
1.8.1.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-04-04 19:23 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-04-04 16:55 [refpolicy] [PATCH v2 1/1] chfn_t reads in file context information and executes nscd Sven Vermeulen
2013-04-04 19:23 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.