Date: Fri, 21 Dec 2018 11:34:16 +0100
From: Dominick Grift
To: David Sugar
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH 2/2] pam_faillock creates files in /run/faillock
Message-ID: <20181221103416.GA4520@brutus.lan>
In-Reply-To: <20181221014026.2867-2-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote:
> These are changes needed when pam_faillock creates files in /run/faillock
> (which is labeled faillog_t). sudo and xdm (and probably other domains)
> will create files in this directory for successful and failed login
> attempts.

The pam stuff has become a bit broken in my view.

We used to use auth_use_pam() for these kinds of things but the interface was
forgotten and not updated properly.

So for example sudo does not even call auth_use_pam() and a lot of stuff was
added directly to the login_pgm domain that should have been added to
auth_use_pam() instead.

My opinion is that this belongs in auth_use_pam()

>
> type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar
> ---
>  policy/modules/admin/sudo.if       |  1 +
>  policy/modules/services/xserver.te |  1 +
>  policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
>  3 files changed, 22 insertions(+)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 7661a2f3..5fab0d04 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -113,6 +113,7 @@ template(`sudo_role_template',`
>  	term_relabel_all_ttys($1_sudo_t)
>  	term_relabel_all_ptys($1_sudo_t)
>  
> +	auth_create_faillog($1_sudo_t)
>  	auth_run_chk_passwd($1_sudo_t, $2)
>  	# sudo stores a token in the pam_pid directory
>  	auth_manage_pam_pid($1_sudo_t)
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 12ad3a87..fd89a95b 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -481,6 +481,7 @@ term_setattr_console(xdm_t)
>  term_use_unallocated_ttys(xdm_t)
>  term_setattr_unallocated_ttys(xdm_t)
>  
> +auth_create_faillog(xdm_t)
>  auth_domtrans_pam_console(xdm_t)
>  auth_manage_pam_pid(xdm_t)
>  auth_manage_pam_console_data(xdm_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 7f8c002e..5521aec3 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -744,6 +744,26 @@ interface(`auth_append_faillog',`
>  	allow $1 faillog_t:file append_file_perms;
>  ')
>  
> +########################################
> +##
> +##	Create fail log lock (in /run/faillock).
> +##
> +##
> +##
> +##	Domain allowed access.
> +##
> +##
> +#
> +interface(`auth_create_faillog',`
> +	gen_require(`
> +		type faillog_t;
> +	')
> +
> +	auth_rw_faillog($1)
> +	create_files_pattern($1, faillog_t, faillog_t)
> +	setattr_files_pattern($1, faillog_t, faillog_t)
> +')
> +
>  ########################################
>  ##
>  ##	Read and write the login failure log.
> -- 
> 2.19.2
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
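Review bot: the sudo.if hunk wires auth_create_faillog($1_sudo_t) into sudo_role_template directly, which means every other PAM-using domain that hits pam_faillock will need the same one-line addition; the reply above already makes the case that this belongs in auth_use_pam(), and since the reply also notes that sudo_role_template does not call auth_use_pam() at all, the cleaner fix is to add the faillock access to auth_use_pam() and make sudo_role_template call that interface, rather than growing another per-domain exception next to auth_run_chk_passwd and auth_manage_pam_pid.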
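Review bot: the xserver.te hunk has the same problem as the sudo.if one: auth_create_faillog(xdm_t) is a per-caller patch for a permission that belongs to PAM itself, so if the auth_use_pam() route is taken this line becomes redundant and should be dropped in the same series rather than left in place; on the positive side, the line is inserted in alphabetical position before auth_domtrans_pam_console(xdm_t), which matches the surrounding block.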
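Review bot: in the authlogin.if hunk the interface name and summary promise "create", but the body also calls auth_rw_faillog($1) and setattr_files_pattern($1, faillog_t, faillog_t), so a caller that only needs to create records also gets read/write and setattr on every faillog_t file; either name the interface after the full set it grants (the neighbouring auth_append_faillog, which allows only append_file_perms, is the model for a narrowly scoped interface) or say in the summary that read/write and setattr are included. The summary text "Create fail log lock" is also at odds with the commit message, which describes per-user files recording successful and failed login attempts in /run/faillock, so "Create pam_faillock records in /run/faillock" would describe it better.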
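The AVC denials David quotes are the permission set the new interface has to cover. As an added example (not part of this thread or of refpolicy), the following Python script parses those audit lines, copied from the message above, and aggregates them audit2allow-style into one allow rule per (source type, target type, object class), which is the minimal set a reviewer can check the patch against.

```python
import re
from collections import defaultdict

# AVC denials copied from the patch description above (permissive=1 means
# they were logged in permissive mode, not enforced).
AVC_LINES = """\
type=AVC msg=audit(1545153126.899:210): avc: denied { search } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { write } for pid=8448 comm="lightdm" name="faillock" dev="tmpfs" ino=39318 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { add_name } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545153131.090:214): avc: denied { create } for pid=8448 comm="lightdm" name="dsugar" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545153131.091:215): avc: denied { setattr } for pid=8448 comm="lightdm" name="dsugar" dev="tmpfs" ino=87599 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1545167205.531:626): avc: denied { search } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { write } for pid=8264 comm="sudo" name="faillock" dev="tmpfs" ino=35405 scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { add_name } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1545167205.531:627): avc: denied { create } for pid=8264 comm="sudo" name="root" scontext=sysadm_u:sysadm_r:cleaner_applyconfig_sudo_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:faillog_t:s0 tclass=file permissive=1
"""

# One denial line: the braces hold the permissions, then the two contexts
# and the object class follow as key=value fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def aggregate(lines):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; skip
        key = (type_of(m["sctx"]), type_of(m["tctx"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def allow_rules(needed):
    """Render the aggregate as sorted audit2allow-style allow rules."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(needed.items())
    ]

if __name__ == "__main__":
    for rule in allow_rules(aggregate(AVC_LINES)):
        print(rule)
```

Each rule is keyed on the type only, so the differing SELinux user on the last sudo denial (sysadm_u rather than system_u on the created file) does not split the result; the user field is still worth noticing because it shows the created record inherits the caller's user.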