Subject: Re: nss-systemd D-Bus call caused by getpwent
To: Dominick Grift, Nicolas Iooss
Cc: selinux-refpolicy@vger.kernel.org
References: <87lg3y8ckd.fsf@gmail.com>
From: Chris PeBenito
Date: Sun, 6 Jan 2019 13:56:19 -0500
In-Reply-To: <87lg3y8ckd.fsf@gmail.com>

On 1/6/19 2:33 AM, Dominick Grift wrote:
> Nicolas Iooss writes:
>
>> Hi,
>> While testing the current master branch of refpolicy on Arch Linux, I
>> encountered the following denial:
>>
>> type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
>> msg='avc: denied { send_msg } for msgtype=method_call
>> interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
>> dest=org.freedesktop.systemd1 spid=14828 tpid=1
>> scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t
>> tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81
>> hostname=? addr=? terminal=?'
>>
>> My OpenSSH server is calling GetDynamicUsers() exposed by systemd over
>> D-Bus. This call comes from systemd's NSSwitch module and occurs when
>> OpenSSH calls setpwent() to get information about a user
>> (https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).
>> How should this be handled by refpolicy? For example, would adding a
>> call to init_dbus_chat(nsswitch_domain) in an ifdef(`init_systemd')
>> block be acceptable? This would allow any callers of
>> auth_use_nsswitch() to be able to communicate with systemd's PID 1
>> over D-Bus.
>
> FWIW I have this in my nss macro too. However, I have two nss macros, one
> base macro and one superset that has this call amongst others
> (mymachines, resolve, etc.). I only give nss base access to my confined
> users since they will never have access to any objects associated with
> userns uids/gids anyways, so they shouldn't get into a position where they
> need to resolve them (except confined sysadm).

I've been dissatisfied with what auth_use_nsswitch() and auth_use_pam()
have turned into, as I think they're too big. It's not an easy thing to
define due to them being inherently extensible. What you describe is one
possible good direction to go towards. I was also concerned about all of
the network access that is allowed by it and thought about splitting out
the local accesses into a base interface.

-- 
Chris PeBenito
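As an added example (not code from refpolicy, and not written by any of the participants above), the following refpolicy-style m4 fragment sketches the base/superset split discussed in the thread: a base interface that only tags the caller with the existing nsswitch_domain attribute, and an extended interface that additionally grants the systemd PID 1 D-Bus access the quoted USER_AVC denial asks for, gated on the init_systemd build option as Nicolas proposed. The interface names auth_use_nsswitch_base and auth_use_nsswitch_extended are invented for illustration; init_dbus_chat, nsswitch_domain and init_systemd are the real refpolicy names already mentioned in the thread. Apostrophes are deliberately absent from the comments because m4 treats them as quote characters.

```m4
# Added example, not refpolicy code. The interface names
# auth_use_nsswitch_base and auth_use_nsswitch_extended are assumed
# for illustration; nsswitch_domain, init_dbus_chat and init_systemd
# are existing refpolicy names.

########################################
## <summary>
##	Base NSS access: local name-service sources only.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_use_nsswitch_base',`
	gen_require(`
		attribute nsswitch_domain;
	')

	# Rules written against nsswitch_domain in authlogin.te (local
	# files, caches and sockets of local name services) keep applying
	# through the attribute; nothing network-facing is granted here.
	typeattribute $1 nsswitch_domain;
')

########################################
## <summary>
##	Extended NSS access: base access plus resolvers that reach
##	beyond the local passwd/group files, including the nss-systemd
##	dynamic-user lookup over D-Bus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_use_nsswitch_extended',`
	auth_use_nsswitch_base($1)

	# nss-systemd calls org.freedesktop.systemd1.Manager.GetDynamicUsers
	# on PID 1 (init_t) from setpwent(). Only systemd builds need the
	# dbus send_msg permission, so it is gated on init_systemd; this is
	# the rule whose absence produced the quoted denial.
	ifdef(`init_systemd',`
		init_dbus_chat($1)
	')

	# Network-backed sources (LDAP, NIS, DNS) would be added here with
	# the existing corenet_* and sysnet_* interfaces; omitted in this
	# sketch, which only shows the split itself.
')
```

A domain that today calls auth_use_nsswitch() and actually needs dynamic-user or network resolution would move to the extended interface, while confined user domains that only ever consult local passwd/group data would take the base one, which matches what Dominick describes. The quoted denial (scontext sshd_t, tcontext init_t, tclass dbus, permission send_msg) is exactly the access init_dbus_chat() grants, so with the extended interface applied to the calling domain the audit record would no longer appear; without it, the record remains a useful detection signal that some domain is resolving users through nss-systemd.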