From: "Sugar, David"
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] Update cron use to pam interface
Date: Tue, 5 Mar 2019 22:33:50 +0000
Message-ID: <20190305223316.19127-1-dsugar@tresys.com>

I'm seeing many denials for cron related to faillog_t, lastlog_t and wtmp_t. These are all due to the fact that cron is using pam (and my system is configured with pam_faillog). I have updated cron to use the auth_use_pam interface to grant the needed permissions. Additional change to allow systemd_logind dbus for cron.

I have included many of the denials I'm seeing, but there are probably others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar
---
 policy/modules/services/cron.te    | 4 ++--
 policy/modules/system/authlogin.if | 3 +--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 3cb4cd65..4c2bccf4 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -310,9 +310,8 @@ init_start_all_units(system_cronjob_t) init_get_generic_units_status(system_cronjob_t) init_get_system_status(system_cronjob_t) =20 -auth_domtrans_chk_passwd(crond_t) auth_manage_var_auth(crond_t) -auth_use_nsswitch(crond_t) +auth_use_pam(crond_t) =20 logging_send_audit_msgs(crond_t) logging_send_syslog_msg(crond_t) @@ -434,6 +433,7 @@ optional_policy(` ') =20 optional_policy(` + systemd_dbus_chat_logind(crond_t) systemd_write_inherited_logind_sessions_pipes(crond_t) ') =20 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/aut= hlogin.if index 0153ab07..fe9ca3bb 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -51,10 +51,9 @@ interface(`auth_use_pam',` auth_domtrans_chk_passwd($1) auth_domtrans_upd_passwd($1) auth_dontaudit_read_shadow($1) - auth_read_login_records($1) - auth_append_login_records($1) auth_rw_lastlog($1) auth_rw_faillog($1) + auth_rw_login_records($1) auth_setattr_faillog_files($1) auth_exec_pam($1) auth_use_nsswitch($1) --=20 2.20.1
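Review bot: in the cron.te hunk at @@ -310, swapping auth_domtrans_chk_passwd(crond_t) and auth_use_nsswitch(crond_t) for auth_use_pam(crond_t) is a net widening rather than a one-for-one replacement, because the authlogin.if hunk shows auth_use_pam also granting auth_domtrans_upd_passwd, auth_exec_pam, auth_rw_faillog and auth_setattr_faillog_files; none of the quoted denials involve upd_passwd or executing PAM helpers, and the faillog_t denial named in the message is not among the quoted records either, so the commit message should say explicitly that the wider grant is the intended result of moving crond onto the PAM interface. auth_manage_var_auth(crond_t) is kept alongside auth_use_pam(crond_t); worth confirming it is still needed once the interface is in use.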
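Review bot: the new systemd_dbus_chat_logind(crond_t) line in the cron.te hunk at @@ -434 covers the USER_AVC send_msg denial from crond_t to systemd_logind_t (CreateSession on org.freedesktop.login1.Manager), but the quoted getattr denial on /proc/9183/cgroup has scontext systemd_logind_t and tcontext crond_t, that is, logind reading crond's process state, and nothing in this patch addresses that direction; either add the matching rule on the logind side or state in the commit message that it is deliberately left for a separate change. Placing the call inside the existing optional_policy block next to systemd_write_inherited_logind_sessions_pipes(crond_t) is the right spot.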
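Review bot: the authlogin.if hunk at @@ -51 changes what auth_use_pam grants on login records from read plus append (auth_read_login_records, auth_append_login_records) to full read/write (auth_rw_login_records), and because this sits inside interface(`auth_use_pam') the widening applies to every domain that calls the interface, not only crond_t; the quoted evidence is a single { write } (plus open) on wtmp_t from crond, so the commit message should state that in-place writes to wtmp are required by the PAM stack in general and that all auth_use_pam callers are meant to receive them. If that is not the intent, leave the interface alone and add auth_rw_login_records(crond_t) in cron.te instead.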
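Added example, not part of the patch or of refpolicy: a small Python parser that folds the AVC and USER_AVC denials quoted in the message into the (source type, target type, class) to permission-set form a policy writer maps onto refpolicy interfaces; the record lines are decoded copies of the ones above, and the names SAMPLE_AUDIT, aggregate_denials and format_allow_rules are mine.

```python
import re
from collections import defaultdict

# Audit records copied (quoted-printable decoded) from the denials quoted
# above; a SYSCALL record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT = r"""
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 pid=8807 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# One pattern serves both record kinds: a kernel AVC record carries the
# denial at top level, a USER_AVC record (dbus acting as userspace object
# manager) nests the same text inside msg='...'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def aggregate_denials(audit_text):
    """Collapse denials into {(source type, target type, class): set of perms}.
    Records without a denial (SYSCALL, USER_START, CRED_*) are skipped."""
    needed = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def format_allow_rules(needed):
    """Render the aggregate as raw allow rules (what audit2allow would print),
    which a reviewer then maps onto refpolicy interfaces rather than applying."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(needed.items())]

if __name__ == "__main__":
    for rule in format_allow_rules(aggregate_denials(SAMPLE_AUDIT)):
        print(rule)
```

The fourth rule it prints, systemd_logind_t reading a crond_t file, is the one the patch does not cover, which is exactly the kind of gap this aggregation makes visible.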