From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Denial of cryptsetup reading cracklib database
Date: Wed, 27 Mar 2019 01:50:44 +0000
Message-ID: <20190327015033.10907-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

When setting up a LUKS encrypted partition, cryptsetup is reading the cracklib databases to ensure password strength. This is allowing the needed access.
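Reducing the AVC records quoted in this mail to the permissions a policy change must grant is the step that precedes choosing an interface such as usermanage_read_crack_db(). The Python below is an added example, not part of this mail or of refpolicy: it embeds the four denials from this mail as constructed sample input, parses them, collapses them to (source type, target type, class) with the union of denied permissions, renders the raw allow rules audit2allow would print, and separates the one record logged with permissive=0 (the access that actually failed) from the ones collected afterwards in permissive mode. The function names and the record layout are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this mail, decoded
# from quoted-printable. Any audit log lines of the same shape will do.
SAMPLE_AVC = """\
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
"""

# Shape: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def _type_of(context):
    """The third colon-separated field of an SELinux context is the type."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if whole.startswith('"') else bare
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "source": _type_of(fields["scontext"]),
        "target": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        # permissive=0 means the access was refused, not merely logged
        "enforced": fields.get("permissive") == "0",
    }


def parse_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize(records):
    """Collapse denials to {(source type, target type, class): sorted perms}."""
    needed = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            needed[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return {k: sorted(v) for k, v in sorted(needed.items())}


def to_allow_rules(summary):
    """Render the summary as raw TE allow rules, the form audit2allow prints.
    In refpolicy these are replaced by the interface call that grants them,
    not committed as raw rules."""
    rules = []
    for (src, tgt, cls), perms in summary.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


def enforced_denials(records):
    """Only these denials actually failed the caller; the rest were logged in
    permissive mode while the complete set of needed permissions was gathered."""
    return [r for r in records if r["result"] == "denied" and r["enforced"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AVC)
    for rule in to_allow_rules(summarize(recs)):
        print(rule)
    for r in enforced_denials(recs):
        print(f"blocked: {r['comm']} {sorted(r['perms'])} on {r['tclass']} {r['object']}")
```

Run stand-alone it prints one dir rule (search) and one file rule (getattr, open, read) for lvm_t on crack_db_t, which is the set of permissions the interface chosen in the patch has to cover, followed by the single denial that was taken in enforcing mode.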
type=AVC msg=audit(1553216939.261:2652): avc: denied { search } for pid=8107 comm="cryptsetup" name="cracklib" dev="dm-1" ino=6388736 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1553216980.909:2686): avc: denied { read } for pid=8125 comm="cryptsetup" name="pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2686): avc: denied { open } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwd" dev="dm-1" ino=6388748 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1553216980.909:2687): avc: denied { getattr } for pid=8125 comm="cryptsetup" path="/usr/share/cracklib/pw_dict.pwi" dev="dm-1" ino=6388749 scontext=sysadm_u:sysadm_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar
---
 policy/modules/system/lvm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ba64c39d..bb71e7b9 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -375,6 +375,10 @@ optional_policy(`
 udev_read_pid_files(lvm_t)
 ')
 
+optional_policy(`
+ usermanage_read_crack_db(lvm_t)
+')
+
 optional_policy(`
 virt_manage_images(lvm_t)
 ')
-- 
2.20.1
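Review bot: worth confirming that usermanage_read_crack_db(lvm_t) grants search on crack_db_t directories as well as read, open and getattr on crack_db_t files, since the first quoted denial is a dir search (logged with permissive=0, so it is the access that actually failed) while the other three are file permissions collected with permissive=1; an interface that covers only the files would leave the dir denial in place. The new block sits between the udev and virt optional_policy blocks, which keeps the file's alphabetical ordering. One documentation point: the commit message could state that cryptsetup runs in the lvm_t domain here, which is the reason the rule lands in lvm.te.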