Date: Sun, 1 Sep 2019 13:36:34 +0200
From: Dominick Grift
To: Nicolas Iooss
Cc: Chris PeBenito, selinux-refpolicy@vger.kernel.org
Subject: Re: [RFC] ssh: remove unconfined_shell_domtrans(sshd_t)
Message-ID: <20190901113634.GA152026@brutus.lan>
References: <20190831172713.140005-1-dac.override@gmail.com> <21a95013-0147-63fa-77ab-471ef24b0eb8@ieee.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Sun, Sep 01, 2019 at 01:19:56PM +0200, Nicolas Iooss wrote:
> On Sat, Aug 31, 2019 at 10:54 PM Chris PeBenito wrote:
> >
> > On 8/31/19 1:27 PM, Dominick Grift wrote:
> > > This call allows sshd_t associated processes to run a shell with an automatic domain transition to unconfined_t.
> > > I was unable to make sense of the commit that added this:
> > >
> > > https://github.com/SELinuxProject/refpolicy/commit/708aab13932bb8830a2d37850cc0a5c72a5d4df4
> > >
> > > Debian's motd dynamic pam module makes sshd run a shell, we want this shell to run with sshd_t instead of unconfined_t
> > >
> > > This patch will make the ssh_sysadm_login boolean apply to unconfined ssh logins.
> > > To me this makes sense, as unconfined_t is targeted equivalent to the strict sysadm_t.
> > > The boolean could however be renamed to the more generic ssh_priv_login name.
> > >
> > > Signed-off-by: Dominick Grift
> > > ---
> > >  policy/modules/services/ssh.te | 4 ----
> > >  1 file changed, 4 deletions(-)
> > >
> > > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> > > index 4e75b6e1..a99ad912 100644
> > > --- a/policy/modules/services/ssh.te
> > > +++ b/policy/modules/services/ssh.te
> > > @@ -328,10 +328,6 @@ optional_policy(`
> > >  	systemd_dbus_chat_logind(sshd_t)
> > >  ')
> > >
> > > -optional_policy(`
> > > -	unconfined_shell_domtrans(sshd_t)
> > > -')
> > > -
> > >  optional_policy(`
> > >  	xserver_domtrans_xauth(sshd_t)
> > >  	xserver_link_xdm_keys(sshd_t)
> >
> > I don't have any objections to this.
>
> Would it be possible to extend this patch to other callers of
> unconfined_shell_domtrans, like the patch below? It will help fix
> issues with Debian's PAM module that generates the MOTD (Message Of
> The Day) in a dynamic way, using shell commands (cf.
> https://wiki.debian.org/motd for more information: calling system()
> triggers a transition to system_u:system_r:unconfined_t because of
> unconfined_shell_domtrans).

Not sure about remotelogin and rshd (are people still using this?), but I do believe one should be able to remove it from local_login_t.

>
> diff --git a/policy/modules/services/remotelogin.te
> b/policy/modules/services/remotelogin.te
> index bc2292e37892..c7c9c5646785 100644
> --- a/policy/modules/services/remotelogin.te
> +++ b/policy/modules/services/remotelogin.te
> @@ -91,10 +91,6 @@ optional_policy(`
>  	telnet_use_ptys(remote_login_t)
>  ')
>
> -optional_policy(`
> -	unconfined_shell_domtrans(remote_login_t)
> -')
> -
>  optional_policy(`
>  	usermanage_read_crack_db(remote_login_t)
>  ')
> diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
> index 0f4caffc4f33..196ed2848e4b 100644
> --- a/policy/modules/services/rshd.te
> +++ b/policy/modules/services/rshd.te
> @@ -74,6 +74,5 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> -	unconfined_shell_domtrans(rshd_t)
>  	unconfined_signal(rshd_t)
>  ')
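Review bot: on the ssh.te hunk, removing the unconfined_shell_domtrans(sshd_t) block only takes away the transition; nothing in the hunk shows that sshd_t may execute the shell in its own domain, so the motd case the thread describes ends in a denial rather than a shell running as sshd_t unless a corecmd_exec_shell(sshd_t) call (or equivalent) is already present elsewhere in ssh.te. The commit message also says ssh_sysadm_login will now govern unconfined logins, yet no hunk touches the boolean's gen_tunable description; that comment should state the new behaviour so policy users are not surprised by the change.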
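Review bot: on the remotelogin.te hunk, the only justification given in the thread (Debian's dynamic MOTD under sshd) does not cover remote_login_t, and the reply itself asks whether remotelogin is still used; this hunk would be better as its own commit with a rationale, and it needs the same check as ssh.te, namely that remote_login_t can still execute the shell in its own domain once the transition is gone.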
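Review bot: on the rshd.te hunk, dropping only the one line is correct because unconfined_signal(rshd_t) keeps the optional_policy block meaningful, unlike the other hunks where the whole block goes; the commit message should still say that rshd_t will now run shells in its own domain, and since the reply questions whether rshd is in use at all, consider splitting this hunk out so it can be reverted independently if it turns out to break an rsh deployment.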
> diff --git a/policy/modules/system/locallogin.te
> b/policy/modules/system/locallogin.te
> index a56f3d1fbe16..632d2542972d 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -200,10 +200,6 @@ optional_policy(`
>  	systemd_write_inherited_logind_sessions_pipes(local_login_t)
>  ')
>
> -optional_policy(`
> -	unconfined_shell_domtrans(local_login_t)
> -')
> -
>  optional_policy(`
>  	usermanage_read_crack_db(local_login_t)
>  ')
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
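Review bot: on the locallogin.te hunk, the thread offers no rationale for this file beyond "one should be able to remove it", so the commit message should spell out how unconfined console users still end up in unconfined_t once this shell transition is gone, and which shells executed by local_login_t are affected; as with ssh.te, the hunk shows nothing about local_login_t being allowed to execute the shell in its own domain, so confirm that permission exists before merging.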
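An audit helper, added here as an example and not part of refpolicy or of this thread: it scans .te source text for unconfined_shell_domtrans() callers and reports whether each call is alone in its optional_policy() block (so the whole block goes, as in the ssh.te hunk) or shares it (so only the one line goes, as in the rshd.te hunk). The .te excerpt it runs on is constructed in the style of those files.

```python
# Added example, not refpolicy code: audit .te sources for callers of
# unconfined_shell_domtrans() and say whether each call is alone in its block.
import re

CALL_RE = re.compile(r"^\s*unconfined_shell_domtrans\(\s*(\w+)\s*\)\s*$")
BLOCK_OPEN_RE = re.compile(r"^\s*optional_policy\(`\s*$")
BLOCK_CLOSE_RE = re.compile(r"^\s*'\)\s*$")

# Constructed excerpt in the style of ssh.te and rshd.te; not the real files.
SAMPLE_TE = """\
optional_policy(`
    systemd_dbus_chat_logind(sshd_t)
')
optional_policy(`
    unconfined_shell_domtrans(sshd_t)
')
optional_policy(`
    unconfined_shell_domtrans(rshd_t)
    unconfined_signal(rshd_t)
')
"""

def find_shell_domtrans(te_source):
    """One dict per call: domain, line, sole_in_block (None if outside a block)."""
    hits, in_block, stmts = [], False, []
    for lineno, line in enumerate(te_source.splitlines(), 1):
        text = line.strip()
        if BLOCK_OPEN_RE.match(line):
            in_block, stmts = True, []
        elif in_block and BLOCK_CLOSE_RE.match(line):  # block closed
            for ln, dom in stmts:  # "sole" when nothing else sat in the block
                if dom is not None:
                    hits.append({"domain": dom, "line": ln, "sole_in_block": len(stmts) == 1})
            in_block = False
        elif text and not text.startswith("#"):
            m = CALL_RE.match(line)
            dom = m.group(1) if m else None
            if in_block:
                stmts.append((lineno, dom))
            elif dom is not None:  # unconditional call outside optional_policy()
                hits.append({"domain": dom, "line": lineno, "sole_in_block": None})
    return hits

def report(te_source):
    """Review-friendly lines: which domain gets the transition and what to remove."""
    advice = {True: "drop the whole optional_policy block",
              False: "drop only this line", None: "unconditional call"}
    return [f"line {h['line']}: {h['domain']} -> unconfined_t on shell exec; "
            f"{advice[h['sole_in_block']]}" for h in find_shell_domtrans(te_source)]
```

Running report() over a whole policy tree (one file at a time) lists every login or service domain whose shells silently become unconfined_t, which is the set of callers this thread is working through.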