Date: Wed, 4 Sep 2019 09:25:10 +0200
From: Dominick Grift
To: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Remove shell automatic domain transitions to unconfined_t from various pam login programs
Message-ID: <20190904072510.GB923044@brutus.lan>
In-Reply-To: <20190901124620.375409-1-dac.override@gmail.com>

On Sun, Sep 01, 2019 at 02:46:20PM +0200, Dominick Grift wrote:
> I think these may have been adopted from the old Red Hat targeted policy (that model only had unconfined users)

Was this overlooked?

>
> Some aspects to note:
>
> 1. The ssh_sysadm_login boolean now applies to unconfined_t as well
> 2. remotelogin only allows unpriv logins
>
> The rshd module also calls unconfined_shell_domtrans() but I ignored that one because that policy currently does not have support for manual transitions with pam_selinux.
>
> Signed-off-by: Dominick Grift
> ---
> policy/modules/services/remotelogin.te | 4 ----
> policy/modules/services/ssh.te | 4 ----
> policy/modules/system/locallogin.te | 4 ----
> 3 files changed, 12 deletions(-)
>
> diff --git a/policy/modules/services/remotelogin.te b/policy/modules/serv= ices/remotelogin.te > index bc2292e3..c7c9c564 100644 > --- a/policy/modules/services/remotelogin.te > +++ b/policy/modules/services/remotelogin.te
> @@ -91,10 +91,6 @@ optional_policy(` > telnet_use_ptys(remote_login_t) > ') > =20 > -optional_policy(` > - unconfined_shell_domtrans(remote_login_t) > -') > - > optional_policy(` > usermanage_read_crack_db(remote_login_t) > ') > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh= =2Ete > index 4e75b6e1..a99ad912 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te > @@ -328,10 +328,6 @@ optional_policy(` > systemd_dbus_chat_logind(sshd_t) > ') > =20 > -optional_policy(` > - unconfined_shell_domtrans(sshd_t) > -') > - > optional_policy(` > xserver_domtrans_xauth(sshd_t) > xserver_link_xdm_keys(sshd_t) > diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/= locallogin.te > index a56f3d1f..632d2542 100644 > --- a/policy/modules/system/locallogin.te > +++ b/policy/modules/system/locallogin.te 
> @@ -200,10 +200,6 @@ optional_policy(` > systemd_write_inherited_logind_sessions_pipes(local_login_t) > ') > =20 > -optional_policy(` > - unconfined_shell_domtrans(local_login_t) > -') > - > optional_policy(` > usermanage_read_crack_db(local_login_t) > ') > --=20 > 2.23.0 >=20
-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
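Review bot: for the remotelogin.te hunk (@@ -91,10 +91,6 @@), the commit message's only justification is that remotelogin allows unprivileged logins only; it should also state which domain a login for a user mapped to unconfined_u ends up in once `unconfined_shell_domtrans(remote_login_t)` is gone, so that anyone who later finds remote login sessions in a different domain can trace the change to this commit. The removal itself is clean: the whole `optional_policy(` block is dropped, so remote_login_t keeps no dangling reference to the unconfined module.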
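Review bot: the ssh.te hunk (@@ -328,10 +328,6 @@) is a user-visible behaviour change that the commit message only mentions in passing ("The ssh_sysadm_login boolean now applies to unconfined_t as well"); that consequence belongs in the boolean's description or the changelog as well, so administrators who relied on the automatic sshd_t to unconfined_t transition know they must now set ssh_sysadm_login. The hunk itself is fine: the full `optional_policy(` block is removed and the neighbouring `xserver_domtrans_xauth(sshd_t)` block is untouched.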
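Review bot: the locallogin.te hunk (@@ -200,10 +200,6 @@) is the one the commit message says nothing about: the two noted aspects cover ssh and remotelogin only. Since the message cites missing pam_selinux manual-transition support as the reason for leaving rshd alone, it should say explicitly that local_login_t now depends on that same pam_selinux mechanism to reach unconfined_t, and name the domain an unconfined_u user lands in on a console login if it is not configured. A sentence on how the three login paths were tested with an unconfined_u user would also help, given that one commit changes all three modules.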