The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd
The following AVC denials are shown:
Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
In permissive mode, this goes up to:
Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc: denied { open } for pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file
Hence, adding in seutil_read_file_contexts().
A second error is that chsh, if available, wants to execute nscd:
Changing the login shell for root
Enter the new value, or press ENTER for the default
Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
Similar to most other user admin utilities, we grant it the rights to run nscd.
Changes since v1
- Removed seutil_dontaudit_search_config() call
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/usermanage.te | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index d555767..410f0d5 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -125,14 +125,17 @@ miscfiles_read_localization(chfn_t)
logging_send_syslog_msg(chfn_t)
-# uses unix_chkpwd for checking passwords
-seutil_dontaudit_search_config(chfn_t)
+seutil_read_file_contexts(chfn_t)
userdom_use_unpriv_users_fds(chfn_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
+optional_policy(`
+ nscd_run(chfn_t, chfn_roles)
+')
+
########################################
#
# Crack local policy
--
1.8.1.5
On 04/04/13 12:55, Sven Vermeulen wrote:
> The chsh application (which runs in the chfn_t domain) requires read access on
> the file context definitions. If not, the following error occurs:
Merged.
> Changing the login shell for root
> Enter the new value, or press ENTER for the default
> Login Shell [/bin/zsh]: /bin/bash
> chsh: failure while writing changes to /etc/passwd
>
> The following AVC denials are shown:
>
> Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
> avc: denied { search } for pid=18281 comm="chsh" name="selinux" dev="dm-0"
> ino=23724520 scontext=staff_u:sysadm_r:chfn_t
> tcontext=system_u:object_r:selinux_config_t tclass=dir
>
> In permissive mode, this goes up to:
>
> Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
> avc: denied { open } for pid=18195 comm="chsh"
> path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
> scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
> tclass=file
>
> Hence, adding in seutil_read_file_contexts().
>
> A second error is that chsh, if available, wants to execute nscd:
>
> Changing the login shell for root
> Enter the new value, or press ENTER for the default
> Login Shell [/bin/sh]: /bin/bash
> chsh: cannot execute /usr/sbin/nscd: Permission denied
> chsh: nscd exited with status 126
> chsh: Failed to flush the nscd cache.
> chsh: cannot execute /usr/sbin/nscd: Permission denied
> chsh: nscd exited with status 126
> chsh: Failed to flush the nscd cache.
> chsh: cannot execute /usr/sbin/nscd: Permission denied
> chsh: nscd exited with status 126
> chsh: Failed to flush the nscd cache.
>
> Similar to most other user admin utilities, we grant it the rights to run nscd.
>
> Changes since v1
> - Removed seutil_dontaudit_search_config() call
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index d555767..410f0d5 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -125,14 +125,17 @@ miscfiles_read_localization(chfn_t)
>
> logging_send_syslog_msg(chfn_t)
>
> -# uses unix_chkpwd for checking passwords
> -seutil_dontaudit_search_config(chfn_t)
> +seutil_read_file_contexts(chfn_t)
>
> userdom_use_unpriv_users_fds(chfn_t)
> # user generally runs this from their home directory, so do not audit a search
> # on user home dir
> userdom_dontaudit_search_user_home_content(chfn_t)
>
> +optional_policy(`
> + nscd_run(chfn_t, chfn_roles)
> +')
> +
> ########################################
> #
> # Crack local policy
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com