From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 26 Sep 2008 08:45:09 -0400
Subject: [refpolicy] useradd/passwd patch
In-Reply-To: <200809260657.50453.russell@coker.com.au>
References: <48DAB33E.3030209@kutulu.org>
	<200809251712.08588.russell@coker.com.au>
	<48DBF07B.30000@redhat.com>
	<200809260657.50453.russell@coker.com.au>
Message-ID: <48DCD955.8080409@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Coker wrote:
> On Friday 26 September 2008 06:11, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Perhaps they are using pam to verify password entry, pam defaults to
>> unix_chkpwd so this could cause the avc.  I don't see where this is a
>> problem though.
> 
> Since when does PAM default to unix_chkpwd?
> 
> When I first wrote the code and policy for this PAM had special-case code to 
> only call unix_chkpwd in the case of a non-root caller.
> 
And I believe that has changed.  Since were having to dontaudit read of
shadow for all pam apps, while if they try to use unix_chppwd first we
don't need the dontaudit rule.  Then if a domain suddenly tries to read
shadow, we have an idea that there is some problem.
> It might make some sense to only check the password in one way (IE call the 
> executable even when running as root without SE Linux) as it's not something 
> that happens often enough to cause performance.  But in that case I think 
> that the suitably privileged domains should be permitted to execute 
> unix_chkpwd in the same domain.
> 
And how is this more or less secure?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjc2VUACgkQrlYvE4MpobOICwCdFHv5JZNwdc+qIwzywSl9YZWV
1zcAoJo/2HLijdsQyGt5iYKBmsp5XT8W
=bJWN
-----END PGP SIGNATURE-----