From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 26 Sep 2008 08:45:09 -0400
Subject: [refpolicy] useradd/passwd patch
In-Reply-To: <200809260657.50453.russell@coker.com.au>
References: <48DAB33E.3030209@kutulu.org> <200809251712.08588.russell@coker.com.au> <48DBF07B.30000@redhat.com> <200809260657.50453.russell@coker.com.au>
Message-ID: <48DCD955.8080409@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Russell Coker wrote:
> On Friday 26 September 2008 06:11, Daniel J Walsh wrote:
>> Perhaps they are using pam to verify password entry, pam defaults to
>> unix_chkpwd so this could cause the avc. I don't see where this is a
>> problem though.
>
> Since when does PAM default to unix_chkpwd?
>
> When I first wrote the code and policy for this PAM had special-case code to
> only call unix_chkpwd in the case of a non-root caller.
>

And I believe that has changed. Since we're having to dontaudit read of
shadow for all pam apps, while if they try to use unix_chkpwd first we
don't need the dontaudit rule. Then if a domain suddenly tries to read
shadow, we have an idea that there is some problem.

> It might make some sense to only check the password in one way (IE call the
> executable even when running as root without SE Linux) as it's not something
> that happens often enough to cause performance. But in that case I think
> that the suitably privileged domains should be permitted to execute
> unix_chkpwd in the same domain.
>

And how is this more or less secure?