From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 6 Jul 2011 09:48:57 -0400 Subject: [refpolicy] [Fwd: SSSD Local Auth and SELinux support] In-Reply-To: <1309897035.29086.4.camel@home.localdomain> References: <1309897035.29086.4.camel@home.localdomain> Message-ID: <4E1467C9.2090403@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com
On 07/05/11 16:17, Matthew Ife wrote:
> This is an email I forwarded to the F15 selinux policy mailing list.
>
> As suggested, I forward the email and the attached patch which attempts
> to resolve what I discussed.
>
> If you have any questions please let me know. This was a patch applied
> to refpolicy.
If we're looking to go down this road, then we have to consider other sources of authentication, such as nis, kerberos, and samba/winbind. This may cause problems with package managers trying to install/initialize the database for the first time, which is a concern. There are a few problems (see inline):
> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 6776b69..9f36e81 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
> # for installing kernel packages
> storage_raw_read_fixed_disk(dpkg_t)
>
> -auth_relabel_all_files_except_shadow(dpkg_t)
> -auth_manage_all_files_except_shadow(dpkg_t)
> +auth_relabel_all_files_except_auth_files(dpkg_t)
> +auth_manage_all_files_except_auth_files(dpkg_t)
> auth_dontaudit_read_shadow(dpkg_t)
>
> files_exec_etc_files(dpkg_t)
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>
> auth_dontaudit_getattr_shadow(dpkg_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_shadow(dpkg_script_t)
> +auth_manage_all_files_except_auth_files(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 9a2c2a1..0f27b1c 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -170,9 +170,9 @@ interface(`portage_compile_domain',`
> # needed for merging dbus:
> selinux_compute_access_vector($1)
>
> - auth_read_all_dirs_except_shadow($1)
> - auth_read_all_files_except_shadow($1)
> - auth_read_all_symlinks_except_shadow($1)
> + auth_read_all_dirs_except_auth_files($1)
> + auth_read_all_files_except_auth_files($1)
> + auth_read_all_symlinks_except_auth_files($1)
>
> libs_exec_lib_files($1)
> # some config scripts use ldd
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 47a8f7d..489d499 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>
> term_list_ptys(rpm_t)
>
> -auth_relabel_all_files_except_shadow(rpm_t)
> -auth_manage_all_files_except_shadow(rpm_t)
> +auth_relabel_all_files_except_auth_files(rpm_t)
> +auth_manage_all_files_except_auth_files(rpm_t)
> auth_dontaudit_read_shadow(rpm_t)
> auth_use_nsswitch(rpm_t)
>
> @@ -304,7 +304,7 @@ term_use_all_terms(rpm_script_t)
> auth_dontaudit_getattr_shadow(rpm_script_t)
> auth_use_nsswitch(rpm_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_shadow(rpm_script_t)
> +auth_manage_all_files_except_auth_files(rpm_script_t)
> auth_relabel_shadow(rpm_script_t)
>
> corecmd_exec_all_executables(rpm_script_t)
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index fe1c377..775e5b1 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>
> # some config files do not have configfile attribute
> # sosreport needs to read various files on system
> -auth_read_all_files_except_shadow(sosreport_t)
> +auth_read_all_files_except_auth_files(sosreport_t)
> auth_use_nsswitch(sosreport_t)
>
> init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index d5aaf0e..c1eefd5 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>
> term_dontaudit_use_console(sxid_t)
>
> -auth_read_all_files_except_shadow(sxid_t)
> +auth_read_all_files_except_auth_files(sxid_t)
> auth_dontaudit_getattr_shadow(sxid_t)
>
> init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ff006ea..e1cd45f 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -49,6 +49,7 @@
> ##
  • init_script_file()
  • > ##
  • init_script_domain()
  • > ##
  • init_system_domain()
  • > +##
  • files_auth_file()
  • Please use tabs. > ##
  • files_config_files()
  • > ##
  • files_lock_file()
  • > ##
  • files_mountpoint()
  • > @@ -215,6 +216,33 @@ interface(`files_pid_file',` > > ######################################## > ## > +## Make the specified type a > +## authentication file. > +## > +## > +##

> +## Make the specified type an authentication file.
> +## This will also make the type usable for security files, making
> +## calls to files_security_file() redundant.
> +##

    > +##
I don't agree with this assessment. Security files are a superset of authentication files. In fact, I think the interface should likely call files_security_file(). Additionally, this interface is in the wrong module, it should be in the authlogin module, otherwise those interfaces would be breaking encapsulation.
> +##
> +##
> +## Type to be used as a authentication file.
> +##
> +##
> +##
> +#
> +interface(`files_auth_file',`
> + gen_require(`
> + attribute auth_file_type;
> + ')
> + files_security_file($1)
> + typeattribute $1 auth_file_type;
> +')
> +
> +########################################
> +##
> ## Make the specified type a
> ## configuration file.
> ##
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d91c62f..e709b9f 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -334,9 +334,9 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_read_all_dirs_except_shadow(kernel_t)
> - auth_read_all_files_except_shadow(kernel_t)
> - auth_read_all_symlinks_except_shadow(kernel_t)
> + auth_read_all_dirs_except_auth_files(kernel_t)
> + auth_read_all_files_except_auth_files(kernel_t)
> + auth_read_all_symlinks_except_auth_files(kernel_t)
> ')
>
> tunable_policy(`nfs_export_all_rw',`
> @@ -345,7 +345,7 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_manage_all_files_except_shadow(kernel_t)
> + auth_manage_all_files_except_auth_files(kernel_t)
> ')
> ')
>
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index be4de58..2de38b8 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
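Review bot: The `files_auth_file` documentation uses the wrong article in the summary (`Make the specified type a authentication file.`) and in the parameter description (`Type to be used as a authentication file.`); both should read `an authentication file`. It would also help callers to state what the attribute is consumed for, e.g. `Types with this attribute are excluded by the auth_*_except_auth_files() interfaces.`, since that is how auth_file_type is used elsewhere in this patch and nothing in the interface's text says so. The hunk's trailing context is the header of the next interface, which continues outside the hunk.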
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
> mls_file_downgrade(secadm_t)
>
> auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_shadow(secadm_t)
> +auth_relabel_all_files_except_auth_files(secadm_t)
> auth_relabel_shadow(secadm_t)
>
> init_exec(secadm_t)
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 8a74a83..d670c61 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>
> tunable_policy(`allow_ftpd_full_access',`
> allow ftpd_t self:capability { dac_override dac_read_search };
> - auth_manage_all_files_except_shadow(ftpd_t)
> + auth_manage_all_files_except_auth_files(ftpd_t)
> ')
>
> tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
> tunable_policy(`sftpd_full_access',`
> allow sftpd_t self:capability { dac_override dac_read_search };
> fs_read_noxattr_fs_files(sftpd_t)
> - auth_manage_all_files_except_shadow(sftpd_t)
> + auth_manage_all_files_except_auth_files(sftpd_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 64c5f95..1201731 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -132,7 +132,7 @@ sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> tunable_policy(`puppet_manage_all_files',`
> - auth_manage_all_files_except_shadow(puppet_t)
> + auth_manage_all_files_except_auth_files(puppet_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index 00fa514..c013749 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
> #term_use_ptmx(rgmanager_t)
>
> # needed by resources scripts
> -auth_read_all_files_except_shadow(rgmanager_t)
> +auth_read_all_files_except_auth_files(rgmanager_t)
> auth_dontaudit_getattr_shadow(rgmanager_t)
> auth_use_nsswitch(rgmanager_t)
>
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index b1468ed..958dc49 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
> dev_getattr_all_chr_files(nfsd_t)
>
> fs_read_noxattr_fs_files(nfsd_t)
> - auth_manage_all_files_except_shadow(nfsd_t)
> + auth_manage_all_files_except_auth_files(nfsd_t)
> ')
>
> tunable_policy(`nfs_export_all_ro',`
> @@ -170,8 +170,8 @@ tunable_policy(`nfs_export_all_ro',`
>
> fs_read_noxattr_fs_files(nfsd_t)
>
> - auth_read_all_dirs_except_shadow(nfsd_t)
> - auth_read_all_files_except_shadow(nfsd_t)
> + auth_read_all_dirs_except_auth_files(nfsd_t)
> + auth_read_all_files_except_auth_files(nfsd_t)
> ')
>
> ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 39015ae..40463c8 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -125,9 +125,9 @@ tunable_policy(`rsync_export_all_ro',`
> fs_read_noxattr_fs_files(rsync_t)
> fs_read_nfs_files(rsync_t)
> fs_read_cifs_files(rsync_t)
> - auth_read_all_dirs_except_shadow(rsync_t)
> - auth_read_all_files_except_shadow(rsync_t)
> - auth_read_all_symlinks_except_shadow(rsync_t)
> + auth_read_all_dirs_except_auth_files(rsync_t)
> + auth_read_all_files_except_auth_files(rsync_t)
> + auth_read_all_symlinks_except_auth_files(rsync_t)
> auth_tunable_read_shadow(rsync_t)
> ')
> auth_can_read_shadow_passwords(rsync_t)
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index e30bb63..06cc480 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -450,18 +450,18 @@ tunable_policy(`samba_create_home_dirs',`
>
> tunable_policy(`samba_export_all_ro',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_read_all_dirs_except_shadow(smbd_t)
> - auth_read_all_files_except_shadow(smbd_t)
> + auth_read_all_dirs_except_auth_files(smbd_t)
> + auth_read_all_files_except_auth_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_read_all_dirs_except_shadow(nmbd_t)
> - auth_read_all_files_except_shadow(nmbd_t)
> + auth_read_all_dirs_except_auth_files(nmbd_t)
> + auth_read_all_files_except_auth_files(nmbd_t)
> ')
>
> tunable_policy(`samba_export_all_rw',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_manage_all_files_except_shadow(smbd_t)
> + auth_manage_all_files_except_auth_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_manage_all_files_except_shadow(nmbd_t)
> + auth_manage_all_files_except_auth_files(nmbd_t)
> userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
> ')
>
> diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
> index 3d8d1b3..dd82b1c 100644
> --- a/policy/modules/services/snmp.te
> +++ b/policy/modules/services/snmp.te
> @@ -99,7 +99,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t)
> storage_dontaudit_read_removable_device(snmpd_t)
>
> auth_use_nsswitch(snmpd_t)
> -auth_read_all_dirs_except_shadow(snmpd_t)
> +auth_read_all_dirs_except_auth_files(snmpd_t)
>
> init_read_utmp(snmpd_t)
> init_dontaudit_write_utmp(snmpd_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 73554ec..7f224a2 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1169,12 +1169,12 @@ interface(`auth_delete_pam_console_data',`
> ##
> ##
> #
> -interface(`auth_read_all_dirs_except_shadow',`
> +interface(`auth_read_all_dirs_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_read_all_dirs_except($1, $2 -shadow_t)
> + files_read_all_dirs_except($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1195,12 +1195,12 @@ interface(`auth_read_all_dirs_except_shadow',`
> ##
> ##
> #
> -interface(`auth_read_all_files_except_shadow',`
> +interface(`auth_read_all_files_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_read_all_files_except($1, $2 -shadow_t)
> + files_read_all_files_except($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1220,12 +1220,12 @@ interface(`auth_read_all_files_except_shadow',`
> ##
> ##
> #
> -interface(`auth_read_all_symlinks_except_shadow',`
> +interface(`auth_read_all_symlinks_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_read_all_symlinks_except($1, $2 -shadow_t)
> + files_read_all_symlinks_except($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1246,7 +1246,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> ##
> #
>
> -interface(`auth_relabel_all_files_except_shadow',`
> +interface(`auth_relabel_all_files_except_auth_files',`
> gen_require(`
> type shadow_t;
> ')
> @@ -1272,12 +1272,12 @@ interface(`auth_relabel_all_files_except_shadow',`
> ##
> #
>
> -interface(`auth_rw_all_files_except_shadow',`
> +interface(`auth_rw_all_files_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_rw_all_files($1, $2 -shadow_t)
> + files_rw_all_files($1, $2 -auth_file_type)
> ')
>
> ########################################
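Review bot: The renamed `auth_relabel_all_files_except_auth_files` still requires `type shadow_t;` where the four sibling interfaces in this file were switched to `attribute auth_file_type;`, so its name now claims an exclusion its body apparently does not implement; the body lies outside the hunk and presumably still subtracts `-shadow_t`. Either the require block should become `attribute auth_file_type;` with the `files_*` call below it subtracting `auth_file_type` instead of `shadow_t`, or, if relabelling is meant to stay limited to shadow_t, the interface description should say so explicitly. Note that this interface's definition starts inside the hunk and ends outside it.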
> @@ -1298,12 +1298,12 @@ interface(`auth_rw_all_files_except_shadow',`
> ##
> #
>
> -interface(`auth_manage_all_files_except_shadow',`
> +interface(`auth_manage_all_files_except_auth_files,`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_manage_all_files($1, $2 -shadow_t)
> + files_manage_all_files($1, $2 -auth_file_type)
> ')
None of these interface renames are permissible, as it breaks compatibility. You need to add new interfaces, and deprecateto the "except_shadow" interfaces (see libs_use_lib_files() for an example).
> ########################################
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index b7a5f00..00b9e8d 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -1,10 +1,9 @@
> -policy_module(authlogin, 2.2.1)
> -
I don't know why you would be doing this.
> ########################################
> #
> # Declarations
> #
>
> +attribute auth_file_type;
> attribute can_read_shadow_passwords;
> attribute can_write_shadow_passwords;
> attribute can_relabelto_shadow_passwords;
> @@ -50,7 +49,7 @@ type pam_var_run_t;
> files_pid_file(pam_var_run_t)
>
> type shadow_t;
> -files_security_file(shadow_t)
> +files_auth_file(shadow_t)
> neverallow ~can_read_shadow_passwords shadow_t:file read;
> neverallow ~can_write_shadow_passwords shadow_t:file { create write };
> neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 15832c7..66aa503 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
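Review bot: The opening line of the renamed manage interface is missing the closing m4 quote after the name: it reads interface(`auth_manage_all_files_except_auth_files,` whereas the rw interface in the preceding hunk and every other definition in this file use the name',` form, so it should be interface(`auth_manage_all_files_except_auth_files',`. With the quote unbalanced the name and the body become one quoted argument and the module is very likely to fail to build, and this is the interface most of the callers touched by this patch now use. In the authlogin.te hunk on the same line, the three `neverallow` rules still target `shadow_t` alone, so any further type given `files_auth_file()` would be excluded by the read/manage interfaces but not covered by the neverallows; if that asymmetry is intended it deserves a comment beside `attribute auth_file_type;`, otherwise the rules could target `auth_file_type`.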
> @@ -142,8 +142,8 @@ ifdef(`distro_ubuntu',`
> ')
>
> tunable_policy(`allow_mount_anyfile',`
> - auth_read_all_dirs_except_shadow(mount_t)
> - auth_read_all_files_except_shadow(mount_t)
> + auth_read_all_dirs_except_auth_files(mount_t)
> + auth_read_all_files_except_auth_files(mount_t)
> files_mounton_non_security(mount_t)
> ')
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 7ed9819..bef1885 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -323,8 +323,8 @@ selinux_compute_create_context(restorecond_t)
> selinux_compute_relabel_context(restorecond_t)
> selinux_compute_user_contexts(restorecond_t)
>
> -auth_relabel_all_files_except_shadow(restorecond_t )
> -auth_read_all_files_except_shadow(restorecond_t)
> +auth_relabel_all_files_except_auth_files(restorecond_t )
> +auth_read_all_files_except_auth_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> locallogin_dontaudit_use_fds(restorecond_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 4b2878a..a64b4e0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1133,9 +1133,9 @@ template(`userdom_admin_user_template',`
>
> auth_getattr_shadow($1_t)
> # Manage almost all files
> - auth_manage_all_files_except_shadow($1_t)
> + auth_manage_all_files_except_auth_files($1_t)
> # Relabel almost all files
> - auth_relabel_all_files_except_shadow($1_t)
> + auth_relabel_all_files_except_auth_files($1_t)
>
> init_telinit($1_t)
>
> @@ -1223,7 +1223,7 @@ template(`userdom_security_admin_template',`
> selinux_set_all_booleans($1)
> selinux_set_parameters($1)
>
> - auth_relabel_all_files_except_shadow($1)
> + auth_relabel_all_files_except_auth_files($1)
> auth_relabel_shadow($1)
>
> init_exec($1)
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com