From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 6 Jul 2011 09:48:57 -0400
Subject: [refpolicy] [Fwd: SSSD Local Auth and SELinux support]
In-Reply-To: <1309897035.29086.4.camel@home.localdomain>
References: <1309897035.29086.4.camel@home.localdomain>
Message-ID: <4E1467C9.2090403@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 07/05/11 16:17, Matthew Ife wrote:
> This is an email I forwarded to the F15 selinux policy mailing list.
>
> As suggested, I forward the email and the attached patch which attempts
> to resolve what I discussed.
>
> If you have any questions please let me know. This was a patch applied
> to refpolicy.
If we're looking to go down this road, then we have to consider other
sources of authentication, such as nis, kerberos, and samba/winbind.
This may cause problems with package managers trying to
install/initialize the database for the first time, which is a concern.
There are a few problems (see inline):
> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 6776b69..9f36e81 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
> # for installing kernel packages
> storage_raw_read_fixed_disk(dpkg_t)
>
> -auth_relabel_all_files_except_shadow(dpkg_t)
> -auth_manage_all_files_except_shadow(dpkg_t)
> +auth_relabel_all_files_except_auth_files(dpkg_t)
> +auth_manage_all_files_except_auth_files(dpkg_t)
> auth_dontaudit_read_shadow(dpkg_t)
>
> files_exec_etc_files(dpkg_t)
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>
> auth_dontaudit_getattr_shadow(dpkg_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_shadow(dpkg_script_t)
> +auth_manage_all_files_except_auth_files(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 9a2c2a1..0f27b1c 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -170,9 +170,9 @@ interface(`portage_compile_domain',`
> # needed for merging dbus:
> selinux_compute_access_vector($1)
>
> - auth_read_all_dirs_except_shadow($1)
> - auth_read_all_files_except_shadow($1)
> - auth_read_all_symlinks_except_shadow($1)
> + auth_read_all_dirs_except_auth_files($1)
> + auth_read_all_files_except_auth_files($1)
> + auth_read_all_symlinks_except_auth_files($1)
>
> libs_exec_lib_files($1)
> # some config scripts use ldd
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 47a8f7d..489d499 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>
> term_list_ptys(rpm_t)
>
> -auth_relabel_all_files_except_shadow(rpm_t)
> -auth_manage_all_files_except_shadow(rpm_t)
> +auth_relabel_all_files_except_auth_files(rpm_t)
> +auth_manage_all_files_except_auth_files(rpm_t)
> auth_dontaudit_read_shadow(rpm_t)
> auth_use_nsswitch(rpm_t)
>
> @@ -304,7 +304,7 @@ term_use_all_terms(rpm_script_t)
> auth_dontaudit_getattr_shadow(rpm_script_t)
> auth_use_nsswitch(rpm_script_t)
> # ideally we would not need this
> -auth_manage_all_files_except_shadow(rpm_script_t)
> +auth_manage_all_files_except_auth_files(rpm_script_t)
> auth_relabel_shadow(rpm_script_t)
>
> corecmd_exec_all_executables(rpm_script_t)
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index fe1c377..775e5b1 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>
> # some config files do not have configfile attribute
> # sosreport needs to read various files on system
> -auth_read_all_files_except_shadow(sosreport_t)
> +auth_read_all_files_except_auth_files(sosreport_t)
> auth_use_nsswitch(sosreport_t)
>
> init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index d5aaf0e..c1eefd5 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>
> term_dontaudit_use_console(sxid_t)
>
> -auth_read_all_files_except_shadow(sxid_t)
> +auth_read_all_files_except_auth_files(sxid_t)
> auth_dontaudit_getattr_shadow(sxid_t)
>
> init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ff006ea..e1cd45f 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -49,6 +49,7 @@
> ##
init_script_file()
> ## init_script_domain()
> ## init_system_domain()
> +## files_auth_file()
Please use tabs.
> ## files_config_files()
> ## files_lock_file()
> ## files_mountpoint()
> @@ -215,6 +216,33 @@ interface(`files_pid_file',`
>
> ########################################
> ##
> +## Make the specified type a
> +## authentication file.
> +##
> +##
> +##
> +## Make the specified type an authentication file.
> +## This will also make the type usable for security files, making
> +## calls to files_security_file() redundant.
> +##
> +##
I don't agree with this assessment. Security files are a superset of
authentication files. In fact, I think the interface should likely call
files_security_file(). Additionally, this interface is in the wrong
module, it should be in the authlogin module, otherwise those interfaces
would be breaking encapsulation.
> +##
> +##
> +## Type to be used as a authentication file.
> +##
> +##
> +##
> +#
> +interface(`files_auth_file',`
> + gen_require(`
> + attribute auth_file_type;
> + ')
> + files_security_file($1)
> + typeattribute $1 auth_file_type;
> +')
> +
> +########################################
> +##
> ## Make the specified type a
> ## configuration file.
> ##
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d91c62f..e709b9f 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -334,9 +334,9 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_read_all_dirs_except_shadow(kernel_t)
> - auth_read_all_files_except_shadow(kernel_t)
> - auth_read_all_symlinks_except_shadow(kernel_t)
> + auth_read_all_dirs_except_auth_files(kernel_t)
> + auth_read_all_files_except_auth_files(kernel_t)
> + auth_read_all_symlinks_except_auth_files(kernel_t)
> ')
>
> tunable_policy(`nfs_export_all_rw',`
> @@ -345,7 +345,7 @@ optional_policy(`
> fs_read_noxattr_fs_files(kernel_t)
> fs_read_noxattr_fs_symlinks(kernel_t)
>
> - auth_manage_all_files_except_shadow(kernel_t)
> + auth_manage_all_files_except_auth_files(kernel_t)
> ')
> ')
>
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index be4de58..2de38b8 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
> mls_file_downgrade(secadm_t)
>
> auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_shadow(secadm_t)
> +auth_relabel_all_files_except_auth_files(secadm_t)
> auth_relabel_shadow(secadm_t)
>
> init_exec(secadm_t)
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 8a74a83..d670c61 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>
> tunable_policy(`allow_ftpd_full_access',`
> allow ftpd_t self:capability { dac_override dac_read_search };
> - auth_manage_all_files_except_shadow(ftpd_t)
> + auth_manage_all_files_except_auth_files(ftpd_t)
> ')
>
> tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
> tunable_policy(`sftpd_full_access',`
> allow sftpd_t self:capability { dac_override dac_read_search };
> fs_read_noxattr_fs_files(sftpd_t)
> - auth_manage_all_files_except_shadow(sftpd_t)
> + auth_manage_all_files_except_auth_files(sftpd_t)
> ')
>
> tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 64c5f95..1201731 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -132,7 +132,7 @@ sysnet_dns_name_resolve(puppet_t)
> sysnet_run_ifconfig(puppet_t, system_r)
>
> tunable_policy(`puppet_manage_all_files',`
> - auth_manage_all_files_except_shadow(puppet_t)
> + auth_manage_all_files_except_auth_files(puppet_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index 00fa514..c013749 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
> #term_use_ptmx(rgmanager_t)
>
> # needed by resources scripts
> -auth_read_all_files_except_shadow(rgmanager_t)
> +auth_read_all_files_except_auth_files(rgmanager_t)
> auth_dontaudit_getattr_shadow(rgmanager_t)
> auth_use_nsswitch(rgmanager_t)
>
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index b1468ed..958dc49 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
> dev_getattr_all_chr_files(nfsd_t)
>
> fs_read_noxattr_fs_files(nfsd_t)
> - auth_manage_all_files_except_shadow(nfsd_t)
> + auth_manage_all_files_except_auth_files(nfsd_t)
> ')
>
> tunable_policy(`nfs_export_all_ro',`
> @@ -170,8 +170,8 @@ tunable_policy(`nfs_export_all_ro',`
>
> fs_read_noxattr_fs_files(nfsd_t)
>
> - auth_read_all_dirs_except_shadow(nfsd_t)
> - auth_read_all_files_except_shadow(nfsd_t)
> + auth_read_all_dirs_except_auth_files(nfsd_t)
> + auth_read_all_files_except_auth_files(nfsd_t)
> ')
>
> ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 39015ae..40463c8 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -125,9 +125,9 @@ tunable_policy(`rsync_export_all_ro',`
> fs_read_noxattr_fs_files(rsync_t)
> fs_read_nfs_files(rsync_t)
> fs_read_cifs_files(rsync_t)
> - auth_read_all_dirs_except_shadow(rsync_t)
> - auth_read_all_files_except_shadow(rsync_t)
> - auth_read_all_symlinks_except_shadow(rsync_t)
> + auth_read_all_dirs_except_auth_files(rsync_t)
> + auth_read_all_files_except_auth_files(rsync_t)
> + auth_read_all_symlinks_except_auth_files(rsync_t)
> auth_tunable_read_shadow(rsync_t)
> ')
> auth_can_read_shadow_passwords(rsync_t)
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index e30bb63..06cc480 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -450,18 +450,18 @@ tunable_policy(`samba_create_home_dirs',`
>
> tunable_policy(`samba_export_all_ro',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_read_all_dirs_except_shadow(smbd_t)
> - auth_read_all_files_except_shadow(smbd_t)
> + auth_read_all_dirs_except_auth_files(smbd_t)
> + auth_read_all_files_except_auth_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_read_all_dirs_except_shadow(nmbd_t)
> - auth_read_all_files_except_shadow(nmbd_t)
> + auth_read_all_dirs_except_auth_files(nmbd_t)
> + auth_read_all_files_except_auth_files(nmbd_t)
> ')
>
> tunable_policy(`samba_export_all_rw',`
> fs_read_noxattr_fs_files(smbd_t)
> - auth_manage_all_files_except_shadow(smbd_t)
> + auth_manage_all_files_except_auth_files(smbd_t)
> fs_read_noxattr_fs_files(nmbd_t)
> - auth_manage_all_files_except_shadow(nmbd_t)
> + auth_manage_all_files_except_auth_files(nmbd_t)
> userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
> ')
>
> diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
> index 3d8d1b3..dd82b1c 100644
> --- a/policy/modules/services/snmp.te
> +++ b/policy/modules/services/snmp.te
> @@ -99,7 +99,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t)
> storage_dontaudit_read_removable_device(snmpd_t)
>
> auth_use_nsswitch(snmpd_t)
> -auth_read_all_dirs_except_shadow(snmpd_t)
> +auth_read_all_dirs_except_auth_files(snmpd_t)
>
> init_read_utmp(snmpd_t)
> init_dontaudit_write_utmp(snmpd_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 73554ec..7f224a2 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1169,12 +1169,12 @@ interface(`auth_delete_pam_console_data',`
> ##
> ##
> #
> -interface(`auth_read_all_dirs_except_shadow',`
> +interface(`auth_read_all_dirs_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_read_all_dirs_except($1, $2 -shadow_t)
> + files_read_all_dirs_except($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1195,12 +1195,12 @@ interface(`auth_read_all_dirs_except_shadow',`
> ##
> ##
> #
> -interface(`auth_read_all_files_except_shadow',`
> +interface(`auth_read_all_files_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_read_all_files_except($1, $2 -shadow_t)
> + files_read_all_files_except($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1220,12 +1220,12 @@ interface(`auth_read_all_files_except_shadow',`
> ##
> ##
> #
> -interface(`auth_read_all_symlinks_except_shadow',`
> +interface(`auth_read_all_symlinks_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_read_all_symlinks_except($1, $2 -shadow_t)
> + files_read_all_symlinks_except($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1246,7 +1246,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
> ##
> #
>
> -interface(`auth_relabel_all_files_except_shadow',`
> +interface(`auth_relabel_all_files_except_auth_files',`
> gen_require(`
> type shadow_t;
> ')
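Review bot: auth_relabel_all_files_except_auth_files keeps `type shadow_t;` in its gen_require while every other interface renamed in this file switches to `attribute auth_file_type;`, so its body — which continues below the hunk — presumably still subtracts only shadow_t and the rename does not change what it excludes. If relabeling is meant to stop at every authentication file, the require should become `attribute auth_file_type;` and the exclusion in the body should use `-auth_file_type` like the read/rw/manage variants; if not, the name is misleading. The interface body is outside the hunk.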
> @@ -1272,12 +1272,12 @@ interface(`auth_relabel_all_files_except_shadow',`
> ##
> #
>
> -interface(`auth_rw_all_files_except_shadow',`
> +interface(`auth_rw_all_files_except_auth_files',`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_rw_all_files($1, $2 -shadow_t)
> + files_rw_all_files($1, $2 -auth_file_type)
> ')
>
> ########################################
> @@ -1298,12 +1298,12 @@ interface(`auth_rw_all_files_except_shadow',`
> ##
> #
>
> -interface(`auth_manage_all_files_except_shadow',`
> +interface(`auth_manage_all_files_except_auth_files,`
> gen_require(`
> - type shadow_t;
> + attribute auth_file_type;
> ')
>
> - files_manage_all_files($1, $2 -shadow_t)
> + files_manage_all_files($1, $2 -auth_file_type)
> ')
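Review bot: The renamed declaration `interface(`auth_manage_all_files_except_auth_files,`` is missing the closing quote after the interface name, whereas every other declaration in this series ends the name with `',`. Without it m4 does not terminate the quoted name where intended, so this interface will very likely fail to expand and the module will not build. It should read `interface(`auth_manage_all_files_except_auth_files',`.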
None of these interface renames are permissible, as it breaks
compatibility. You need to add new interfaces, and deprecate the
"except_shadow" interfaces (see libs_use_lib_files() for an example).
> ########################################
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index b7a5f00..00b9e8d 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -1,10 +1,9 @@
> -policy_module(authlogin, 2.2.1)
> -
I don't know why you would be doing this.
> ########################################
> #
> # Declarations
> #
>
> +attribute auth_file_type;
> attribute can_read_shadow_passwords;
> attribute can_write_shadow_passwords;
> attribute can_relabelto_shadow_passwords;
> @@ -50,7 +49,7 @@ type pam_var_run_t;
> files_pid_file(pam_var_run_t)
>
> type shadow_t;
> -files_security_file(shadow_t)
> +files_auth_file(shadow_t)
> neverallow ~can_read_shadow_passwords shadow_t:file read;
> neverallow ~can_write_shadow_passwords shadow_t:file { create write };
> neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
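Review bot: The three neverallow rules in this hunk still name shadow_t only, while the new auth_file_type attribute declared in the previous hunk of this file is what the *_except_auth_files interfaces now subtract. Any further type given files_auth_file() is therefore hidden from the blanket read/manage interfaces but receives none of the neverallow guarantees shadow_t has, which is weaker protection than the "authentication file" name suggests. Whether that asymmetry is intended should be stated next to the declaration, e.g. `# auth_file_type: only excluded from the auth_*_except_auth_files interfaces; the shadow_t neverallows do not extend to it`.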
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 15832c7..66aa503 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -142,8 +142,8 @@ ifdef(`distro_ubuntu',`
> ')
>
> tunable_policy(`allow_mount_anyfile',`
> - auth_read_all_dirs_except_shadow(mount_t)
> - auth_read_all_files_except_shadow(mount_t)
> + auth_read_all_dirs_except_auth_files(mount_t)
> + auth_read_all_files_except_auth_files(mount_t)
> files_mounton_non_security(mount_t)
> ')
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 7ed9819..bef1885 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -323,8 +323,8 @@ selinux_compute_create_context(restorecond_t)
> selinux_compute_relabel_context(restorecond_t)
> selinux_compute_user_contexts(restorecond_t)
>
> -auth_relabel_all_files_except_shadow(restorecond_t )
> -auth_read_all_files_except_shadow(restorecond_t)
> +auth_relabel_all_files_except_auth_files(restorecond_t )
> +auth_read_all_files_except_auth_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> locallogin_dontaudit_use_fds(restorecond_t)
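Review bot: The stray space in `auth_relabel_all_files_except_auth_files(restorecond_t )` is carried over from the removed line; since the line is rewritten anyway, drop it so it matches the call right below it: `auth_relabel_all_files_except_auth_files(restorecond_t)`.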
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 4b2878a..a64b4e0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1133,9 +1133,9 @@ template(`userdom_admin_user_template',`
>
> auth_getattr_shadow($1_t)
> # Manage almost all files
> - auth_manage_all_files_except_shadow($1_t)
> + auth_manage_all_files_except_auth_files($1_t)
> # Relabel almost all files
> - auth_relabel_all_files_except_shadow($1_t)
> + auth_relabel_all_files_except_auth_files($1_t)
>
> init_telinit($1_t)
>
> @@ -1223,7 +1223,7 @@ template(`userdom_security_admin_template',`
> selinux_set_all_booleans($1)
> selinux_set_parameters($1)
>
> - auth_relabel_all_files_except_shadow($1)
> + auth_relabel_all_files_except_auth_files($1)
> auth_relabel_shadow($1)
>
> init_exec($1)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com