From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 27 Mar 2012 21:24:47 +0200 Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ? Message-ID: <20120327192447.GA2101@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com In Gentoo, we notice that recent shadow package (version 4.1.5) has a change in behavior for changing account information through chsh. Although the application only edits /etc/passwd entries, it now uses the /etc/.pwd.lock file to prevent concurrent changes to the /etc/passwd (and other account-related files). In the current policy however, /etc/.pwd.lock is marked as shadow_t, so the chsh application (running in chfn_t) does not have the proper privileges to work on this. As a result, it fails to update /etc/passwd entries. As I'm not going to give it read/write access to shadow_t files, one other possibility would be to mark /etc/.pwd.lock as etc_t. But I can imagine that it was given shadow_t on purpose previously, probably to prevent a malicious program (that has write access to etc_t) to update the lock file so concurrent write operations on /etc/shadow could result in corruption... Another solution would be to patch chsh itself to use a different lock file, but unless it's accepted upstream, it's only a "local" remedy. A third solution would be to create and use a different type for it, like etc_auth_lock_t or whatever imagination can bring to life, and update the policies of all domains that need access to it towards it. Any thoughts on this? Wkr, Sven Vermeulen