From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 27 Mar 2012 16:31:31 -0400
Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?
In-Reply-To: <20120327192447.GA2101@siphos.be>
References: <20120327192447.GA2101@siphos.be>
Message-ID: <4F7223A3.9090409@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/27/2012 03:24 PM, Sven Vermeulen wrote:
> In Gentoo, we notice that the recent shadow package (version 4.1.5) has a
> change in behavior for changing account information through chsh. Although
> the application only edits /etc/passwd entries, it now uses the
> /etc/.pwd.lock file to prevent concurrent changes to /etc/passwd (and
> other account-related files).
>
> In the current policy, however, /etc/.pwd.lock is marked as shadow_t, so
> the chsh application (running in chfn_t) does not have the proper
> privileges to work on this. As a result, it fails to update /etc/passwd
> entries.
>
> As I'm not going to give it read/write access to shadow_t files, one other
> possibility would be to mark /etc/.pwd.lock as etc_t. But I can imagine
> that it was given shadow_t on purpose previously, probably to prevent a
> malicious program (that has write access to etc_t) from updating the lock
> file so that concurrent write operations on /etc/shadow could result in
> corruption...
>
> Another solution would be to patch chsh itself to use a different lock
> file, but unless it's accepted upstream, it's only a "local" remedy.
>
> A third solution would be to create and use a different type for it, like
> etc_auth_lock_t or whatever imagination can bring to life, and update the
> policies of all domains that need access to it towards it.
>
> Any thoughts on this?
>
> Wkr,
> 	Sven Vermeulen

Being able to write to etc_t is basically the same as being able to write to
shadow_t, if /etc/passwd is labeled as etc_t.
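For readers who want to see what Sven's third option looks like in policy, the fragment below is an added example written for this page; it is not refpolicy's own code and was not posted by either participant. It introduces a dedicated type for the lock file and grants it to chfn_t without touching shadow_t. The type name etc_auth_lock_t (Sven's suggestion) and the interface name auth_rw_shadow_lock are assumed; the files_* interfaces are refpolicy's, but check their exact signatures (in particular the named file transition) against the refpolicy tree you are building.

```selinux
# Added example, not refpolicy's own code.  Type name etc_auth_lock_t and
# interface name auth_rw_shadow_lock are assumed for illustration.

# --- policy/modules/system/authlogin.fc ---
# Label the lock file with its own type instead of shadow_t.
/etc/\.pwd\.lock	--	gen_context(system_u:object_r:etc_auth_lock_t,s0)

# --- policy/modules/system/authlogin.te ---
# A plain file type: not etc_t, so a domain that may write etc_t gets no
# access to it by accident, and not shadow_t, so granting it does not also
# expose password hashes.
type etc_auth_lock_t;
files_type(etc_auth_lock_t)

# --- policy/modules/system/authlogin.if ---
########################################
## <summary>
##	Read, write and lock the file that serializes updates to the
##	account databases (/etc/.pwd.lock).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_rw_shadow_lock',`
	gen_require(`
		type etc_auth_lock_t;
	')

	files_search_etc($1)
	# rw_file_perms already carries the "lock" permission that glibc's
	# lckpwdf() needs for its fcntl() write lock; "create" is added
	# because lckpwdf() opens the file with O_CREAT and it may not
	# exist yet on a fresh system.
	allow $1 etc_auth_lock_t:file { create rw_file_perms };
	# Assumed signature: give a freshly created /etc/.pwd.lock the new
	# type instead of letting it inherit etc_t from the directory.
	files_etc_filetrans($1, etc_auth_lock_t, file, ".pwd.lock")
')

# --- policy/modules/admin/usermanage.te ---
# chsh runs in chfn_t.  It gets only the lock file, still no shadow_t.
auth_rw_shadow_lock(chfn_t)
```

Two things to check after building such a change. First, every domain that previously reached the lock file through its shadow_t access (passwd, useradd, chage and the like) now needs the new interface call as well, otherwise relabelling /etc/.pwd.lock breaks them; `sesearch -A -t shadow_t -c file -p write` on the old policy lists the candidates. Second, the separation only holds as long as no domain that may write etc_t is also given etc_auth_lock_t; if such a domain exists, Dan's point applies and the extra type buys nothing. Relabel the file with `restorecon -v /etc/.pwd.lock` and confirm with `ls -Z /etc/.pwd.lock` before testing chsh.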