From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 27 Mar 2012 16:31:31 -0400
Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?
In-Reply-To: <20120327192447.GA2101@siphos.be>
References: <20120327192447.GA2101@siphos.be>
Message-ID: <4F7223A3.9090409@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/27/2012 03:24 PM, Sven Vermeulen wrote:
> In Gentoo, we notice that recent shadow package (version 4.1.5) has a change in behavior for changing account information through chsh. Although the application only edits /etc/passwd entries, it now uses the /etc/.pwd.lock file to prevent concurrent changes to the /etc/passwd (and other account-related files).
> 
> In the current policy however, /etc/.pwd.lock is marked as shadow_t, so the chsh application (running in chfn_t) does not have the proper privileges to work on this. As a result, it fails to update /etc/passwd entries.
> 
> As I'm not going to give it read/write access to shadow_t files, one other possibility would be to mark /etc/.pwd.lock as etc_t. But I can imagine that it was given shadow_t on purpose previously, probably to prevent a malicious program (that has write access to etc_t) to update the lock file so concurrent write operations on /etc/shadow could result in corruption...
> 
> Another solution would be to patch chsh itself to use a different lock file, but unless it's accepted upstream, it's only a "local" remedy.
> 
> A third solution would be to create and use a different type for it, like etc_auth_lock_t or whatever imagination can bring to life, and update the policies of all domains that need access to it towards it.
> 
> Any thoughts on this?
> 
> Wkr, Sven Vermeulen
> 
> _______________________________________________ refpolicy mailing list refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
Being able to write to etc_t is basically the same as being able to write to shadow_t, if /etc/passwd is labeled as etc_t.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9yI6MACgkQrlYvE4MpobPOegCg6i+NN+phGriaJl5W4/5N9xB5
16EAn27LFy9tO/aO+UEw5HXIjjrmqNHX
=oEnZ
-----END PGP SIGNATURE-----