From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 28 Mar 2012 13:15:58 -0400
Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?
In-Reply-To: <20120328165245.GA3116@siphos.be>
References: <20120327192447.GA2101@siphos.be> <4F7223A3.9090409@redhat.com> <20120328165245.GA3116@siphos.be>
Message-ID: <4F73474E.9010306@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/28/2012 12:52 PM, Sven Vermeulen wrote:
> On Tue, Mar 27, 2012 at 04:31:31PM -0400, Daniel J Walsh wrote:
>> Being able to write to etc_t is basically the same as being able to write to shadow_t, if /etc/passwd is labeled as etc_t.
>
> How's that? The passwd file is labeled as etc_t, shadow is labeled as shadow_t. And apparently, .pwd.lock is labeled as shadow_t as well currently.
>
> I'm pretty sure domains with write privileges to etc_t cannot write to shadow_t...
>
> Wkr,
> Sven Vermeulen

_______________________________________________
refpolicy mailing list
refpolicy at oss.tresys.com
http://oss.tresys.com/mailman/listinfo/refpolicy

Because I can write an /etc/passwd file entry to allow me to login to root without a password, and then just use a login program to login as root, probably running as a role of sysadmin_t or unconfined_t.
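The point Dan makes is that /etc/passwd is trusted by login even when its password field is not the shadow indirection "x": an empty field means no password is asked for, and a literal hash in the field is checked without consulting /etc/shadow at all, so write access to etc_t is effectively write access to the authentication database. The following audit is an added example, not code from this thread or from refpolicy; the /etc/passwd sample lines (including the planted "toor" and "backup" entries) are constructed, and the function names are my own. It flags the conditions a defender would want to catch on a host where etc_t is writable by more domains than shadow_t.

```python
"""Audit /etc/passwd content for entries that bypass /etc/shadow.

Added example (not from the refpolicy thread). The sample below is
constructed: a planted uid-0 account with an empty password field and a
service account whose hash sits directly in passwd instead of shadow.
"""

# Constructed sample of /etc/passwd content, not taken from any real host.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sven:x:1000:1000:Sven:/home/sven:/bin/bash
toor::0:0:planted:/root:/bin/bash
backup:$6$abc$hash:34:34:backup:/var/backups:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Split passwd text into per-entry dicts, keeping malformed lines visible."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "user": fields[0], "malformed": True})
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": lineno,
            "user": user,
            "pw": pw,
            "uid": int(uid) if uid.isdigit() else None,
            "shell": shell,
            "malformed": False,
        })
    return entries


def audit_passwd(text):
    """Return (line, user, reason) tuples for entries that weaken shadow protection.

    Conditions flagged:
      - empty password field: login succeeds with no password at all;
      - a value other than "x" or a lock marker ("*", "!"): a hash stored in
        passwd is verified without /etc/shadow, so etc_t write == credential write;
      - any uid 0 account other than root.
    """
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["line"], e["user"], "malformed entry"))
            continue
        pw = e["pw"]
        if pw == "":
            findings.append((e["line"], e["user"],
                             "empty password field: login without a password"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            findings.append((e["line"], e["user"],
                             "password hash stored in passwd, bypasses shadow"))
        if e["uid"] == 0 and e["user"] != "root":
            findings.append((e["line"], e["user"], "additional uid 0 account"))
    return findings


if __name__ == "__main__":
    for line, user, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line}: {user}: {reason}")
```

Run against the real file with `audit_passwd(open("/etc/passwd").read())`; on a healthy system every entry should carry "x" or a lock marker, and the only uid 0 entry should be root. The SELinux side of Dan's argument (whether the domain that can write etc_t should also be allowed to touch .pwd.lock) is a policy question this check does not answer; it only tells you whether the passwd file currently contains something that would make an etc_t write equivalent to a shadow_t write.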