From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 21 Aug 2013 09:29:12 -0400
Subject: [refpolicy] [PATCH 1/1] Allow su to get selinux mount info
In-Reply-To: <20130815121952.GA18165@siphos.be>
References: <20130815121952.GA18165@siphos.be>
Message-ID: <5214C0A8.4050603@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/15/2013 08:19 AM, Sven Vermeulen wrote:
> While trying to authenticate using "su", the authentication fails with the
> following error:
>
> ~$ su -
> su: Authentication service cannot retrieve authentication info
>
> In the audit log, we notice the following denial (after disabling dontaudits):
>
> type=AVC msg=audit(1376567915.011:8005): avc: denied { getattr } for
> pid=10640 comm="su" name="/" dev="selinuxfs" ino=1
> scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t
> tclass=filesystem
>
> Allowing selinux_get_fs_mount() against $1_su_t is enough for su to succeed
> again.
>
> This is probably specific to Gentoo so using an ifdef(`distro_gentoo',`...')
> block.

My suspicion is that this is from pam_unix.so, so is probably not specific
to Gentoo. If so, we should probably use seutil_libselinux_linked().

This also made me think that we should consider making an authlogin
interface, something like auth_use_pam_unix() so we can gather all these
accesses that are due to the pam config, rather than having them scattered
among the domains that use PAM.

> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/admin/su.if | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
> index 03ec5ca..db7940c 100644
> --- a/policy/modules/admin/su.if
> +++ b/policy/modules/admin/su.if
> @@ -91,6 +91,10 @@ template(`su_restricted_domain_template', ` > > miscfiles_read_localization($1_su_t) > > + ifdef(`distro_gentoo',` > + selinux_get_fs_mount($1_su_t) > + ') > + > ifdef(`distro_redhat',` > # RHEL5 and possibly newer releases incl. Fedora > auth_domtrans_upd_passwd($1_su_t) > @@ -233,6 +237,10 @@ template(`su_role_template',` > userdom_use_user_terminals($1_su_t) > userdom_search_user_home_dirs($1_su_t) > > + ifdef(`distro_gentoo',` > + selinux_get_fs_mount($1_su_t) > + ') > + > ifdef(`distro_redhat',` > # RHEL5 and possibly newer releases incl. Fedora > auth_domtrans_upd_passwd($1_su_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
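Review bot: the ifdef(`distro_gentoo',...) guard around selinux_get_fs_mount($1_su_t) in the su_restricted_domain_template hunk is too narrow for the denial it is meant to fix. The AVC shows comm="su" doing getattr on the selinuxfs root (tclass=filesystem, tcontext type security_t), and the reply above suspects this comes from pam_unix.so, which is not a Gentoo-only component; on that reading every distro whose su is built against PAM with libselinux will hit the same denial and the Gentoo-only block leaves them broken. Drop the ifdef and call selinux_get_fs_mount($1_su_t) unconditionally, or use seutil_libselinux_linked($1_su_t) as the reply suggests, so the rule sits next to the other unconditional calls such as miscfiles_read_localization($1_su_t) rather than beside the distro_redhat block.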
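Review bot: the su_role_template hunk repeats the su_restricted_domain_template hunk verbatim (same ifdef(`distro_gentoo',...) wrapper, same selinux_get_fs_mount($1_su_t) call, same placement just before the distro_redhat block), so the two templates now carry a copy each of a rule that must stay in sync. Whichever interface is settled on (selinux_get_fs_mount, seutil_libselinux_linked, or an authlogin-level auth_use_pam_unix() as floated in the reply), apply the same unguarded call in both templates in this patch, and prefer the shared interface so the PAM-driven accesses live in one place instead of being duplicated across every template that spawns a su domain.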
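The thread's diagnosis (read the AVC denial, work out which type/class/permission is missing, map it to the refpolicy interface that grants it, and parameterise the domain as $1_su_t so the fix lands in the su.if template) is the routine a policy maintainer runs by hand. The following is an added example that automates that routine; it is not code from the refpolicy project or from either author of the thread. The first sample audit line is the one quoted above; the second is constructed to exercise multi-permission and MLS-labelled denials. The body attributed to selinux_get_fs_mount() (allow $1 security_t:filesystem getattr) is the editor's recollection of refpolicy's selinux.if and is an assumption here, as is the small interface table built from it.

```python
"""Parse SELinux AVC denials and derive the policy change they call for.

Added example, not refpolicy code. INTERFACE_RULES is an assumption
about what refpolicy's selinux_get_fs_mount() grants; check it against
policy/modules/kernel/selinux.if before relying on it.
"""
import re

# "avc:  denied  { getattr } for  pid=... comm="su" ..." (audit.log spacing varies)
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
# key=value pairs; values may be double-quoted (comm="su", name="/")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Line quoted in the thread (copied verbatim).
SAMPLE = ('type=AVC msg=audit(1376567915.011:8005): avc: denied { getattr } for '
          'pid=10640 comm="su" name="/" dev="selinuxfs" ino=1 '
          'scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t '
          'tclass=filesystem')

# Assumed interface bodies: name -> [(target type, object class, permissions)].
INTERFACE_RULES = {
    "selinux_get_fs_mount": [("security_t", "filesystem", {"getattr"})],
}


def context_type(ctx):
    """user:role:type[:level] -> type. The MLS level, if present, is ignored."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Return the denial as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": sorted(m.group("perms").split()),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
    }


def allow_rule(denial):
    """Raw TE rule that would silence the denial (the audit2allow-style answer)."""
    perms = denial["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (denial["source"], denial["target"],
                                   denial["tclass"], perm_str)


def interfaces_covering(denial):
    """Known interfaces whose rules grant every denied permission on that target."""
    need = set(denial["perms"])
    found = []
    for name, rules in INTERFACE_RULES.items():
        granted = set()
        for ttype, tclass, perms in rules:
            if ttype == denial["target"] and tclass == denial["tclass"]:
                granted |= perms
        if need <= granted:
            found.append(name)
    return sorted(found)


def suggest_fix(denial):
    """Interface call to add to the policy, or None if no known interface fits.

    su.if creates its domains from a template as $1_su_t (staff_su_t,
    sysadm_su_t, ...), so a fix for one concrete su domain belongs in the
    template under the parameter name, not against staff_su_t alone.
    """
    candidates = interfaces_covering(denial)
    if not candidates:
        return None
    src = denial["source"]
    if src.endswith("_su_t"):
        src = "$1_su_t"
    return "%s(%s)" % (candidates[0], src)


if __name__ == "__main__":
    d = parse_avc(SAMPLE)
    print(allow_rule(d))    # raw rule, as audit2allow would print it
    print(suggest_fix(d))   # refpolicy-style fix for su.if
```

Run against the quoted line this yields `allow staff_su_t security_t:filesystem getattr;` as the raw rule and `selinux_get_fs_mount($1_su_t)` as the template-level fix, which is exactly the call the patch adds. Two practical caveats: the denial only shows up after dontaudit rules are disabled (`semodule -DB` on a refpolicy-based system), and a raw allow rule generated this way is a diagnostic, not a policy change; the interface lookup is what turns it into something that belongs in su.if.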