From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 21 Apr 2017 15:33:50 +0200
Subject: [refpolicy] [PATCH] login related stuff take 2
In-Reply-To: <20170421124848.GB2335@julius>
References: <20170421091025.kwn5wmevhmoyidj3@athena.coker.com.au> <201704212238.06684.russell@coker.com.au> <20170421124246.GA2335@julius> <20170421124848.GB2335@julius>
Message-ID: <81B0E11D-B5E5-41C6-BFF8-91699B40E271@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It doesn't have a PAM configuration file for the simple reason that it doesn't use PAM...

I am now testing the other permissions, it should be easier and safer than just speculating on the possible behavior. I am getting a very different behavior!

Will get back shortly.

Regards,

Guido

On the 21st April 2017 14:48:48 CEST, Dominick Grift via refpolicy wrote:
>On Fri, Apr 21, 2017 at 02:42:46PM +0200, Dominick Grift wrote:
>> On Fri, Apr 21, 2017 at 10:38:06PM +1000, Russell Coker via refpolicy wrote:
>> > On Fri, 21 Apr 2017 10:06:29 PM Guido Trentalancia via refpolicy wrote:
>> > > > auth_read_shadow(sulogin_t)
>> > > >
>> > > >+auth_login_pgm_domain(sulogin_t)
>> > > >+kernel_read_crypto_sysctls(sulogin_t)
>> > > >+selinux_set_generic_booleans(sulogin_t)
>> > > >
>> > > >What usage needs this access?
>> > >
>> > > They are dangerous permissions, especially the one that allows to set the
>> > > SELinux booleans!
>> > >
>> > > Only the system administrator should be permitted to set the booleans
>> > > interactively through the application...
>> >
>> > Sulogin only runs at the console when something goes wrong in the early boot
>> > process, and the first thing it does is ask for a root password.
>> >
>> > It's simply impossible for sulogin to do what it does without the first line,
>> > it is a login program.
>>
>> I don't think it's a login program from an authlogin perspective. It has no
>> pam config here on fedora. There are no default contexts for sulogin
>
>Ok I might be wrong here with regard to there not being default contexts.
>I do believe that it somehow uses default contexts but there does not
>seem to be a pam config here
>
>>
>> >
>> > The second is used by exim_t, lpr_t, boinc_t, mailman_cgi_t, and
>> > user_mail_domain among others. If we need to restrict access to that then
>> > exim_t, lpr_t, boinc_t, mailman_cgi_t, and user_mail_domain all deal with
>> > untrusted data. The domains exim_t, boinc_t, and mailman_cgi_t are exposed to
>> > data from the Internet and have that access.
>> >
>> > The policy currently has sysadm_shell_domtrans(sulogin_t) which allows sulogin
>> > to execute "bash -c setsebool" or similar. So allowing it to set booleans
>> > directly doesn't really change much.
>> >
>> > There is simply no possibility to allow sulogin to do what it is intended to
>> > do without granting it access to destroy things (at least indirectly). If you
>> > don't want that then the only option is to remove sulogin. I guess you could
>> > submit a patch with a boolean to deny executing sulogin_exec_t for init if
>> > that's what you want.
>> >
>> > --
>> > My Main Blog http://etbe.coker.com.au/
>> > My Documents Blog http://doc.coker.com.au/
>> > _______________________________________________
>> > refpolicy mailing list
>> > refpolicy at oss.tresys.com
>> > http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>> --
>> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
>> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
>> Dominick Grift
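
Review bot: the three added lines in the sulogin_t hunk (auth_login_pgm_domain, kernel_read_crypto_sysctls, selinux_set_generic_booleans) carry no comment saying which sulogin operation or logged denial each one answers, and the thread shows reviewers having to guess. A one-line comment above each call naming the observed need would settle that. The last line, selinux_set_generic_booleans(sulogin_t), is the one questioned in the replies; putting it in a separate patch from the other two would let the login-program and crypto-sysctl access be reviewed and merged independently of the boolean-setting question.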