From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 21 Apr 2017 16:04:43 +0200
Subject: [refpolicy] [PATCH] login related stuff take 2
In-Reply-To: <16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net>
References: <20170421091025.kwn5wmevhmoyidj3@athena.coker.com.au>
 <201704212238.06684.russell@coker.com.au>
 <20170421124246.GA2335@julius>
 <20170421124848.GB2335@julius>
 <81B0E11D-B5E5-41C6-BFF8-91699B40E271@trentalancia.net>
 <20170421134201.GC2335@julius>
 <16C6159B-E15B-44E5-AFEC-2FB1FFBA339C@trentalancia.net>
Message-ID: <20170421140443.GD2335@julius>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Apr 21, 2017 at 03:47:35PM +0200, Guido Trentalancia via refpolicy wrote:
> I confirm that such auth permission is not needed. It uses shadow directly and it already has the appropriate auth_read_shadow() interface call!
>
> I am now checking the details...

There seems to be a bug though in refpolicy. In refpolicy, sulogin seems to use an auto type transition to sysadm_t but, at least in fedora, sulogin does actually look up default contexts. If you add "system_r:sulogin_t:s0 sysadm_r:sysadm_t:s0" to contexts/users/sysadm_u, then sulogin will try to manually transition to that context, provided that it has the permissions to do so. So it's not an authlogin login program but it is selinux aware.

>
> On the 21st of April 2017 15:42:01 CEST, Dominick Grift via refpolicy wrote:
> >On Fri, Apr 21, 2017 at 03:33:50PM +0200, Guido Trentalancia via refpolicy wrote:
> >> It doesn't have a PAM configuration file for the simple reason that it doesn't use PAM...
> >
> >And thus it is not an authlogin login program
> >
> >>
> >> I am now testing the other permissions, it should be easier and safer than just speculating on the possible behavior.
> >>
> >> I'm getting a very different behavior!
> >>
> >> Will get back shortly.
> >>
> >> Regards,
> >>
> >> Guido
> >>
> >> On the 21st April 2017 14:48:48 CEST, Dominick Grift via refpolicy wrote:
> >> >On Fri, Apr 21, 2017 at 02:42:46PM +0200, Dominick Grift wrote:
> >> >> On Fri, Apr 21, 2017 at 10:38:06PM +1000, Russell Coker via refpolicy wrote:
> >> >> > On Fri, 21 Apr 2017 10:06:29 PM Guido Trentalancia via refpolicy wrote:
> >> >> > > > auth_read_shadow(sulogin_t)
> >> >> > > >
> >> >> > > >+auth_login_pgm_domain(sulogin_t)
> >> >> > > >+kernel_read_crypto_sysctls(sulogin_t)
> >> >> > > >+selinux_set_generic_booleans(sulogin_t)
> >> >> > > >
> >> >> > > >What usage need this access?
> >> >> > >
> >> >> > > They are dangerous permissions, especially the one that allows to set the SELinux booleans!
> >> >> > >
> >> >> > > Only the system administrator should be permitted to set the booleans interactively through the application...
> >> >> >
> >> >> > Sulogin only runs at the console when something goes wrong in the early boot process, and the first thing it does is ask for a root password.
> >> >> >
> >> >> > It's simply impossible for sulogin to do what it does without the first line, it is a login program.
> >> >>
> >> >> I don't think it's a login program from an authlogin perspective. It has no pam config here on fedora. There are no default contexts for sulogin
> >> >
> >> >Ok I might be wrong here with regard to there not being default contexts. I do believe that it somehow uses default contexts but there does not seem to be a pam config here
> >> >
> >> >>
> >> >> >
> >> >> > The second is used by exim_t, lpr_t, boinc_t, mailman_cgi_t, and user_mail_domain among others. If we need to restrict access to that then exim_t, lpr_t, boinc_t, mailman_cgi_t, and user_mail_domain all deal with untrusted data.
> >> >> > The domains exim_t, boinc_t, and mailman_cgi_t are exposed to data from the Internet and have that access.
> >> >> >
> >> >> > The policy currently has sysadm_shell_domtrans(sulogin_t) which allows sulogin to execute "bash -c setsebool" or similar. So allowing it to set booleans directly doesn't really change much.
> >> >> >
> >> >> > There is simply no possibility to allow sulogin to do what it is intended to do without granting it access to destroy things (at least indirectly). If you don't want that then the only option is to remove sulogin. I guess you could submit a patch with a boolean to deny executing sulogin_exec_t for init if that's what you want.
> >> >> >
> >> >> > --
> >> >> > My Main Blog http://etbe.coker.com.au/
> >> >> > My Documents Blog http://doc.coker.com.au/
> >> >> > _______________________________________________
> >> >> > refpolicy mailing list
> >> >> > refpolicy at oss.tresys.com
> >> >> > http://oss.tresys.com/mailman/listinfo/refpolicy
> >> >>
> >> >> --
> >> >> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> >> >> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> >> >> Dominick Grift
> >>
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
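An added example, not part of this thread and not code from refpolicy or libselinux, modelling the default-contexts lookup Dominick describes above: an SELinux-aware login program strips the SELinux user from its own context, looks the remaining role:type:level up first in contexts/users/<seuser> and then in contexts/default_contexts, and the candidates on the matching line are the contexts it may try to transition the user into. The sample file contents, the function names, and the simplification that the first matching line decides (real libselinux also filters the candidates against the loaded policy) are assumptions of this example.

```python
"""Simplified model of the SELinux default-contexts lookup performed by
SELinux-aware login programs.  Added example with constructed data; not
code from refpolicy or libselinux."""

from typing import Dict, List

# Constructed sample of contexts/users/sysadm_u.  Each non-comment line is
# "<source role:type:level> <candidate role:type:level> ...": the source is
# the login program's own context minus the SELinux user, the candidates
# are the contexts the user may be placed in, most preferred first.
# The sulogin_t line is the kind of entry the thread suggests adding.
SAMPLE_SYSADM_U = """\
# constructed for this example
system_r:local_login_t:s0  sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
system_r:sshd_t:s0         sysadm_r:sysadm_t:s0
system_r:sulogin_t:s0      sysadm_r:sysadm_t:s0
"""

# Constructed sample of contexts/default_contexts, consulted only when the
# per-user file has no line for the source context.
SAMPLE_DEFAULT_CONTEXTS = """\
# constructed for this example
system_r:local_login_t:s0  user_r:user_t:s0
system_r:xdm_t:s0          user_r:user_t:s0
"""


def parse_default_contexts(text: str) -> Dict[str, List[str]]:
    """Map each source role:type:level to its ordered candidate list."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # a source with no candidates is useless
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def strip_seuser(context: str) -> str:
    """'system_u:system_r:sulogin_t:s0' -> 'system_r:sulogin_t:s0'."""
    _seuser, rest = context.split(":", 1)
    return rest


def lookup_default_contexts(source_context: str, seuser_file: str,
                            default_file: str = "") -> List[str]:
    """Return the candidate role:type:level list for a login program.

    The per-SELinux-user file wins when it has a line for the source;
    only otherwise is default_contexts consulted.  Real libselinux also
    checks each candidate against the policy, which is assumed away here.
    """
    key = strip_seuser(source_context)
    for text in (seuser_file, default_file):
        candidates = parse_default_contexts(text).get(key)
        if candidates:
            return list(candidates)
    return []


def full_context(seuser: str, role_type_level: str) -> str:
    """Put the SELinux user back on to form a complete target context."""
    return f"{seuser}:{role_type_level}"


def choose_login_context(source_context: str, seuser: str, seuser_file: str,
                         default_file: str = "") -> str:
    """Pick the most preferred candidate, or '' when nothing is configured."""
    candidates = lookup_default_contexts(source_context, seuser_file, default_file)
    return full_context(seuser, candidates[0]) if candidates else ""


if __name__ == "__main__":
    # sulogin running as system_u:system_r:sulogin_t:s0 logging in sysadm_u
    print(choose_login_context("system_u:system_r:sulogin_t:s0", "sysadm_u",
                               SAMPLE_SYSADM_U, SAMPLE_DEFAULT_CONTEXTS))
```

With the sulogin_t line present, the lookup yields sysadm_r:sysadm_t:s0 and the program would attempt the transition to sysadm_u:sysadm_r:sysadm_t:s0; without it the lookup returns nothing, which is the situation in which only the policy's automatic type transition applies.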