From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 21 Apr 2017 21:18:01 +0200 Subject: [refpolicy] [PATCH] locallogin: fix the sulogin submodule (emergency shell!) Message-ID: <1492802281.4493.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch fixes the policy for sulogin. It is very important because without this patch, sulogin cannot work properly and it should be considered that it is used as an emergency shell when there are serious consistency errors in the system, so it constitutes the only way to recover the system in such circumstances. Nowadays, sulogin never uses PAM (at least not the official one from util-linux), so obsolete, confusing and buggy policy has been removed. Extensive testing carried out while creating this patch indicates that there aren't other permissions needed to successfully run sulogin. Signed-off-by: Guido Trentalancia --- policy/modules/system/locallogin.te | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) --- a/policy/modules/system/locallogin.te 2017-02-04 19:30:17.000000000 +0100 +++ b/policy/modules/system/locallogin.te 2017-04-21 21:01:04.693531271 +0200 @@ -210,8 +210,8 @@ optional_policy(` # Sulogin local policy # -allow sulogin_t self:capability dac_override; -allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow sulogin_t self:capability { dac_override sys_admin sys_tty_config }; +allow sulogin_t self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap }; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms; allow sulogin_t self:unix_dgram_socket create_socket_perms; @@ -224,6 +224,9 @@ allow sulogin_t self:msgq create_msgq_pe allow sulogin_t self:msg { send receive }; kernel_read_system_state(sulogin_t) +kernel_read_crypto_sysctls(sulogin_t) +kernel_stream_connect(sulogin_t) +kernel_use_fds(sulogin_t) # because file systems are not mounted: kernel_dontaudit_search_unlabeled(sulogin_t) @@ -234,10 +237,13 @@ files_read_etc_files(sulogin_t) auth_read_shadow(sulogin_t) +init_getpgid(sulogin_t) init_getpgid_script(sulogin_t) logging_send_syslog_msg(sulogin_t) +miscfiles_read_localization(sulogin_t) + seutil_read_config(sulogin_t) seutil_read_default_contexts(sulogin_t) @@ -248,15 +254,12 @@ userdom_use_user_ptys(sulogin_t) sysadm_shell_domtrans(sulogin_t) -# suse and debian do not use pam with sulogin... -ifdef(`distro_suse', `define(`sulogin_no_pam')') -ifdef(`distro_debian', `define(`sulogin_no_pam')') - -ifdef(`sulogin_no_pam', ` - allow sulogin_t self:capability sys_tty_config; - init_getpgid(sulogin_t) -', ` - allow sulogin_t self:process setexec; +term_use_console(sulogin_t) +term_use_unallocated_ttys(sulogin_t) + +# by default, sulogin does not use pam... +# sulogin_pam might need to be defined otherwise +ifdef(`sulogin_pam', ` selinux_get_fs_mount(sulogin_t) selinux_validate_context(sulogin_t) selinux_compute_access_vector(sulogin_t)