From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 26 Apr 2017 17:42:31 +0200 Subject: [refpolicy] [PATCH v2] locallogin: fix the sulogin submodule (emergency shell!) In-Reply-To: <20170426130544.GA3729@julius> References: <1492802281.4493.1.camel@trentalancia.net> <1493160602.4469.0.camel@trentalancia.net> <20170426130544.GA3729@julius> Message-ID: <5D3FFC2A-F6BB-4056-AA55-CF89D485F79C@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. On the 26th of April 2017 15:05:44 CEST, Dominick Grift via refpolicy wrote: >On Wed, Apr 26, 2017 at 12:50:02AM +0200, Guido Trentalancia via >refpolicy wrote: >> This patch fixes the policy for sulogin. It is very important >> because without this patch, sulogin cannot work properly and >> it should be considered that it is used as an emergency shell >> when there are serious consistency errors in the system, so it >> constitutes the only way to recover the system in such >> circumstances. >> >> Nowadays, sulogin never uses PAM (at least not the official one >> from util-linux), so obsolete, confusing and buggy policy has >> been removed. >> >> Extensive testing carried out while creating this patch indicates >> that there aren't other permissions needed to successfully run >> sulogin. >> >> This second version should apply cleanly to the latest git tree. >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/system/locallogin.te | 24 ++++++++++++++---------- >> 1 file changed, 14 insertions(+), 10 deletions(-) >> >> --- a/policy/modules/system/locallogin.te 2017-04-13 >22:04:35.111202539 +0200 >> +++ b/policy/modules/system/locallogin.te 2017-04-26 >00:44:23.028943625 +0200 
>> @@ -215,7 +215,8 @@ optional_policy(` >> # Sulogin local policy >> # >> >> -allow sulogin_t self:capability dac_override; >> +allow sulogin_t self:capability { dac_override sys_admin >sys_tty_config }; > >I suspect that cap_sys_admin can be safely dontaudited Yes, I thought the same, but then considering it is a sysadmin shell, I did not even check. Also, remember we probably still have sys_admin for getty which runs unprivileged shells... >> +allow sulogin_t self:process setexec; >> allow sulogin_t self:fd use; >> allow sulogin_t self:fifo_file rw_fifo_file_perms; >> allow sulogin_t self:unix_dgram_socket create_socket_perms; >> @@ -228,6 +229,9 @@ allow sulogin_t self:msgq create_msgq_pe >> allow sulogin_t self:msg { send receive }; >> >> kernel_read_system_state(sulogin_t) >> +kernel_read_crypto_sysctls(sulogin_t) >> +kernel_stream_connect(sulogin_t) >> +kernel_use_fds(sulogin_t) >> # because file systems are not mounted: >> kernel_dontaudit_search_unlabeled(sulogin_t) >> >> @@ -238,10 +242,13 @@ files_read_etc_files(sulogin_t) >> >> auth_read_shadow(sulogin_t) >> >> +init_getpgid(sulogin_t) >> init_getpgid_script(sulogin_t) >> >> logging_send_syslog_msg(sulogin_t) >> >> +miscfiles_read_localization(sulogin_t) >> + >> seutil_read_config(sulogin_t) >> seutil_read_default_contexts(sulogin_t) 
>> >> @@ -252,15 +259,12 @@ userdom_use_user_ptys(sulogin_t) >> >> sysadm_shell_domtrans(sulogin_t) >> >> -# suse and debian do not use pam with sulogin... >> -ifdef(`distro_suse', `define(`sulogin_no_pam')') >> -ifdef(`distro_debian', `define(`sulogin_no_pam')') >> - >> -ifdef(`sulogin_no_pam', ` >> - allow sulogin_t self:capability sys_tty_config; >> - init_getpgid(sulogin_t) >> -', ` >> - allow sulogin_t self:process setexec; >> +term_use_console(sulogin_t) >> +term_use_unallocated_ttys(sulogin_t) >> + >> +# by default, sulogin does not use pam... >> +# sulogin_pam might need to be defined otherwise >> +ifdef(`sulogin_pam', ` >> selinux_get_fs_mount(sulogin_t) >> selinux_validate_context(sulogin_t) >> selinux_compute_access_vector(sulogin_t) >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy Regards, Guido
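Review bot: in the @@ -215,7 +215,8 @@ hunk, `allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };` grants sys_admin outright although the reply in this thread suggests it can be dontaudited; unless a specific sulogin operation was observed to fail without it during the testing the commit message mentions, `dontaudit sulogin_t self:capability sys_admin;` is the safer form. The same hunk moves `allow sulogin_t self:process setexec;` out of the PAM branch so it now applies in the non-PAM default, and a short comment saying which sulogin step needs setexec would help the next reader of locallogin.te.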
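Review bot: in the @@ -228,6 +229,9 @@ hunk the three added calls `kernel_read_crypto_sysctls(sulogin_t)`, `kernel_stream_connect(sulogin_t)` and `kernel_use_fds(sulogin_t)` carry no rationale, while the neighbouring `kernel_dontaudit_search_unlabeled(sulogin_t)` line does (`# because file systems are not mounted:`); add a comment stating what sulogin does that needs each (reading crypto sysctls in particular is not obvious for an emergency shell), so an observed requirement can be told apart from a speculative one.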
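Review bot: in the @@ -252,15 +259,12 @@ hunk the new `ifdef(`sulogin_pam', ...)` block is guarded by a symbol nothing in this patch defines, so `selinux_get_fs_mount`, `selinux_validate_context` and `selinux_compute_access_vector` become unreachable in every build unless a distro ifdef or the build configuration defines `sulogin_pam`; the comment `# sulogin_pam might need to be defined otherwise` should say where that definition is expected, or, since the commit message states the PAM policy was removed, the block should be dropped rather than kept as dead policy. The added `term_use_console(sulogin_t)` and `term_use_unallocated_ttys(sulogin_t)` lines also lack a comment explaining why they are needed now that the per-distro `sulogin_no_pam` branch is gone.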