From: jason@perfinion.com (Jason Zaman)
Date: Mon, 11 Sep 2017 09:01:12 +0800
Subject: [refpolicy] file map perm issues
In-Reply-To: <20170911021529.0785af0e@vega.skynet.aixah.de>
References: <20170910124023.GA29705@meriadoc.perfinion.com>
 <20170910192246.6861edb9@vega.skynet.aixah.de>
 <20170911021529.0785af0e@vega.skynet.aixah.de>
Message-ID: <20170911010112.GA17876@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 11, 2017 at 02:15:29AM +0200, Luis Ressel wrote:
> On Sun, 10 Sep 2017 19:22:46 +0200
> Luis Ressel via refpolicy wrote:
>
> > On Sun, 10 Sep 2017 20:40:23 +0800
> > Jason Zaman via refpolicy wrote:
> >
> > > Lastly, I've seen a whole ton of domains need allow foo etc_t:file
> > > map; and the audit logs show /etc/passwd as the file being
> > > accessed. I'm fairly certain this is from nsswitch. Can someone
> > > else verify too? strace (below) and the fact that there is a very
> > > strong correlation with domains that contain nsswitch_domain.
> >
> > I'm seeing those too, for pretty much all nsswitch domains. Also on
> > Gentoo, with glibc 2.23.
>
> I found out why only perfinion and I got these denials: They only
> occur when files, group or shadow are set to "compat" mode
> in /etc/nsswitch.conf. Unless someone still has a valid use case for
> said compat mode, I'd suggest not adding the map permission here.
>
> Cheers,
> Luis Ressel

Nicholas said he has tons of map denials on /etc/passwd too on Arch.

At the very least I think it should be a tunable. If the default config
is map in Gentoo I'll almost definitely have to enable it by default;
otherwise machines won't even boot before you can set the tunable.
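The diagnosis in the thread (map denials on etc_t files correlating with "compat" sources in /etc/nsswitch.conf) can be checked on a box before deciding whether a tunable or a policy change is needed. The script below is an added example and not code from the refpolicy project or from anyone in this thread; the AVC lines and nsswitch.conf contents are constructed samples so that it runs offline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: correlate SELinux "map" denials on etc_t files with
# "compat" sources in nsswitch.conf. Nothing here is refpolicy code.

# Constructed sample AVC records (format follows audit.log; values are made up).
SAMPLE_AVC='type=AVC msg=audit(1505088000.123:45): avc:  denied  { map } for  pid=1234 comm="sshd" path="/etc/passwd" dev="sda1" ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505088001.456:46): avc:  denied  { read } for  pid=1235 comm="cron" path="/etc/crontab" dev="sda1" ino=4321 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505088002.789:47): avc:  denied  { map } for  pid=1236 comm="sudo" path="/etc/passwd" dev="sda1" ino=1234 scontext=system_u:system_r:sudodomain_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Constructed nsswitch.conf samples: one using compat, one using plain files.
SAMPLE_NSSWITCH_COMPAT='# constructed /etc/nsswitch.conf
passwd:     compat
group:      compat
shadow:     compat
hosts:      files dns'

SAMPLE_NSSWITCH_FILES='# constructed /etc/nsswitch.conf
passwd:     files
group:      files
shadow:     files
hosts:      files dns'

# Print "<source type> <path>" for every denied "map" on a file of type etc_t.
# Other permissions (read, open, ...) and other target types are ignored.
map_denials_on_etc() {
    printf '%s\n' "$1" | awk '
        /denied +[{] map [}]/ && /tcontext=[^ ]*:etc_t:/ && /tclass=file/ {
            src = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^path=/)     { p = substr($i, 6); gsub(/"/, "", p) }
            }
            print src, p
        }'
}

# Number of distinct "map on etc_t" denials in the given audit text.
count_map_denials_on_etc() {
    map_denials_on_etc "$1" | awk 'END { print NR }'
}

# Exit 0 when nsswitch.conf text selects the "compat" source for passwd,
# group or shadow (comment lines start with "#" and never match).
nsswitch_uses_compat() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(passwd|group|shadow)[ \t]*:/ && /compat/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Human-readable report for a pair of (audit text, nsswitch text).
report() {
    echo "map denials on etc_t files:"
    map_denials_on_etc "$1" | sed 's/^/  /'
    if nsswitch_uses_compat "$2"; then
        echo "nsswitch.conf selects compat for passwd/group/shadow: the denials match the thread's finding"
    else
        echo "nsswitch.conf does not use compat: look elsewhere for the cause of the map denials"
    fi
}

# Run against the constructed samples; on a real host, feed it
# "$(ausearch -m avc -ts recent)" and "$(cat /etc/nsswitch.conf)".
report "$SAMPLE_AVC" "$SAMPLE_NSSWITCH_COMPAT"
```

The domain is taken from the third colon-separated field of scontext, so the output lines read like `sshd_t /etc/passwd`, which is what you need when deciding which domains a tunable would have to cover.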