From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 03:31:33 +0200
Subject: [refpolicy] file map perm issues
In-Reply-To: <20170911010112.GA17876@meriadoc.perfinion.com>
References: <20170910124023.GA29705@meriadoc.perfinion.com> <20170910192246.6861edb9@vega.skynet.aixah.de> <20170911021529.0785af0e@vega.skynet.aixah.de> <20170911010112.GA17876@meriadoc.perfinion.com>
Message-ID: <20170911033133.07d7ebcf@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 11 Sep 2017 09:01:12 +0800
Jason Zaman via refpolicy wrote:

> On Mon, Sep 11, 2017 at 02:15:29AM +0200, Luis Ressel wrote:
> > On Sun, 10 Sep 2017 19:22:46 +0200
> > Luis Ressel via refpolicy wrote:
> >
> > > On Sun, 10 Sep 2017 20:40:23 +0800
> > > Jason Zaman via refpolicy wrote:
> > >
> > > > Lastly, I've seen a whole ton of domains need allow foo
> > > > etc_t:file map; and the audit logs show /etc/passwd as the file
> > > > being accessed. I'm fairly certain this is from nsswitch. Can
> > > > someone else verify too? strace (below) and the fact that there
> > > > is a very strong correlation with domains that contain
> > > > nsswitch_domain.
> > >
> > > I'm seeing those too, for pretty much all nsswitch domains. Also
> > > on gentoo, with glibc 2.23.
> >
> > I found out why only perfinion and I got these denials: They only
> > occur when files, group or shadow are set to "compat" mode
> > in /etc/nsswitch.conf. Unless someone still has a valid use case for
> > said compat mode, I'd suggest not adding the map permission here.
> >
> > Cheers,
> > Luis Ressel
>
> Nicholas said he has tons of map denials on /etc/passwd too on Arch.
> At the very least I think it should be a tunable. If the default
> config is map in gentoo I'll almost definitely have to enable it by
> default, otherwise machines won't even boot before you can set the
> tunable.

Actually, I was able to boot and log in even when I'd still set nsswitch to compat mode.
I haven't checked the code, but it apparently falls back to read().

Regards,
Luis Ressel
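As an added example (not part of the thread or of refpolicy), a small POSIX shell check for the condition Luis describes: whether the passwd, group or shadow databases in an nsswitch.conf are served by `compat`, the setting he found to trigger the etc_t:file map denials on /etc/passwd. The sample configuration is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: report which of the passwd,
# group and shadow databases in an nsswitch.conf-style file use the
# "compat" NSS service, the setting identified as the trigger for the
# etc_t:file map denials on /etc/passwd.

# Print the name of each passwd/group/shadow database whose service
# list contains "compat". $1 is the path of the file to inspect.
nsswitch_compat_dbs() {
    # Drop comments first so a commented-out "compat" is not counted.
    sed 's/#.*//' "$1" | awk '
        /^[ \t]*(passwd|group|shadow)[ \t]*:/ {
            split($0, parts, ":")
            db = parts[1]; gsub(/[ \t]/, "", db)
            # Service tokens may carry options such as [NOTFOUND=return],
            # so compare whole tokens rather than grepping the line.
            n = split(parts[2], svc, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (svc[i] == "compat") { print db; break }
        }'
}

# Exit status 0 when at least one of the three databases uses compat,
# 1 otherwise, so the check can be dropped into a configuration audit.
nsswitch_uses_compat() {
    [ -n "$(nsswitch_compat_dbs "$1")" ]
}

# Constructed sample configuration (not taken from any real host).
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
cat > "$SAMPLE_NSSWITCH" <<'EOF'
# passwd and group still use the legacy compat service
passwd:     compat
group:      compat [NOTFOUND=return] files
shadow:     files
hosts:      files dns
EOF

echo "databases using compat: $(nsswitch_compat_dbs "$SAMPLE_NSSWITCH" | tr '\n' ' ')"
```

On a host that only needs local files, replacing `compat` with `files` for these databases removes the mmap of /etc/passwd that produced the denials, without granting map on etc_t.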