From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 11 Sep 2017 20:00:09 -0400
Subject: [refpolicy] file map perm issues
In-Reply-To: <20170911033133.07d7ebcf@vega.skynet.aixah.de>
References: <20170910124023.GA29705@meriadoc.perfinion.com> <20170910192246.6861edb9@vega.skynet.aixah.de> <20170911021529.0785af0e@vega.skynet.aixah.de> <20170911010112.GA17876@meriadoc.perfinion.com> <20170911033133.07d7ebcf@vega.skynet.aixah.de>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/10/2017 09:31 PM, Luis Ressel via refpolicy wrote:
> On Mon, 11 Sep 2017 09:01:12 +0800
> Jason Zaman via refpolicy wrote:
>
>> On Mon, Sep 11, 2017 at 02:15:29AM +0200, Luis Ressel wrote:
>>> On Sun, 10 Sep 2017 19:22:46 +0200
>>> Luis Ressel via refpolicy wrote:
>>>
>>>> On Sun, 10 Sep 2017 20:40:23 +0800
>>>> Jason Zaman via refpolicy wrote:
>>>>
>>>>> Lastly, I've seen a whole ton of domains need allow foo
>>>>> etc_t:file map; and the audit logs show /etc/passwd as the file
>>>>> being accessed. I'm fairly certain this is from nsswitch. Can
>>>>> someone else verify too? strace (below) and the fact that there
>>>>> is a very strong correlation with domains that contain
>>>>> nsswitch_domain.
>>>>
>>>> I'm seeing those too, for pretty much all nsswitch domains. Also
>>>> on gentoo, with glibc 2.23.
>>>
>>> I found out why only perfinion and I got these denials: They only
>>> occur when files, group or shadow are set to "compat" mode
>>> in /etc/nsswitch.conf. Unless someone still has a valid use case for
>>> said compat mode, I'd suggest not adding the map permission here.
>>>
>>> Cheers,
>>> Luis Ressel
>>
>> Nicholas said he has tons of map denials on /etc/passwd too on Arch.
>> At the very least I think it should be a tunable. If the default
>> config is map in gentoo I'll almost definitely have to enable it by
>> default, otherwise machines won't even boot before you can set the
>> tunable.
>
> Actually, I was able to boot and login even when I'd still set nsswitch
> to compat mode. I haven't checked the code, but it apparently falls
> back to read().

If that's the case, I'd much rather dontaudit the access, unless there is some other bad side effect that we don't know of yet.

--
Chris PeBenito
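As an added illustration of the triage this thread describes (not code from the thread or from refpolicy), the script below pulls the source types that hit `etc_t:file map` denials out of AVC audit lines, turns each into the `dontaudit` rule Chris prefers over an `allow`, and checks whether an nsswitch.conf uses the `compat` mode Luis identified as the trigger. The AVC lines and the nsswitch.conf contents are constructed samples in the real audit and nsswitch formats; the check looks at the passwd, group and shadow databases, which is an assumption about what "files, group or shadow" in the thread refers to.

```shell
#!/bin/sh
# Constructed sample AVC denials in the standard audit.log format (not real logs).
# Two "map" denials on etc_t from sshd_t, one from crond_t, and one unrelated
# "read" denial that must be ignored.
SAMPLE_AVC='type=AVC msg=audit(1505100000.101:301): avc:  denied  { map } for  pid=1201 comm="sshd" path="/etc/passwd" dev="sda1" ino=1052 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505100000.102:302): avc:  denied  { map } for  pid=1202 comm="crond" path="/etc/group" dev="sda1" ino=1053 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505100000.103:303): avc:  denied  { read } for  pid=1203 comm="foo" path="/etc/foo.conf" dev="sda1" ino=1054 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1505100000.104:304): avc:  denied  { map } for  pid=1204 comm="sshd" path="/etc/passwd" dev="sda1" ino=1052 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Print the deduplicated source types that were denied "map" on an etc_t file.
# $1: AVC lines as one string (in practice: the output of ausearch -m avc).
map_etc_sources() {
    printf '%s\n' "$1" |
    grep 'denied  { map }' |
    grep 'tcontext=[^ ]*:etc_t:' |
    sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p' |
    sort -u
}

# Emit one dontaudit rule per source type, silencing the denial without granting
# the permission (the fallback to read() keeps the lookup working).
emit_dontaudit() {
    map_etc_sources "$1" | while read -r t; do
        printf 'dontaudit %s etc_t:file map;\n' "$t"
    done
}

# Return 0 if the given nsswitch.conf selects "compat" for passwd, group or shadow.
# $1: path to an nsswitch.conf file.
nsswitch_uses_compat() {
    grep -Eq '^[[:space:]]*(passwd|group|shadow):.*(^|[[:space:]])compat([[:space:]]|$)' "$1"
}

# Stand-alone usage on the constructed samples.
emit_dontaudit "$SAMPLE_AVC"
SAMPLE_NSS=$(mktemp)
printf 'passwd: compat\ngroup:  files\nshadow: compat\n' > "$SAMPLE_NSS"
if nsswitch_uses_compat "$SAMPLE_NSS"; then
    echo "nsswitch.conf uses compat mode: expect file map attempts on /etc/passwd"
fi
rm -f "$SAMPLE_NSS"
```

On a real system the first argument would come from `ausearch -m avc` and the nsswitch path would be `/etc/nsswitch.conf`; the generated rules are meant to be reviewed and placed in the relevant module, not applied blindly.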