From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 12 Sep 2017 08:27:05 +0200
Subject: [refpolicy] file map perm issues
In-Reply-To: 
References: <20170910124023.GA29705@meriadoc.perfinion.com> <20170910192246.6861edb9@vega.skynet.aixah.de> <20170911021529.0785af0e@vega.skynet.aixah.de> <20170911010112.GA17876@meriadoc.perfinion.com> <20170911033133.07d7ebcf@vega.skynet.aixah.de>
Message-ID: <20170912062705.GA6678@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 11, 2017 at 08:00:09PM -0400, Chris PeBenito via refpolicy wrote:
> On 09/10/2017 09:31 PM, Luis Ressel via refpolicy wrote:
> > On Mon, 11 Sep 2017 09:01:12 +0800
> > Jason Zaman via refpolicy wrote:
> > 
> >> On Mon, Sep 11, 2017 at 02:15:29AM +0200, Luis Ressel wrote:
> >>> On Sun, 10 Sep 2017 19:22:46 +0200
> >>> Luis Ressel via refpolicy wrote:
> >>> 
> >>>> On Sun, 10 Sep 2017 20:40:23 +0800
> >>>> Jason Zaman via refpolicy wrote:
> >>>> 
> >>>>> Lastly, I've seen a whole ton of domains need allow foo
> >>>>> etc_t:file map; and the audit logs show /etc/passwd as the file
> >>>>> being accessed. I'm fairly certain this is from nsswitch. Can
> >>>>> someone else verify too? strace (below) and the fact that there
> >>>>> is a very strong correlation with domains that contain
> >>>>> nsswitch_domain.
> >>>> 
> >>>> I'm seeing those too, for pretty much all nsswitch domains. Also
> >>>> on gentoo, with glibc 2.23.
> >>> 
> >>> I found out why only perfinion and me got these denials: They only
> >>> occur when files, group or shadow are set to "compat" mode
> >>> in /etc/nsswitch.conf. Unless someone still has a valid use case for
> >>> said compat mode, I'd suggest not adding the map permission here.
> >>> 
> >>> Cheers,
> >>> Luis Ressel
> >> 
> >> Nicholas said he has tons of map denials on /etc/passwd too on Arch.
> >> At the very least I think it should be a tunable. If the default
> >> config is map in gentoo I'll almost definitely have to enable it by
> >> default, otherwise machines won't even boot before you can set the
> >> tunable.
> > 
> > Actually, I was able to boot and login even when I'd still set nsswitch
> > to compat mode. I haven't checked the code, but it apparently falls
> > back to read().
> 
> If that's the case, I'd much rather dontaudit the access, unless there
> is some other bad side effect that we don't know of yet.

One should consider associating a private type with /etc/passwd, /etc/group, etc.

If you now associate a dontaudit map etc_t with all nsswitch domains, then there's a big chance that domains that need map on other etc_t-associated files break, and then it won't be so obvious.

> 
> -- 
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
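The two alternatives discussed in this message, a blanket dontaudit on etc_t:file map for every nsswitch domain versus a private type for /etc/passwd and /etc/group, written out as refpolicy-style policy. This is an added illustration, not code from the thread or from refpolicy itself; the type name passwd_file_t, the interface auth_map_passwd, the example domain example_t and the file placements are assumptions chosen for the example, while nsswitch_domain, etc_t, files_type, files_search_etc, gen_require and gen_context are existing refpolicy constructs.

```selinux
## Added example, not refpolicy code. Assumed identifiers:
## passwd_file_t, auth_map_passwd(), example_t.

## Option A, the blanket rule under discussion (authlogin.te style).
## This silences the "map" denial for every file labelled etc_t,
## for every domain carrying the nsswitch_domain attribute. A domain
## that legitimately needs map on some other etc_t file (a config it
## mmap()s) is still denied, but nothing is logged, so the breakage
## has to be found by behaviour rather than by audit.log.
dontaudit nsswitch_domain etc_t:file map;

## Option B, a private type scoped to the files that actually trigger
## the denial when nsswitch.conf uses "compat".

## authlogin.te (assumed placement): declare the private type.
type passwd_file_t;
files_type(passwd_file_t)

## authlogin.fc (assumed placement): relabel the two files.
/etc/passwd	--	gen_context(system_u:object_r:passwd_file_t,s0)
/etc/group	--	gen_context(system_u:object_r:passwd_file_t,s0)

## authlogin.if (assumed placement): one interface, explicit perms so
## no perm-set macro has to be assumed.
interface(`auth_map_passwd',`
	gen_require(`
		type passwd_file_t;
	')

	files_search_etc($1)
	allow $1 passwd_file_t:file { getattr open read map };
')

## Per-domain use. Either grant the mapping to the one domain that
## needs it, or, if mapping is deliberately not granted and only the
## compat-mode noise should go, dontaudit on the private type. Either
## way a map denial on any other etc_t file still reaches audit.log.
auth_map_passwd(example_t)
# dontaudit example_t passwd_file_t:file map;
```

Introducing the private type has its own cost: every domain that reads or writes /etc/passwd or /etc/group through an etc_t rule today (login, useradd/passwd-style tools, anything that reads the files directly rather than through nsswitch) needs an equivalent rule on passwd_file_t, and a filesystem relabel is required for the new contexts to take effect. That cost is visible and auditable, which is the point of the message: denials on the private type show up in audit.log, whereas the blanket dontaudit hides unrelated map denials on every other etc_t file.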