From: jason@perfinion.com (Jason Zaman)
Date: Sat, 4 Nov 2017 20:46:10 +0800
Subject: [refpolicy] map permissions
In-Reply-To: <3850548.JCvBVk9sDr@xev>
References: <3850548.JCvBVk9sDr@xev>
Message-ID: <20171104124610.GA18513@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Nov 04, 2017 at 08:17:53PM +1100, Russell Coker via refpolicy wrote:
> http://oss.tresys.com/pipermail/refpolicy/2017-May/009534.html
>
> What happened to the patch from the above message? The glibc implementations
> of getpwent(3) and friends map files so I have the following on a test
> machine. If we aren't going to add the patch from the above message to allow
> map for most read permissions then I think we should do it for etc_t at least
> if we aren't going to allow it for all reads. If so we could have a _nomap
> variant of interfaces for reading etc_t for the rare programs that can operate
> without getpwent(3) etc.
>
> What do you think?
>
> As an aside, am I the only person here testing with recent kernels?
>
> # everything maps etc_t for /etc/passwd and /etc/group
> allow chkpwd_t etc_t:file map;
> allow chkpwd_t shadow_t:file map;
> allow consolekit_t etc_t:file map;
> allow local_login_t etc_t:file map;
> allow system_sudo_t etc_t:file map;
> allow systemd_logind_t etc_t:file map;
> allow systemd_tmpfiles_t etc_t:file map;
> allow getty_t etc_t:file map;
> allow crond_t etc_t:file map;
> allow audisp_t etc_t:file map;
> allow mon_t etc_t:file map;
> allow postfix_bounce_t etc_t:file map;
> allow postfix_cleanup_t etc_t:file map;
> allow postfix_local_t etc_t:file map;
> allow postfix_master_t etc_t:file map;
> allow postfix_pickup_t etc_t:file map;
> allow postfix_postdrop_t etc_t:file map;
> allow postfix_qmgr_t etc_t:file map;
> allow semanage_t etc_t:file map;
> allow sshd_t etc_t:file map;
> allow syslogd_t etc_t:file map;
> allow system_dbusd_t etc_t:file map;
> allow system_mail_t etc_t:file map;
> allow auditd_t etc_t:file map;

What does your /etc/nsswitch.conf look like? Do you have "compat" for passwd,
shadow, group? It maps a lot but doesn't actually need it. If you switch it to
this then you won't get any maps at all:

passwd: files
shadow: files
group: files

-- 
Jason
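A small check for the nsswitch.conf side of Jason's suggestion, added here as an example and not code from the thread or from refpolicy: it parses an nsswitch.conf, reports which of the passwd, shadow and group databases list the compat service, and rewrites those lines to the files-only form shown above, leaving every other database untouched. The sample configuration embedded in the script is constructed, not taken from any real host.

```python
"""Report NSS databases that use glibc's "compat" service and render the
"files"-only replacement lines. The sample nsswitch.conf below is constructed."""

from typing import Dict, List, Sequence

# The databases behind getpwent(3), getspent(3) and getgrent(3).
NSS_DATABASES: Sequence[str] = ("passwd", "shadow", "group")

# Constructed sample; a real file lives at /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         compat
group:          compat   # trailing comment
shadow:         compat
hosts:          files dns
netgroup:       nis
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [service tokens]} for every non-comment, non-blank line.

    Comments start with '#', and action specs such as [NOTFOUND=return] are kept as
    tokens so a caller can still see them; only the service names matter here.
    """
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, services = line.split(":", 1)
        entries[database.strip()] = services.split()
    return entries


def compat_databases(entries: Dict[str, List[str]],
                     databases: Sequence[str] = NSS_DATABASES) -> List[str]:
    """Databases (in the order given) whose service list includes 'compat'."""
    return [db for db in databases if "compat" in entries.get(db, [])]


def rewrite_to_files(text: str,
                     databases: Sequence[str] = NSS_DATABASES) -> str:
    """Rewrite only the compat lines of the selected databases to '<db>: files'.

    Lines for other databases, comments and blank lines are passed through
    unchanged so the result is a drop-in replacement file.
    """
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            database, services = line.split(":", 1)
            database = database.strip()
            if database in databases and "compat" in services.split():
                out.append(f"{database}: files")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


def report(text: str) -> List[str]:
    """Human-readable findings for the given nsswitch.conf content."""
    found = compat_databases(parse_nsswitch(text))
    if not found:
        return ["no passwd/shadow/group database uses the compat service"]
    return [f"{db}: uses compat; suggested line -> '{db}: files'" for db in found]


if __name__ == "__main__":
    for line in report(SAMPLE_NSSWITCH):
        print(line)
    print("--- rewritten configuration ---")
    print(rewrite_to_files(SAMPLE_NSSWITCH), end="")
```

To run it against a real machine, read /etc/nsswitch.conf into `text` instead of `SAMPLE_NSSWITCH`; the rewrite function returns the new content rather than writing it, so the result can be diffed and reviewed before anything is installed.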