getpwnam and SELinux
Stephen Smalley
sds at tycho.nsa.gov
Tue Jul 7 11:57:05 UTC 2009
On Mon, 2009-07-06 at 18:23 -0700, Brian Ginn wrote:
> Thanks for the response!
>
> My RHEL 5.3 box doesn't have the -D option for semodule , so I moved to Fedora 9.
> I still don't see a relevant AVC message.
>
> My policy, a sample run, and a test program are shown below.
> I get the same results running it unconfined as root.
> Note the role statement identified below still shows up with audit2allow, even though it is in the policy
Hmmm...bug in the policy compiler, maybe?
I don't see unconfined_r in a require block in your policy module. Try
adding:
role unconfined_r;
to the first gen_require() block.
> Thanks,
> Brian
>
>
> [root at localhost t]# cat t_getpw.te
> policy_module(t_getpw,1.0.0)
>
> type t_getpw_t;
> type t_getpw_exec_t;
>
> gen_require(`
> type unconfined_t;
> ')
> domain_auto_trans(unconfined_t, t_getpw_exec_t, t_getpw_t )
>
> auth_can_read_shadow_passwords( t_getpw_t );
> auth_read_shadow( t_getpw_t );
> auth_tunable_read_shadow( t_getpw_t );
> auth_use_nsswitch( t_getpw_t );
> auth_domtrans_chk_passwd(t_getpw_t)
>
> gen_require(`
> type ld_so_cache_t;
> type ld_so_t;
> type lib_t;
> type root_t;
> type sshd_t;
> type unconfined_devpts_t;
> ')
>
> #============= t_getpw_t ==============
> allow t_getpw_t ld_so_cache_t:file { read getattr };
> allow t_getpw_t ld_so_t:file read;
> allow t_getpw_t lib_t:dir search;
> allow t_getpw_t lib_t:file { read getattr execute };
> allow t_getpw_t lib_t:lnk_file read;
> allow t_getpw_t root_t:dir search;
> allow t_getpw_t sshd_t:fd use;
> allow t_getpw_t t_getpw_exec_t:file entrypoint;
> allow t_getpw_t unconfined_devpts_t:chr_file { read write getattr };
> allow t_getpw_t unconfined_t:fd use;
> allow t_getpw_t unconfined_t:process sigchld;
>
> #============= unconfined_t ==============
> allow unconfined_t t_getpw_t:dir { getattr search };
> allow unconfined_t t_getpw_t:file read;
> allow unconfined_t t_getpw_t:process { siginh getattr rlimitinh noatsecure };
>
> #curiously, this role statement still shows up with audit2allow:
> role unconfined_r types t_getpw_exec_t;
>
> #=========== pam_t and vmware_host_t are probably not related
> #=========== but always show up in audit.log
>
> gen_require(`
> type pam_t;
> type initrc_var_run_t;
> type vmware_host_t;
> type xdm_xserver_t;
> ')
> #============= pam_t ==============
> allow pam_t initrc_var_run_t:file write;
>
> #============= vmware_host_t ==============
> allow vmware_host_t t_getpw_t:dir { search getattr };
> allow vmware_host_t t_getpw_t:file read;
> allow vmware_host_t xdm_xserver_t:process ptrace;
>
>
> [root at localhost t]# cat t_getpw.fc
>
> /usr/local/bin/t_getpwnam -- gen_context(system_u:object_r:t_getpw_exec_t,s0)
>
> [root at localhost t]#
>
>
>
>
> Loading Policy
> + /usr/sbin/semodule -i t_getpw.pp
> + '[' 0 -ne 0 ']'
> + /sbin/restorecon -F -R -v /usr/local/bin/t_getpwnam
> /sbin/restorecon reset /usr/local/bin/t_getpwnam context unconfined_u:object_r:bin_t:s0->system_u:object_r:t_getpw_exec_t:s0
> + setenforce 1
> + setenforce 0
> + semodule -DB
> [root at localhost t]# /usr/local/bin/t_getpwnam bginn
> Calling getpwnam for user: bginn
> USER:bginn UID:500 pwd:x
> DONE.
> [root at localhost t]# cat /var/log/audit/audit.log
> type=AVC msg=audit(1246903716.331:18364): avc: denied { ptrace } for pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1246903716.331:18364): arch=c000003e syscall=89 per=400000 success=yes exit=19 a0=7fff06c1c7b0 a1=7fff06c1b7a0 a2=1000 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid: invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 a0=bfcbd0 a1=c06760 a2=c06cb0 a3=8 items=0 ppid=16180 pid=16315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1246903726.351:18366): avc: denied { search } for pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1246903726.351:18366): avc: denied { read } for pid=1665 comm="vmware-guestd" name="cmdline" dev=proc ino=83608 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1246903726.351:18366): arch=c000003e syscall=2 per=400000 success=yes exit=12 a0=7fff06c0b190 a1=0 a2=13 a3=8101010101010100 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> type=AVC msg=audit(1246903726.352:18367): avc: denied { getattr } for pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
> type=SYSCALL msg=audit(1246903726.352:18367): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=7fff06c0b190 a1=7fff06c0b590 a2=7fff06c0b590 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> [root at localhost t]# cat /var/log/audit/audit.log| audit2allow
>
>
> #============= vmware_host_t ==============
> allow vmware_host_t t_getpw_t:dir { search getattr };
> allow vmware_host_t t_getpw_t:file read;
> allow vmware_host_t xdm_xserver_t:process ptrace;
>
> =========== ROLES ===============
> role unconfined_r types t_getpw_exec_t;
> [root at localhost t]#
>
>
>
> [root at localhost t]# cat t_getpwnam.c
> #include <stdlib.h>
> #include <pwd.h>
> #include <sys/types.h>
> #include <stdio.h>
>
> int main( int argc, char** argv )
> {
> struct passwd *p;
> char* user = NULL;
>
> sleep(9);
>
> if( argc != 2 )
> {
> printf("must have username as argument\n");
> exit(1);
> }
>
> user = argv[1];
>
> printf("Calling getpwnam for user: %s\n", user);
>
> setpwent();
> p = getpwnam( user );
> if( p == NULL )
> {
> printf("User not found (or error).\n");
> }else{
> printf("USER:%s UID:%d pwd:%s\n", p->pw_name, p->pw_uid, p->pw_passwd );
> }
> endpwent();
>
> printf("DONE.\n");
> return( 0 );
> }
> [root at localhost t]#
>
>
>
>
> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
> Sent: Thursday, July 02, 2009 4:53 AM
> To: Brian Ginn
> Cc: 'fedora-selinux-list at redhat.com'
> Subject: Re: getpwnam and SELinux
>
> On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> > I have an app that I'm trying to confine.
> >
> >
> >
> > In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
> >
> >
> >
> > Is there SELinux policy to allow this app to get the shadow passwd?
> >
> > I've tried the following without success:
> >
> > auth_can_read_shadow_passwords( )
> >
> > auth_read_shadow( )
> >
> > auth_tunable_read_shadow( )
> >
> > auth_use_nsswitch( )
>
> Can you show us the actual denial? Run semodule -DB first if you don't
> get any denials, and then run semodule -B afterward. Also, post
> your .te file.
>
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list