getpwnam and SELinux
Brian Ginn
BGinn at symark.com
Tue Jul 7 01:23:10 UTC 2009
Thanks for the response!
My RHEL 5.3 box doesn't have the -D option for semodule , so I moved to Fedora 9.
I still don't see a relevant AVC message.
My policy, a sample run, and a test program are shown below.
I get the same results running it unconfined as root.
Note the role statement identified below still shows up with audit2allow, even though it is in the policy
Thanks,
Brian
[root at localhost t]# cat t_getpw.te
policy_module(t_getpw,1.0.0)
type t_getpw_t;
type t_getpw_exec_t;
gen_require(`
type unconfined_t;
')
domain_auto_trans(unconfined_t, t_getpw_exec_t, t_getpw_t )
auth_can_read_shadow_passwords( t_getpw_t );
auth_read_shadow( t_getpw_t );
auth_tunable_read_shadow( t_getpw_t );
auth_use_nsswitch( t_getpw_t );
auth_domtrans_chk_passwd(t_getpw_t)
gen_require(`
type ld_so_cache_t;
type ld_so_t;
type lib_t;
type root_t;
type sshd_t;
type unconfined_devpts_t;
')
#============= t_getpw_t ==============
allow t_getpw_t ld_so_cache_t:file { read getattr };
allow t_getpw_t ld_so_t:file read;
allow t_getpw_t lib_t:dir search;
allow t_getpw_t lib_t:file { read getattr execute };
allow t_getpw_t lib_t:lnk_file read;
allow t_getpw_t root_t:dir search;
allow t_getpw_t sshd_t:fd use;
allow t_getpw_t t_getpw_exec_t:file entrypoint;
allow t_getpw_t unconfined_devpts_t:chr_file { read write getattr };
allow t_getpw_t unconfined_t:fd use;
allow t_getpw_t unconfined_t:process sigchld;
#============= unconfined_t ==============
allow unconfined_t t_getpw_t:dir { getattr search };
allow unconfined_t t_getpw_t:file read;
allow unconfined_t t_getpw_t:process { siginh getattr rlimitinh noatsecure };
#curiously, this role statement still shows up with audit2allow:
role unconfined_r types t_getpw_exec_t;
#=========== pam_t and vmware_host_t are probably not related
#=========== but always show up in audit.log
gen_require(`
type pam_t;
type initrc_var_run_t;
type vmware_host_t;
type xdm_xserver_t;
')
#============= pam_t ==============
allow pam_t initrc_var_run_t:file write;
#============= vmware_host_t ==============
allow vmware_host_t t_getpw_t:dir { search getattr };
allow vmware_host_t t_getpw_t:file read;
allow vmware_host_t xdm_xserver_t:process ptrace;
[root at localhost t]# cat t_getpw.fc
/usr/local/bin/t_getpwnam -- gen_context(system_u:object_r:t_getpw_exec_t,s0)
[root at localhost t]#
Loading Policy
+ /usr/sbin/semodule -i t_getpw.pp
+ '[' 0 -ne 0 ']'
+ /sbin/restorecon -F -R -v /usr/local/bin/t_getpwnam
/sbin/restorecon reset /usr/local/bin/t_getpwnam context unconfined_u:object_r:bin_t:s0->system_u:object_r:t_getpw_exec_t:s0
+ setenforce 1
+ setenforce 0
+ semodule -DB
[root at localhost t]# /usr/local/bin/t_getpwnam bginn
Calling getpwnam for user: bginn
USER:bginn UID:500 pwd:x
DONE.
[root at localhost t]# cat /var/log/audit/audit.log
type=AVC msg=audit(1246903716.331:18364): avc: denied { ptrace } for pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1246903716.331:18364): arch=c000003e syscall=89 per=400000 success=yes exit=19 a0=7fff06c1c7b0 a1=7fff06c1b7a0 a2=1000 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid: invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 a0=bfcbd0 a1=c06760 a2=c06cb0 a3=8 items=0 ppid=16180 pid=16315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1246903726.351:18366): avc: denied { search } for pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1246903726.351:18366): avc: denied { read } for pid=1665 comm="vmware-guestd" name="cmdline" dev=proc ino=83608 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1246903726.351:18366): arch=c000003e syscall=2 per=400000 success=yes exit=12 a0=7fff06c0b190 a1=0 a2=13 a3=8101010101010100 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
type=AVC msg=audit(1246903726.352:18367): avc: denied { getattr } for pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1246903726.352:18367): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=7fff06c0b190 a1=7fff06c0b590 a2=7fff06c0b590 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
[root at localhost t]# cat /var/log/audit/audit.log| audit2allow
#============= vmware_host_t ==============
allow vmware_host_t t_getpw_t:dir { search getattr };
allow vmware_host_t t_getpw_t:file read;
allow vmware_host_t xdm_xserver_t:process ptrace;
=========== ROLES ===============
role unconfined_r types t_getpw_exec_t;
[root at localhost t]#
[root at localhost t]# cat t_getpwnam.c
#include <stdlib.h>
#include <pwd.h>
#include <sys/types.h>
#include <stdio.h>
int main( int argc, char** argv )
{
struct passwd *p;
char* user = NULL;
sleep(9);
if( argc != 2 )
{
printf("must have username as argument\n");
exit(1);
}
user = argv[1];
printf("Calling getpwnam for user: %s\n", user);
setpwent();
p = getpwnam( user );
if( p == NULL )
{
printf("User not found (or error).\n");
}else{
printf("USER:%s UID:%d pwd:%s\n", p->pw_name, p->pw_uid, p->pw_passwd );
}
endpwent();
printf("DONE.\n");
return( 0 );
}
[root at localhost t]#
-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov]
Sent: Thursday, July 02, 2009 4:53 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: getpwnam and SELinux
On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> I have an app that I'm trying to confine.
>
>
>
> In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
>
>
>
> Is there SELinux policy to allow this app to get the shadow passwd?
>
> I've tried the following without success:
>
> auth_can_read_shadow_passwords( )
>
> auth_read_shadow( )
>
> auth_tunable_read_shadow( )
>
> auth_use_nsswitch( )
Can you show us the actual denial? Run semodule -DB first if you don't
get any denials, and then run semodule -B afterward. Also, post
your .te file.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list