getpwnam and SELinux

Brian Ginn BGinn at symark.com
Tue Jul 7 01:23:10 UTC 2009


Thanks for the response!

My RHEL 5.3 box doesn't have the -D option for semodule , so I moved to Fedora 9.
I still don't see a relevant AVC message.

My policy, a sample run, and a test program are shown below. 
I get the same results running it unconfined as root.
Note the role statement identified below still shows up with audit2allow, even though it is in the policy


Thanks,
Brian


[root at localhost t]# cat t_getpw.te
policy_module(t_getpw,1.0.0)
 
type t_getpw_t;
type t_getpw_exec_t;
 
gen_require(`
    type unconfined_t;
')
domain_auto_trans(unconfined_t, t_getpw_exec_t, t_getpw_t )
 
auth_can_read_shadow_passwords( t_getpw_t );
auth_read_shadow( t_getpw_t );
auth_tunable_read_shadow( t_getpw_t );
auth_use_nsswitch( t_getpw_t );
auth_domtrans_chk_passwd(t_getpw_t)
 
gen_require(`
    type ld_so_cache_t;
    type ld_so_t;
    type lib_t;
    type root_t;
    type sshd_t;
    type unconfined_devpts_t;
')
 
#============= t_getpw_t ==============
allow t_getpw_t ld_so_cache_t:file { read getattr };
allow t_getpw_t ld_so_t:file read;
allow t_getpw_t lib_t:dir search;
allow t_getpw_t lib_t:file { read getattr execute };
allow t_getpw_t lib_t:lnk_file read;
allow t_getpw_t root_t:dir search;
allow t_getpw_t sshd_t:fd use;
allow t_getpw_t t_getpw_exec_t:file entrypoint;
allow t_getpw_t unconfined_devpts_t:chr_file { read write getattr };
allow t_getpw_t unconfined_t:fd use;
allow t_getpw_t unconfined_t:process sigchld;
 
#============= unconfined_t ==============
allow unconfined_t t_getpw_t:dir { getattr search };
allow unconfined_t t_getpw_t:file read;
allow unconfined_t t_getpw_t:process { siginh getattr rlimitinh noatsecure };

#curiously, this role statement still shows up with audit2allow:
role unconfined_r types t_getpw_exec_t;
 
#=========== pam_t and vmware_host_t are probably not related
#=========== but always show up in audit.log
 
gen_require(`
    type pam_t;
    type initrc_var_run_t;
    type vmware_host_t;
    type xdm_xserver_t;
')
#============= pam_t ==============
allow pam_t initrc_var_run_t:file write;
 
#============= vmware_host_t ==============
allow vmware_host_t t_getpw_t:dir { search getattr };
allow vmware_host_t t_getpw_t:file read;
allow vmware_host_t xdm_xserver_t:process ptrace;
 
 
[root at localhost t]# cat t_getpw.fc
 
/usr/local/bin/t_getpwnam       --      gen_context(system_u:object_r:t_getpw_exec_t,s0)
 
[root at localhost t]#




Loading Policy
+ /usr/sbin/semodule -i t_getpw.pp
+ '[' 0 -ne 0 ']'
+ /sbin/restorecon -F -R -v /usr/local/bin/t_getpwnam
/sbin/restorecon reset /usr/local/bin/t_getpwnam context unconfined_u:object_r:bin_t:s0->system_u:object_r:t_getpw_exec_t:s0
+ setenforce 1
+ setenforce 0
+ semodule -DB
[root at localhost t]# /usr/local/bin/t_getpwnam bginn
Calling getpwnam for user: bginn
USER:bginn  UID:500 pwd:x
DONE.
[root at localhost t]# cat /var/log/audit/audit.log
type=AVC msg=audit(1246903716.331:18364): avc:  denied  { ptrace } for  pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1246903716.331:18364): arch=c000003e syscall=89 per=400000 success=yes exit=19 a0=7fff06c1c7b0 a1=7fff06c1b7a0 a2=1000 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid:  invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 a0=bfcbd0 a1=c06760 a2=c06cb0 a3=8 items=0 ppid=16180 pid=16315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1246903726.351:18366): avc:  denied  { search } for  pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1246903726.351:18366): avc:  denied  { read } for  pid=1665 comm="vmware-guestd" name="cmdline" dev=proc ino=83608 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1246903726.351:18366): arch=c000003e syscall=2 per=400000 success=yes exit=12 a0=7fff06c0b190 a1=0 a2=13 a3=8101010101010100 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
type=AVC msg=audit(1246903726.352:18367): avc:  denied  { getattr } for  pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir 
type=SYSCALL msg=audit(1246903726.352:18367): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=7fff06c0b190 a1=7fff06c0b590 a2=7fff06c0b590 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
[root at localhost t]# cat /var/log/audit/audit.log| audit2allow
 
 
#============= vmware_host_t ==============
allow vmware_host_t t_getpw_t:dir { search getattr };
allow vmware_host_t t_getpw_t:file read;
allow vmware_host_t xdm_xserver_t:process ptrace;
 
=========== ROLES ===============
role unconfined_r types t_getpw_exec_t;
[root at localhost t]#



[root at localhost t]# cat t_getpwnam.c
#include <stdlib.h>
#include <pwd.h>
#include <sys/types.h>
#include <stdio.h>
 
int main( int argc, char** argv )
{
    struct passwd *p;
    char*  user = NULL;
 
sleep(9);
 
    if( argc != 2 )
    {
        printf("must have username as argument\n");
        exit(1);
    }
 
    user = argv[1];
 
    printf("Calling getpwnam for user: %s\n", user);
 
    setpwent();
    p = getpwnam( user );
    if( p == NULL )
    {
        printf("User not found (or error).\n");
    }else{
        printf("USER:%s  UID:%d pwd:%s\n", p->pw_name, p->pw_uid, p->pw_passwd );
    }
    endpwent();
 
    printf("DONE.\n");
    return( 0 );
}
[root at localhost t]#




-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Thursday, July 02, 2009 4:53 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'
Subject: Re: getpwnam and SELinux

On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> I have an app that I'm trying to confine.
> 
>  
> 
> In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
> 
>  
> 
> Is there SELinux policy to allow this app to get the shadow passwd?
> 
> I've tried the following without success:
> 
> auth_can_read_shadow_passwords(  )
> 
> auth_read_shadow(  )
> 
> auth_tunable_read_shadow(  )
> 
> auth_use_nsswitch(  )

Can you show us the actual denial?  Run semodule -DB first if you don't
get any denials, and then run semodule -B afterward.  Also, post
your .te file.

-- 
Stephen Smalley
National Security Agency





More information about the fedora-selinux-list mailing list