getpwnam and SELinux

Brian Ginn BGinn at symark.com
Tue Jul 7 19:04:31 UTC 2009


Thanks for the suggestion.  My program still doesn't work yet, but I notice that /var/log/messages has:

Jul  6 12:43:55 localhost kernel: security:  context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 is invalid

What would make this invalid?


Thanks,
Brian




-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Tuesday, July 07, 2009 4:57 AM
To: Brian Ginn
Cc: 'fedora-selinux-list at redhat.com'; Joshua Brindle
Subject: RE: getpwnam and SELinux

On Mon, 2009-07-06 at 18:23 -0700, Brian Ginn wrote:
> Thanks for the response!
> 
> My RHEL 5.3 box doesn't have the -D option for semodule , so I moved to Fedora 9.
> I still don't see a relevant AVC message.
> 
> My policy, a sample run, and a test program are shown below. 
> I get the same results running it unconfined as root.
> Note the role statement identified below still shows up with audit2allow, even though it is in the policy

Hmmm...bug in the policy compiler, maybe?

I don't see unconfined_r in a require block in your policy module.  Try
adding:
	role unconfined_r;
to the first gen_require() block.

> Thanks,
> Brian
> 
> 
> [root at localhost t]# cat t_getpw.te
> policy_module(t_getpw,1.0.0)
>  
> type t_getpw_t;
> type t_getpw_exec_t;
>  
> gen_require(`
>     type unconfined_t;
> ')
> domain_auto_trans(unconfined_t, t_getpw_exec_t, t_getpw_t )
>  
> auth_can_read_shadow_passwords( t_getpw_t );
> auth_read_shadow( t_getpw_t );
> auth_tunable_read_shadow( t_getpw_t );
> auth_use_nsswitch( t_getpw_t );
> auth_domtrans_chk_passwd(t_getpw_t)
>  
> gen_require(`
>     type ld_so_cache_t;
>     type ld_so_t;
>     type lib_t;
>     type root_t;
>     type sshd_t;
>     type unconfined_devpts_t;
> ')
>  
> #============= t_getpw_t ==============
> allow t_getpw_t ld_so_cache_t:file { read getattr };
> allow t_getpw_t ld_so_t:file read;
> allow t_getpw_t lib_t:dir search;
> allow t_getpw_t lib_t:file { read getattr execute };
> allow t_getpw_t lib_t:lnk_file read;
> allow t_getpw_t root_t:dir search;
> allow t_getpw_t sshd_t:fd use;
> allow t_getpw_t t_getpw_exec_t:file entrypoint;
> allow t_getpw_t unconfined_devpts_t:chr_file { read write getattr };
> allow t_getpw_t unconfined_t:fd use;
> allow t_getpw_t unconfined_t:process sigchld;
>  
> #============= unconfined_t ==============
> allow unconfined_t t_getpw_t:dir { getattr search };
> allow unconfined_t t_getpw_t:file read;
> allow unconfined_t t_getpw_t:process { siginh getattr rlimitinh noatsecure };
> 
> #curiously, this role statement still shows up with audit2allow:
> role unconfined_r types t_getpw_exec_t;
>  
> #=========== pam_t and vmware_host_t are probably not related
> #=========== but always show up in audit.log
>  
> gen_require(`
>     type pam_t;
>     type initrc_var_run_t;
>     type vmware_host_t;
>     type xdm_xserver_t;
> ')
> #============= pam_t ==============
> allow pam_t initrc_var_run_t:file write;
>  
> #============= vmware_host_t ==============
> allow vmware_host_t t_getpw_t:dir { search getattr };
> allow vmware_host_t t_getpw_t:file read;
> allow vmware_host_t xdm_xserver_t:process ptrace;
>  
> 
> [root at localhost t]# cat t_getpw.fc
>  
> /usr/local/bin/t_getpwnam       --      gen_context(system_u:object_r:t_getpw_exec_t,s0)
>  
> [root at localhost t]#
> 
> 
> 
> 
> Loading Policy
> + /usr/sbin/semodule -i t_getpw.pp
> + '[' 0 -ne 0 ']'
> + /sbin/restorecon -F -R -v /usr/local/bin/t_getpwnam
> /sbin/restorecon reset /usr/local/bin/t_getpwnam context unconfined_u:object_r:bin_t:s0->system_u:object_r:t_getpw_exec_t:s0
> + setenforce 1
> + setenforce 0
> + semodule -DB
> [root at localhost t]# /usr/local/bin/t_getpwnam bginn
> Calling getpwnam for user: bginn
> USER:bginn  UID:500 pwd:x
> DONE.
> [root at localhost t]# cat /var/log/audit/audit.log
> type=AVC msg=audit(1246903716.331:18364): avc:  denied  { ptrace } for  pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1246903716.331:18364): arch=c000003e syscall=89 per=400000 success=yes exit=19 a0=7fff06c1c7b0 a1=7fff06c1b7a0 a2=1000 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid:  invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 a0=bfcbd0 a1=c06760 a2=c06cb0 a3=8 items=0 ppid=16180 pid=16315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1246903726.351:18366): avc:  denied  { search } for  pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1246903726.351:18366): avc:  denied  { read } for  pid=1665 comm="vmware-guestd" name="cmdline" dev=proc ino=83608 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1246903726.351:18366): arch=c000003e syscall=2 per=400000 success=yes exit=12 a0=7fff06c0b190 a1=0 a2=13 a3=8101010101010100 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> type=AVC msg=audit(1246903726.352:18367): avc:  denied  { getattr } for  pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir 
> type=SYSCALL msg=audit(1246903726.352:18367): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=7fff06c0b190 a1=7fff06c0b590 a2=7fff06c0b590 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> [root at localhost t]# cat /var/log/audit/audit.log| audit2allow
>  
> 
> #============= vmware_host_t ==============
> allow vmware_host_t t_getpw_t:dir { search getattr };
> allow vmware_host_t t_getpw_t:file read;
> allow vmware_host_t xdm_xserver_t:process ptrace;
>  
> =========== ROLES ===============
> role unconfined_r types t_getpw_exec_t;
> [root at localhost t]#
> 
> 
> 
> [root at localhost t]# cat t_getpwnam.c
> #include <stdlib.h>
> #include <unistd.h>   /* sleep() */
> #include <pwd.h>
> #include <sys/types.h>
> #include <stdio.h>
>  
> int main( int argc, char** argv )
> {
>     struct passwd *p;
>     char*  user = NULL;
>  
>     sleep(9);   /* pause before the lookup */
>  
>     if( argc != 2 )
>     {
>         printf("must have username as argument\n");
>         exit(1);
>     }
>  
>     user = argv[1];
>  
>     printf("Calling getpwnam for user: %s\n", user);
>  
>     setpwent();
>     p = getpwnam( user );
>     if( p == NULL )
>     {
>         printf("User not found (or error).\n");
>     }else{
>         /* pw_uid is uid_t, so cast it for the format specifier */
>         printf("USER:%s  UID:%u pwd:%s\n", p->pw_name, (unsigned) p->pw_uid, p->pw_passwd );
>     }
>     endpwent();
>  
>     printf("DONE.\n");
>     return( 0 );
> }
> [root at localhost t]#
> 
> 
> 
> 
> -----Original Message-----
> From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
> Sent: Thursday, July 02, 2009 4:53 AM
> To: Brian Ginn
> Cc: 'fedora-selinux-list at redhat.com'
> Subject: Re: getpwnam and SELinux
> 
> On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> > I have an app that I'm trying to confine.
> > 
> >  
> > 
> > In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
> > 
> >  
> > 
> > Is there SELinux policy to allow this app to get the shadow passwd?
> > 
> > I've tried the following without success:
> > 
> > auth_can_read_shadow_passwords(  )
> > 
> > auth_read_shadow(  )
> > 
> > auth_tunable_read_shadow(  )
> > 
> > auth_use_nsswitch(  )
> 
> Can you show us the actual denial?  Run semodule -DB first if you don't
> get any denials, and then run semodule -B afterward.  Also, post
> your .te file.
> 
-- 
Stephen Smalley
National Security Agency
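The SELINUX_ERR record in the audit log above is not an AVC denial: security_compute_sid rejected the computed process context unconfined_u:unconfined_r:t_getpw_t because a context is only valid when the policy authorizes the user for the role and the role for the type. The following triage script is an added example (not code from the thread or from either poster): it parses such a record and applies those two checks against constructed stand-in tables modelled on the posted module, which authorizes unconfined_r for t_getpw_exec_t but not for the t_getpw_t domain; MLS range validation is omitted.

```python
"""Triage a SELinux SELINUX_ERR 'invalid context' record.
security_compute_sid logs it (not an AVC) when a computed transition context fails
the validity check: user authorized for role, role for type.  Tables are constructed."""
import re
from typing import Dict, List, NamedTuple, Optional, Set

SID_ERR_RE = re.compile(r"security_compute_sid:\s+invalid context (?P<new>\S+)"
                        r" for scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)")

class Context(NamedTuple):
    user: str
    role: str
    type: str
    range: str  # MLS/MCS part; may itself contain ':' (e.g. s0-s0:c0.c1023)

def parse_context(raw: str) -> Context:
    """Split 'user:role:type[:range]'; everything after the third ':' is the range."""
    parts = raw.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {raw!r}")
    return Context(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else "")

def invalid_context_reasons(ctx: Context, user_roles: Dict[str, Set[str]],
                            role_types: Dict[str, Set[str]]) -> List[str]:
    """The kernel's two authorization checks; object_r is exempt from role/type."""
    reasons = []
    if ctx.role not in user_roles.get(ctx.user, set()):
        reasons.append(f"user {ctx.user} is not authorized for role {ctx.role}")
    if ctx.role != "object_r" and ctx.type not in role_types.get(ctx.role, set()):
        reasons.append(f"role {ctx.role} types {ctx.type};")  # the missing statement
    return reasons

def triage(line: str, user_roles, role_types) -> Optional[dict]:
    """Parsed contexts plus missing authorizations; None for any other record."""
    m = SID_ERR_RE.search(line)
    if not m:
        return None
    computed = parse_context(m["new"])
    return {"computed": computed, "source": parse_context(m["src"]),
            "target": parse_context(m["tgt"]), "tclass": m["cls"],
            "missing": invalid_context_reasons(computed, user_roles, role_types)}

# Constructed stand-in for the loaded policy: the module in the thread authorizes
# unconfined_r for t_getpw_exec_t (the file type) but not t_getpw_t (the domain).
USER_ROLES = {"unconfined_u": {"unconfined_r"}}
ROLE_TYPES = {"unconfined_r": {"unconfined_t", "t_getpw_exec_t"}}
AUDIT_LINE = (  # the SELINUX_ERR record quoted in the thread
    "type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid:  invalid context "
    "unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:"
    "unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process")
```

Running `triage(AUDIT_LINE, USER_ROLES, ROLE_TYPES)` reports the computed, source and target contexts and lists `role unconfined_r types t_getpw_t;` as the missing authorization; AVC records return None, which is why this class of failure needs a separate look from the usual audit2allow workflow.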