author | Yi Zhao <yi.zhao@windriver.com> | 2023-12-08 16:43:33 +0800 |
---|---|---|
committer | Joe MacDonald <joe@deserted.net> | 2023-12-14 10:23:31 -0500 |
commit | 3fb33245400d87e99f45b1c5ccd8daec924291a3 (patch) | |
tree | dd652fb5d100cd82a55f57741f181b913327711a | |
parent | fd039518bde2bcb810b9bdd656901f49d84cde1f (diff) | |
download | meta-selinux-3fb33245400d87e99f45b1c5ccd8daec924291a3.tar.gz |
refpolicy: fix login errors after enabling systemd DynamicUser
After oe-core commit ba3a78c0[1], domains using PAM need to read
/etc/shadow.
[1] https://git.openembedded.org/openembedded-core/commit/?id=ba3a78c08cb0ce08afde049610d3172b9e3b0695
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0055-policy-modules-system-authlogin-fix-login-errors-aft.patch | 104 | ||||
-rw-r--r-- | recipes-security/refpolicy/refpolicy_common.inc | 1 |
2 files changed, 105 insertions, 0 deletions
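--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-authlogin-fix-login-errors-aft.patch
@@ -0,0 +1,104 @@
+From 2824a6c927bf6df4be997a138a27d159d533d08b Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Fri, 8 Dec 2023 14:16:26 +0800
+Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
+enabling systemd DynamicUser
+
+Allow domains using PAM to read /etc/shadow to fix login errors after
+enabling systemd DynamicUser.
+
+Fixes:
+avc: denied { read } for pid=434 comm="login" name="shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
+dev="sda2" ino=26314
+scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
+ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
+dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
+dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/admin/su.if | 4 ++--
+policy/modules/system/authlogin.te | 2 +-
+policy/modules/system/selinuxutil.te | 2 ++
+3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
+index cd34cd9dd..b867f58b9 100644
+--- a/policy/modules/admin/su.if
++++ b/policy/modules/admin/su.if
+@@ -75,7 +75,7 @@ template(`su_restricted_domain_template', `
+selinux_compute_access_vector($1_su_t)
+
+auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
++ auth_read_shadow($1_su_t)
+auth_use_nsswitch($1_su_t)
+auth_rw_faillog($1_su_t)
+
+@@ -176,7 +176,7 @@ template(`su_role_template',`
+selinux_use_status_page($1_su_t)
+
+auth_domtrans_chk_passwd($1_su_t)
+- auth_dontaudit_read_shadow($1_su_t)
++ auth_read_shadow($1_su_t)
+auth_use_nsswitch($1_su_t)
+auth_rw_faillog($1_su_t)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 3a5d1ac3e..f9d50a8d4 100644
+--- a/policy/modules/system/authlogin.te
++++ b/policy/modules/system/authlogin.te
+@@ -10,7 +10,7 @@ policy_module(authlogin)
+## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
+## </p>
+## </desc>
+-gen_tunable(authlogin_pam, true)
++gen_tunable(authlogin_pam, false)
+
+## <desc>
+## <p>
+diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
+index f9b735081..6ec5e2cd4 100644
+--- a/policy/modules/system/selinuxutil.te
++++ b/policy/modules/system/selinuxutil.te
+@@ -246,6 +246,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
+read_files_pattern(newrole_t, default_context_t, default_context_t)
+read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+
++kernel_getattr_proc(newrole_t)
+kernel_read_system_state(newrole_t)
+kernel_read_kernel_sysctls(newrole_t)
+
+@@ -288,6 +289,7 @@ auth_use_nsswitch(newrole_t)
+auth_run_chk_passwd(newrole_t, newrole_roles)
+auth_run_upd_passwd(newrole_t, newrole_roles)
+auth_rw_faillog(newrole_t)
++auth_read_shadow(newrole_t)
+
+# Write to utmp.
+init_rw_utmp(newrole_t)
+--
+2.25.1
+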
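Review bot: Flipping `gen_tunable(authlogin_pam, false)` (patch line 78) grants /etc/shadow read access to every domain that normally uses PAM, as the tunable's own description on line 74 states, although the quoted denials only involve local_login_t and sshd_t; together with `auth_read_shadow($1_su_t)` replacing the dontaudit on lines 56/65 and the new `auth_read_shadow(newrole_t)` on line 98, this lets a compromised network-facing sshd_t or any su/newrole domain read password hashes directly, bypassing the separation that the chk_passwd helper domain (still entered via `auth_domtrans_chk_passwd` on lines 54/63) exists to provide. A narrower fix would keep the tunable default and add `auth_read_shadow()` only to the domains the denials actually show, or, if the tunable must default off for DynamicUser images, presumably flip the boolean in image or distro configuration rather than in a carried refpolicy patch; `Upstream-Status: Inappropriate [embedded specific]` is hard to justify when the upstream tunable exists for exactly this case. Separately, `kernel_getattr_proc(newrole_t)` on line 90 is neither mentioned in the commit message nor backed by a quoted denial and should be justified there or split into its own patch. The refpolicy module bodies these hunks modify begin and end outside the patch.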
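--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -70,6 +70,7 @@ SRC_URI += " \
 file://0052-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
 file://0053-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
 file://0054-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+file://0055-policy-modules-system-authlogin-fix-login-errors-aft.patch \
 "
 
 S = "${WORKDIR}/refpolicy"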