1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
From b8b80a2a07c451a1c9dfc166efcd7985f7a0a966 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Fri, 8 Dec 2023 14:16:26 +0800
Subject: [PATCH] policy/modules/system/authlogin: fix login errors after
enabling systemd DynamicUser
Allow domains using PAM to read /etc/shadow to fix login errors after
enabling systemd DynamicUser.
Fixes:
avc: denied { read } for pid=434 comm="login" name="shadow"
dev="sda2" ino=26314
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { open } for pid=434 comm="login" path="/etc/shadow"
dev="sda2" ino=26314
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=434 comm="login" path="/etc/shadow"
dev="sda2" ino=26314
scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { read } for pid=457 comm="sshd" name="shadow" dev="sda2"
ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { open } for pid=457 comm="sshd" path="/etc/shadow"
dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=457 comm="sshd" path="/etc/shadow"
dev="sda2" ino=26314 scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/admin/su.if | 4 ++--
policy/modules/system/authlogin.te | 2 +-
policy/modules/system/selinuxutil.te | 2 ++
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index dce1a0ea9..c55cdfc09 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -76,7 +76,7 @@ template(`su_restricted_domain_template', `
selinux_compute_access_vector($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
- auth_dontaudit_read_shadow($1_su_t)
+ auth_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_create_faillog_files($1_su_t)
auth_rw_faillog($1_su_t)
@@ -183,7 +183,7 @@ template(`su_role_template',`
selinux_use_status_page($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
- auth_dontaudit_read_shadow($1_su_t)
+ auth_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_create_faillog_files($1_su_t)
auth_rw_faillog($1_su_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 3a5d1ac3e..f9d50a8d4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -10,7 +10,7 @@ policy_module(authlogin)
## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM.
## </p>
## </desc>
-gen_tunable(authlogin_pam, true)
+gen_tunable(authlogin_pam, false)
## <desc>
## <p>
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f9b735081..6ec5e2cd4 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -246,6 +246,7 @@ allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_re
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
+kernel_getattr_proc(newrole_t)
kernel_read_system_state(newrole_t)
kernel_read_kernel_sysctls(newrole_t)
@@ -288,6 +289,7 @@ auth_use_nsswitch(newrole_t)
auth_run_chk_passwd(newrole_t, newrole_roles)
auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t)
+auth_read_shadow(newrole_t)
# Write to utmp.
init_rw_utmp(newrole_t)
--
2.25.1
|