FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 10-17-2011, 08:55 PM
"David A. Cafaro"
 
Default Allowing not sysadm_t access to change root password

Hello All,

I've been beating my head into a wall on this issue and was hoping
someone else might have a clue.

I have a new domain call it "mytool_t" that needs to be able to change
the roots password. Problem is I just can't seem to find the right
rules/macros for the job.

The source context will be root:system_r:mytoolt_t

It will be running the passwd command and transitioning to
root:system_rasswd_t. That is if I can get it past the only root user
is allowed to change root's password. Here's the command line error:

passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to
change the password of root.

UID, gid, groups, etc in the DAC side of things are 0.

Permissive mode reports no selinux errors and the password change works
(I'm assuming that passwd is detecting permissive mode).

But enforcing stops it cold.

Here's some example of the relevant policy I've used to try and get this
to work:

# For access to passwd program
type_transition mytool_t passwd_exec_trocess passwd_t;
domain_auto_trans(mytool_t,passwd_exec_t,passwd_t) ;
usermanage_run_admin_passwd(mytool_t,system_r)
allow mytool_t passwd_exec_t:file { read getattr open execute };


Any thanks is appreciated.
David
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 10-17-2011, 09:03 PM
Stephen Smalley
 
Default Allowing not sysadm_t access to change root password

On Mon, 2011-10-17 at 16:55 -0400, David A. Cafaro wrote:
> Hello All,
>
> I've been beating my head into a wall on this issue and was hoping
> someone else might have a clue.
>
> I have a new domain call it "mytool_t" that needs to be able to change
> the roots password. Problem is I just can't seem to find the right
> rules/macros for the job.
>
> The source context will be root:system_r:mytoolt_t
>
> It will be running the passwd command and transitioning to
> root:system_rasswd_t. That is if I can get it past the only root user
> is allowed to change root's password. Here's the command line error:
>
> passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to
> change the password of root.
>
> UID, gid, groups, etc in the DAC side of things are 0.
>
> Permissive mode reports no selinux errors and the password change works
> (I'm assuming that passwd is detecting permissive mode).
>
> But enforcing stops it cold.
>
> Here's some example of the relevant policy I've used to try and get this
> to work:
>
> # For access to passwd program
> type_transition mytool_t passwd_exec_trocess passwd_t;
> domain_auto_trans(mytool_t,passwd_exec_t,passwd_t) ;
> usermanage_run_admin_passwd(mytool_t,system_r)
> allow mytool_t passwd_exec_t:file { read getattr open execute };

You want:
allow mytool_t selfasswd passwd;

passwd applies SELinux permission checks of its own.

Lack of AVC messages on such denials has been noted previously, but not
fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=518268

--
Stephen Smalley
National Security Agency

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 10-17-2011, 09:16 PM
Robin Lee Powell
 
Default Allowing not sysadm_t access to change root password

On Mon, Oct 17, 2011 at 04:55:50PM -0400, David A. Cafaro wrote:
>
> Permissive mode reports no selinux errors and the password change
> works (I'm assuming that passwd is detecting permissive mode).

Make sure you have "semanage dontaudit off".

Also look for things besides AVCs; if you're grepping the audit log,
include SELINUX in what you check for.

-Robin

--
http://singinst.org/ : Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 10-18-2011, 12:23 AM
"David A. Cafaro"
 
Default Allowing not sysadm_t access to change root password

On Oct 17, 2011, at 5:03 PM, Stephen Smalley wrote:
> On Mon, 2011-10-17 at 16:55 -0400, David A. Cafaro wrote:
>
> You want:
> allow mytool_t selfasswd passwd;

AHHH!! Thanks, not sure I would have found that. Google and grep of the source tree were failing me.

>
> passwd applies SELinux permission checks of its own.

I had actually started looking at passwd and how they did an avc compute to check for correct context/perms, I was just having a miserable time trying to figure out "what" it was looking for. Thanks.

>
> Lack of AVC messages on such denials has been noted previously, but not
> fixed:
> https://bugzilla.redhat.com/show_bug.cgi?id=518268
>
> --
> Stephen Smalley
> National Security Agency
>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 10-18-2011, 12:26 AM
"David A. Cafaro"
 
Default Allowing not sysadm_t access to change root password

On Oct 17, 2011, at 5:16 PM, Robin Lee Powell wrote:
> On Mon, Oct 17, 2011 at 04:55:50PM -0400, David A. Cafaro wrote:
>>
>> Permissive mode reports no selinux errors and the password change
>> works (I'm assuming that passwd is detecting permissive mode).
>
> Make sure you have "semanage dontaudit off".

Yeah, was trying semanage -DB, but I didn't catch the passwd perms in it, may have gotten lost in the storm.

>
> Also look for things besides AVCs; if you're grepping the audit log,
> include SELINUX in what you check for.

Thanks, I usually give both a check for "AVC" and "invalid" to try and find items. I'll also give audit2allow/why a chance to gather up what's been going on as well.

Cheers,
David


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 04:18 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org