locallogin: fix the sulogin submodule (emergency shell!)

This patch fixes the policy for sulogin. It is very important
because without this patch, sulogin cannot work properly and
it should be considered that it is used as an emergency shell
when there are serious consistency errors in the system, so it
constitutes the only way to recover the system in such
circumstances.

Nowadays, sulogin never uses PAM (at least not the official one
from util-linux), so obsolete, confusing and buggy policy has
been removed.

Extensive testing carried out while creating this patch indicates
that there aren't other permissions needed to successfully run
sulogin.

This second version should apply cleanly to the latest git tree.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
This commit is contained in:
Guido Trentalancia 2017-04-26 00:50:02 +02:00 committed by Chris PeBenito
parent f93522e171
commit 02b4ee1f81
1 changed files with 13 additions and 9 deletions

View File

@ -215,7 +215,8 @@ optional_policy(`
# Sulogin local policy
#
allow sulogin_t self:capability dac_override;
allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
allow sulogin_t self:process setexec;
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
@ -228,6 +229,9 @@ allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
kernel_read_system_state(sulogin_t)
kernel_read_crypto_sysctls(sulogin_t)
kernel_stream_connect(sulogin_t)
kernel_use_fds(sulogin_t)
# because file systems are not mounted:
kernel_dontaudit_search_unlabeled(sulogin_t)
@ -238,10 +242,13 @@ files_read_etc_files(sulogin_t)
auth_read_shadow(sulogin_t)
init_getpgid(sulogin_t)
init_getpgid_script(sulogin_t)
logging_send_syslog_msg(sulogin_t)
miscfiles_read_localization(sulogin_t)
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
@ -252,15 +259,12 @@ userdom_use_user_ptys(sulogin_t)
sysadm_shell_domtrans(sulogin_t)
# suse and debian do not use pam with sulogin...
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
term_use_console(sulogin_t)
term_use_unallocated_ttys(sulogin_t)
ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
# by default, sulogin does not use pam...
# sulogin_pam might need to be defined otherwise
ifdef(`sulogin_pam', `
selinux_get_fs_mount(sulogin_t)
selinux_validate_context(sulogin_t)
selinux_compute_access_vector(sulogin_t)