authlogin: add new type for pwd.lock and others

This is in response to systemd needing to write to .pwd.lock in support of dynamic users, which is currently labeled shadow_t despite systemd seemingly not making any actual modifications to /etc/passwd or /etc/shadow. Instead of granting potentially overly permissive access, this commit assigns a new type to these lock files. Signed-off-by: Kenton Groombridge <me@concord.sh>
2021-04-09 09:00:55 -04:00 · 2021-04-09 09:00:55 -04:00 · 26e9ec7c43
parent 8eff2c5998
commit 26e9ec7c43
3 changed files with 26 additions and 3 deletions
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@ -1,7 +1,7 @@
-/etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/group\.lock	--	gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_lock_t,s0)
 /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)

 /usr/bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@ -679,6 +679,7 @@ interface(`auth_rw_shadow',`
 	')

 	files_list_etc($1)
+	auth_rw_shadow_lock($1)
 	allow $1 shadow_t:file rw_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@ -700,6 +701,7 @@ interface(`auth_manage_shadow',`
 		type shadow_t;
 	')

+	auth_rw_shadow_lock($1)
 	allow $1 shadow_t:file manage_file_perms;
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@ -771,6 +773,24 @@ interface(`auth_relabel_shadow',`
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')

+########################################
+## <summary>
+##	Read/Write shadow lock files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_rw_shadow_lock',`
+	gen_require(`
+		type shadow_lock_t;
+	')
+
+	rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+')
+
 #######################################
 ## <summary>
 ##	Append to the login failure log.
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@ -65,6 +65,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

+type shadow_lock_t;
+files_lock_file(shadow_lock_t)
+
 type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)