From 26e9ec7c43279d759d38df1a2d336ad6fd748129 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Fri, 9 Apr 2021 09:00:55 -0400
Subject: [PATCH] authlogin: add new type for pwd.lock and others

This is in response to systemd needing to write to .pwd.lock in support of dynamic users, which is currently labeled shadow_t despite systemd seemingly not making any actual modifications to /etc/passwd or /etc/shadow. Instead of granting potentially overly permissive access, this commit assigns a new type to these lock files.

Signed-off-by: Kenton Groombridge
---
 policy/modules/system/authlogin.fc | 6 +++---
 policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
 policy/modules/system/authlogin.te | 3 +++
 3 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 7fd315706..95482bfcf 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,7 +1,7 @@
-/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/group\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
+/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
 /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
 /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
 /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 973195bd3..ce3ffc44a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -679,6 +679,7 @@ interface(`auth_rw_shadow',`
 ')
 files_list_etc($1)
+ auth_rw_shadow_lock($1)
 allow $1 shadow_t:file rw_file_perms;
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
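Review bot: The catch-all entries `/etc/shadow.*` and `/etc/gshadow.*` are left as shadow_t, so if the tooling that creates passwd.lock and group.lock also creates shadow.lock or gshadow.lock next to the files it edits, those lock files keep shadow_t and the lock/data split introduced here is only half applied. Adding explicit literal entries such as `/etc/gshadow\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)` and `/etc/shadow\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)` would make the labeling consistent, since literal specifications take precedence over the wildcard patterns. Separately, moving `/etc/passwd\.lock` above `/etc/gshadow.*` breaks the alphabetical order the rest of the file keeps; relabeling it in place would be enough.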
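Review bot: The new `auth_rw_shadow_lock($1)` call is inserted after `files_list_etc($1)` here but directly after the gen_require block in `auth_manage_shadow` in the next hunk; placing it at the same position in both interfaces makes the two easier to compare and review. The summary for `auth_rw_shadow` (above the hunk, outside the view) presumably still describes only shadow_t; a one-line addition such as `##	Also grants read/write access to the shadow lock files.` would keep the generated interface docs accurate. The body of auth_rw_shadow begins outside the hunk.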
@@ -700,6 +701,7 @@ interface(`auth_manage_shadow',`
 type shadow_t;
 ')
+ auth_rw_shadow_lock($1)
 allow $1 shadow_t:file manage_file_perms;
 typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
@@ -771,6 +773,24 @@ interface(`auth_relabel_shadow',`
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
+########################################
+##
+## Read/Write shadow lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`auth_rw_shadow_lock',`
+ gen_require(`
+ type shadow_lock_t;
+ ')
+ rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+')
+
 #######################################
 ##
 ## Append to the login failure log.
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 31f5503ec..2a3a29401 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -65,6 +65,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
+type shadow_lock_t;
+files_lock_file(shadow_lock_t)
+
 type updpwd_t;
 type updpwd_exec_t;
 domain_type(updpwd_t)
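Review bot: Callers of `auth_manage_shadow` previously held manage_file_perms on the lock files while they were labeled shadow_t, but after this hunk they get only rw_file_perms on shadow_lock_t through `auth_rw_shadow_lock($1)`, so a domain that creates `.pwd.lock` on first use, or creates and unlinks `passwd.lock`/`group.lock` around an edit, would now be denied where it was allowed before. The new interface in the third hunk only offers `rw_files_pattern`, so there is currently no way to grant that without falling back to raw allow rules; a manage variant alongside it, called from here, closes the gap, and a name transition for the lock files created in /etc (for example via `files_etc_filetrans`, if this policy provides it) would keep a freshly created lock from inheriting the directory's default type. The `auth_relabel_shadow` interface shown as context of the third hunk is also untouched, so any domain that relied on it to relabel the lock files loses that when they become shadow_lock_t; whether that matters depends on callers outside this patch. The gen_require block of auth_manage_shadow starts outside the hunk.
```selinux
# … unchanged: auth_manage_shadow gen_require block …
	auth_manage_shadow_lock($1)
	allow $1 shadow_t:file manage_file_perms;
# … unchanged: typeattribute line and auth_rw_shadow_lock interface …

########################################
## <summary>
##	Create, read, write, and delete shadow lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_shadow_lock',`
	gen_require(`
		type shadow_lock_t;
	')

	manage_files_pattern($1, shadow_lock_t, shadow_lock_t)
')
```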
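Review bot: `shadow_lock_t` is declared with `files_lock_file()` alone, which places it under the generic lock-file attribute (assuming that is what the interface assigns) and outside the three `neverallow` rules visible just above it, so any domain granted access to all lock files by attribute can now open, hold or remove `/etc/.pwd.lock` and stall the password and group updates that serialize on it, where before the shadow_t neverallows would have rejected such a grant at policy build time. That trade-off appears to be intended given the commit message, but the declaration should say so; a comment such as `# Lock files taken around passwd/group/shadow edits. Deliberately not shadow_t so lock` `# holders (e.g. systemd dynamic users) need no shadow_t write access; note this also` `# places them outside the shadow neverallows above.` would stop a later reader from folding the type back into shadow_t or widening it further. If a tighter scope is wanted, declaring it with `files_type()` instead of `files_lock_file()` and granting access only through the new auth interfaces would keep attribute-wide lock grants from reaching it.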