authlogin: add new type for pwd.lock and others
This is in response to systemd needing to write to .pwd.lock in support of dynamic users, which is currently labeled shadow_t despite systemd seemingly not making any actual modifications to /etc/passwd or /etc/shadow. Instead of granting potentially overly permissive access, this commit assigns a new type to these lock files. Signed-off-by: Kenton Groombridge <me@concord.sh>
This commit is contained in:
parent
8eff2c5998
commit
26e9ec7c43
@ -1,7 +1,7 @@
|
||||
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/group\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/\.pwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
|
||||
/etc/group\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
|
||||
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_lock_t,s0)
|
||||
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
|
||||
/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
|
||||
|
@ -679,6 +679,7 @@ interface(`auth_rw_shadow',`
|
||||
')
|
||||
|
||||
files_list_etc($1)
|
||||
auth_rw_shadow_lock($1)
|
||||
allow $1 shadow_t:file rw_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
')
|
||||
@ -700,6 +701,7 @@ interface(`auth_manage_shadow',`
|
||||
type shadow_t;
|
||||
')
|
||||
|
||||
auth_rw_shadow_lock($1)
|
||||
allow $1 shadow_t:file manage_file_perms;
|
||||
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
|
||||
')
|
||||
@ -771,6 +773,24 @@ interface(`auth_relabel_shadow',`
|
||||
typeattribute $1 can_relabelto_shadow_passwords;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read/Write shadow lock files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_rw_shadow_lock',`
|
||||
gen_require(`
|
||||
type shadow_lock_t;
|
||||
')
|
||||
|
||||
rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Append to the login failure log.
|
||||
|
@ -65,6 +65,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
|
||||
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
|
||||
|
||||
type shadow_lock_t;
|
||||
files_lock_file(shadow_lock_t)
|
||||
|
||||
type updpwd_t;
|
||||
type updpwd_exec_t;
|
||||
domain_type(updpwd_t)
|
||||
|
Loading…
Reference in New Issue
Block a user