From 13a32a4616a37417815be678262caa404e465688 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 20 Apr 2021 10:22:46 -0400
Subject: [PATCH 1/3] authlogin: Add tunable for allowing shadow access on non-PAM systems.
Fixes #342
Signed-off-by: Chris PeBenito
---
 policy/modules/system/authlogin.if | 32 +++++++----------------
 policy/modules/system/authlogin.te | 42 ++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 23 deletions(-)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index ce3ffc44a..cc2d7bc90 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -41,42 +41,28 @@ interface(`auth_role',`
 ##
 #
 interface(`auth_use_pam',`
+ gen_require(`
+ attribute can_read_shadow_passwords, nsswitch_domain, pam_domain;
+ ')
- # for SSP/ProPolice
- dev_read_urand($1)
- # for encrypted homedir
- dev_read_sysfs($1)
+ typeattribute $1 can_read_shadow_passwords, nsswitch_domain, pam_domain;
+
+ #
+ # due to the nested typeattributes:
+ #
- auth_create_faillog_files($1)
 auth_domtrans_chk_passwd($1)
- auth_domtrans_upd_passwd($1)
- auth_dontaudit_read_shadow($1)
- auth_rw_lastlog($1)
- auth_rw_faillog($1)
- auth_rw_login_records($1)
- auth_setattr_faillog_files($1)
- auth_exec_pam($1)
- auth_use_nsswitch($1)
-
- logging_send_audit_msgs($1)
- logging_send_syslog_msg($1)
 optional_policy(`
 dbus_system_bus_client($1)
- optional_policy(`
- fprintd_dbus_chat($1)
- ')
+ fprintd_dbus_chat($1)
 ')
 optional_policy(`
 kerberos_manage_host_rcache($1)
 kerberos_read_config($1)
 ')
-
- optional_policy(`
- nis_authenticate($1)
- ')
 ')
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 60e78387e..e5730d536 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,12 @@ policy_module(authlogin, 2.18.2)
 # Declarations
 #
+##
+##
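Review bot: `typeattribute $1 can_read_shadow_passwords, nsswitch_domain, pam_domain;` puts every auth_use_pam() caller into can_read_shadow_passwords unconditionally, while the matching `allow pam_domain shadow_t:file read_file_perms;` in authlogin.te applies only when authlogin_pam is off; presumably the attribute is needed so that conditional allow gets past the shadow_t neverallow at build time, but nothing in the interface says so. A comment above the line, e.g. `# can_read_shadow_passwords exempts the domain from the shadow_t neverallow; needed for the authlogin_pam=false branch in authlogin.te`, would keep a later cleanup from dropping it as redundant. The `# due to the nested typeattributes:` block ends on a colon with nothing after it; spelling out that auth_domtrans_chk_passwd($1) stays here because its own typeattribute calls cannot be expressed through pam_domain would finish the thought. Dropping auth_dontaudit_read_shadow($1) from the interface is fine only because the tunable_policy in authlogin.te re-adds that dontaudit for pam_domain, and that dependency is worth naming in the same comment.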

+## Allow PAM usage. If disabled, /etc/shadow is provided on systems that do not support PAM. +##

+##
+gen_tunable(authlogin_pam, true) ## ##

@@ -17,6 +23,7 @@ attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
 attribute nsswitch_domain;
+attribute pam_domain;
 type auth_cache_t;
 logging_log_file(auth_cache_t)
@@ -215,6 +222,41 @@ optional_policy(`
 locallogin_use_fds(pam_t)
 ')
+########################################
+#
+# PAM users local policy
+#
+
+# other access in auth_use_pam() due to nested typeattributes
+
+# for SSP/ProPolice
+dev_read_urand(pam_domain)
+# for encrypted homedir
+dev_read_sysfs(pam_domain)
+
+auth_create_faillog_files(pam_domain)
+auth_domtrans_upd_passwd(pam_domain)
+auth_rw_lastlog(pam_domain)
+auth_rw_faillog(pam_domain)
+auth_rw_login_records(pam_domain)
+auth_setattr_faillog_files(pam_domain)
+auth_exec_pam(pam_domain)
+
+files_read_etc_files(pam_domain)
+
+logging_send_audit_msgs(pam_domain)
+logging_send_syslog_msg(pam_domain)
+
+tunable_policy(`authlogin_pam',`
+ dontaudit pam_domain shadow_t:file read_file_perms;
+',`
+ allow pam_domain shadow_t:file read_file_perms;
+')
+
+optional_policy(`
+ nis_authenticate(pam_domain)
+')
+
 ########################################
 #
 # PAM console local policy
From 3945473b5e80ca9572bb3dcb8286b22fa7e5587f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 20 Apr 2021 10:34:09 -0400
Subject: [PATCH 2/3] authlogin: Remove redundant rule in auth_domtrans_chk_passwd().
This is provided by the auth_use_nsswitch() call.
Signed-off-by: Chris PeBenito
---
 policy/modules/system/authlogin.if | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index cc2d7bc90..d6a3d706f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -405,10 +405,6 @@ interface(`auth_domtrans_chk_passwd',`
 pcscd_read_runtime_files($1)
 pcscd_stream_connect($1)
 ')
-
- optional_policy(`
- samba_stream_connect_winbind($1)
- ')
 ')
 ########################################
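Review bot: `files_read_etc_files(pam_domain)` is access that auth_use_pam() did not grant before (none of the lines removed from the interface in this series provide it) and the commit message does not mention it, so a one-line why-comment above it, or a sentence in the message, would make the widening deliberate rather than incidental. The `authlogin_pam` off-branch `allow pam_domain shadow_t:file read_file_perms;` reaches every domain that calls auth_use_pam(), not only the ones that perform local password checks; that is what the tunable is for, but it is the kind of blanket grant worth spelling out next to the rule, e.g. `# authlogin_pam=false: PAM callers read shadow directly instead of via chkpwd`. The `attribute pam_domain;` added in the @@ -17 hunk above carries no description; `# domains that use PAM (see auth_use_pam())` would match the comment style of the local policy sections.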
From 163c153c331bb2d3ab1b794d1d466724d057b3f1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 20 Apr 2021 10:35:22 -0400
Subject: [PATCH 3/3] authlogin: Deprecate auth_domtrans_chk_passwd().
This is a duplicate interface.
Signed-off-by: Chris PeBenito
---
 policy/modules/services/hadoop.if | 2 ++
 policy/modules/services/hadoop.te | 2 --
 policy/modules/services/pwauth.te | 3 ++-
 policy/modules/system/authlogin.if | 8 ++------
 policy/modules/system/authlogin.te | 2 +-
 5 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index c00dd05f9..32713a77f 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -68,6 +68,8 @@ template(`hadoop_domain_template',`
 filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
 auth_use_nsswitch(hadoop_$1_t)
+ auth_domtrans_chk_passwd(hadoop_$1_t)
+ auth_domtrans_upd_passwd(hadoop_$1_t)
 ####################################
 #
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 6d188933a..186e8b52c 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -216,8 +216,6 @@ dev_read_sysfs(hadoop_domain)
 files_search_runtime(hadoop_domain)
 files_search_var_lib(hadoop_domain)
-auth_domtrans_chkpwd(hadoop_domain)
-
 init_read_utmp(hadoop_domain)
 init_use_fds(hadoop_domain)
 init_use_script_fds(hadoop_domain)
diff --git a/policy/modules/services/pwauth.te b/policy/modules/services/pwauth.te
index e7a40019e..26cb28965 100644
--- a/policy/modules/services/pwauth.te
+++ b/policy/modules/services/pwauth.te
@@ -31,7 +31,8 @@ files_runtime_filetrans(pwauth_t, pwauth_runtime_t, file)
 domain_use_interactive_fds(pwauth_t)
-auth_domtrans_chkpwd(pwauth_t)
+auth_domtrans_chk_passwd(pwauth_t)
+auth_domtrans_upd_passwd(pwauth_t)
 auth_use_nsswitch(pwauth_t)
 init_read_utmp(pwauth_t)
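Review bot: Moving the chkpwd transition from `auth_domtrans_chkpwd(hadoop_domain)` in hadoop.te into hadoop_domain_template() narrows its scope from the hadoop_domain attribute to the per-service hadoop_$1_t types; if any hadoop_domain member is declared outside the template (this view does not show the attribute's members), that type silently loses the ability to run chkpwd and the loss will only surface as a denial at authentication time. Worth confirming in hadoop.te that every hadoop_domain type comes from the template, or keeping the rules on the attribute as `auth_domtrans_chk_passwd(hadoop_domain)` and `auth_domtrans_upd_passwd(hadoop_domain)` instead. The pwauth.te hunk below makes the same one-to-two replacement on a single type and does not have this concern. hadoop_domain_template() continues outside the hunk.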
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index d6a3d706f..e0289265f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -419,13 +419,9 @@ interface(`auth_domtrans_chk_passwd',`
 ##
 #
 interface(`auth_domtrans_chkpwd',`
- gen_require(`
- type chkpwd_t, chkpwd_exec_t, shadow_t;
- ')
+ refpolicywarn(`$0($*) has been deprecated, please use auth_domtrans_chk_passwd($1); auth_domtrans_upd_passwd($1) instead.')
- corecmd_search_bin($1)
- domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
- dontaudit $1 shadow_t:file { getattr read };
+ auth_domtrans_chk_passwd($1)
 auth_domtrans_upd_passwd($1)
 ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index e5730d536..754c9e1c8 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -7,7 +7,7 @@ policy_module(authlogin, 2.18.2)
 ## ##
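Review bot: The removed `dontaudit $1 shadow_t:file { getattr read };` is not visibly carried by the replacement `auth_domtrans_chk_passwd($1)`; if that interface does not include an equivalent dontaudit (its body is outside this hunk), every remaining caller of the deprecated interface starts producing shadow_t getattr/read AVC denials in the audit log, which reads as a regression to anyone monitoring those events, so it is worth checking before merging. The commit subject says it deprecates auth_domtrans_chk_passwd() while the hunk deprecates auth_domtrans_chkpwd(), and the refpolicywarn text steers callers to auth_domtrans_chk_passwd(); the subject should name the interface actually being deprecated. The doc-comment header of auth_domtrans_chkpwd() just above the hunk presumably still describes it as a live interface; adding a deprecation sentence to its summary, matching the warning, would let readers of the generated interface docs see it too.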

-## Allow PAM usage. If disabled, /etc/shadow is provided on systems that do not support PAM. +## Allow PAM usage. If disabled, read access /etc/shadow is allowed for domains that normally use PAM. ##

##
gen_tunable(authlogin_pam, true)