From 7d4aa7427cf8f95715e36c2b26a9c812810d2fb2 Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Sun, 18 May 2025 10:12:26 -0600
Subject: [PATCH 1/2] Tighten auth_rw_shadow_lock permission
There are no directories labeled shadow_lock_t, and therefore is no reason to grant dir:search on shadow_lock_t.
Signed-off-by: Antonio Enrico Russo
---
 policy/modules/system/authlogin.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7ab456621d..0ca2ed56fb 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -862,7 +862,7 @@ interface(`auth_rw_shadow_lock',`
 type shadow_lock_t;
 ')
- rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+ allow $1 shadow_lock_t:file rw_file_perms;
 ')
 ########################################
From 5ad8ee0fc055ef52d4e4913c31e6ebbd40cbea3c Mon Sep 17 00:00:00 2001
From: Antonio Enrico Russo
Date: Sun, 18 May 2025 10:49:32 -0600
Subject: [PATCH 2/2] Rework shadow transitions and access
shadow access is tightly controlled, with separate types for the shadow files and the locks. This patch distinguishes the two by enumerating the backup filenames and lock file names in their associated file transition rules. Prior to this, the overbroad file transition rules would cause various shadow-manipulating tools to create lock files with the incorrect shadow_t label.
Signed-off-by: Antonio Enrico Russo
---
 policy/modules/admin/usermanage.te | 8 ++++----
 policy/modules/services/nis.te | 2 +-
 policy/modules/system/authlogin.if | 26 ++++++++++++++++++++++++++
 policy/modules/system/authlogin.te | 1 +
 policy/modules/system/systemd.te | 2 +-
 5 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7436292dfb..8fc9028f5d 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -246,7 +246,7 @@ auth_use_nsswitch(groupadd_t)
 # domtrans_chk_passwd() call.
 auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
-auth_etc_filetrans_shadow(groupadd_t)
+auth_filetrans_shadow(groupadd_t)
 seutil_read_config(groupadd_t)
 seutil_read_file_contexts(groupadd_t)
@@ -346,7 +346,7 @@ auth_run_chk_passwd(passwd_t, passwd_roles)
 auth_run_upd_passwd(passwd_t, passwd_roles)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
-auth_etc_filetrans_shadow(passwd_t)
+auth_filetrans_shadow(passwd_t)
 auth_use_nsswitch(passwd_t)
 # allow checking if a shell is executable
@@ -435,7 +435,7 @@ term_use_all_ptys(sysadm_passwd_t)
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
-auth_etc_filetrans_shadow(sysadm_passwd_t)
+auth_filetrans_shadow(sysadm_passwd_t)
 auth_use_nsswitch(sysadm_passwd_t)
 # allow vipw to exec the editor
@@ -531,7 +531,7 @@ auth_use_nsswitch(useradd_t)
 # domtrans_chk_passwd() call.
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
-auth_etc_filetrans_shadow(useradd_t)
+auth_filetrans_shadow(useradd_t)
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index 7f920012f0..99a52bbdd6 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -199,7 +199,7 @@ selinux_get_fs_mount(yppasswdd_t)
 auth_manage_shadow(yppasswdd_t)
 auth_relabel_shadow(yppasswdd_t)
-auth_etc_filetrans_shadow(yppasswdd_t)
+auth_filetrans_shadow(yppasswdd_t)
 logging_send_syslog_msg(yppasswdd_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 0ca2ed56fb..12a5456ea9 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -847,6 +847,23 @@ interface(`auth_relabel_shadow',`
 typeattribute $1 can_relabelto_shadow_passwords;
 ')
+########################################
+##
+## File transitions for shadow files.
+##
+##
+##
+## Domain with file transition.
+##
+##
+#
+interface(`auth_filetrans_shadow',`
+ auth_etc_filetrans_shadow($1, "shadow")
+ auth_etc_filetrans_shadow($1, "gshadow")
+ auth_etc_filetrans_shadow($1, "shadow-")
+ auth_etc_filetrans_shadow($1, "gshadow-")
+')
+
 ########################################
 ##
 ## Read/Write shadow lock files.
@@ -860,9 +877,18 @@ interface(`auth_relabel_shadow',`
 interface(`auth_rw_shadow_lock',`
 gen_require(`
 type shadow_lock_t;
+ type shadow_t;
 ')
 allow $1 shadow_lock_t:file rw_file_perms;
+ ifelse(`$2',`',`
+ files_etc_filetrans($1, shadow_lock_t, file, ".pwd.lock")
+ files_etc_filetrans($1, shadow_lock_t, file, "passwd.lock")
+ files_etc_filetrans($1, shadow_lock_t, file, "group.lock")
+ ',`
+ refpolicywarn(`$0($*) second parameter is deprecated.')
+ files_etc_filetrans($1, shadow_t, file, $2)
+ ')
 ')
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 7587fd4b50..89fb0d421b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -412,6 +412,7 @@ term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
 auth_manage_shadow(updpwd_t)
+auth_filetrans_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
 logging_send_syslog_msg(updpwd_t)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 97bf01216c..7015d9af99 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
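Review bot: `auth_filetrans_shadow` enumerates only shadow, gshadow, shadow- and gshadow-, so every domain moved onto it in usermanage.te, nis.te, authlogin.te and systemd.te now gets a shadow_t transition on those four names alone (assuming the named form of `auth_etc_filetrans_shadow` grants nothing beyond the given name), and any other name a tool creates in /etc before renaming it over the database will presumably keep the etc directory's default label and carry it onto /etc/shadow after the rename. As far as I recall shadow-utils writes the new database to `<name>+` before the rename and systemd-sysusers writes a temporary under its own naming, so the list looks incomplete; please check each converted caller's temporary names and, where confirmed, add them here, e.g. `auth_etc_filetrans_shadow($1, "shadow+")` and `auth_etc_filetrans_shadow($1, "gshadow+")`. A short comment above the list stating that no unnamed fallback is granted, and which tools the names were taken from, would help whoever next has to explain a mislabelled /etc/shadow.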
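Review bot: In `auth_rw_shadow_lock` the three shadow_lock_t transitions sit only in the empty-`$2` branch of the ifelse, so a caller still using the two-argument form gets none of them and, through the deprecated branch, keeps labelling its named file shadow_t, which is the mislabelling the commit description sets out to remove. Unless the legacy name must stay shadow_t for compatibility, consider hoisting the three `files_etc_filetrans($1, shadow_lock_t, file, ...)` lines above the ifelse so both branches get them, and add a comment at the deprecated branch saying why the legacy name keeps shadow_t. The interface's doc block, outside the hunk, should also mark the second parameter as optional and deprecated, since the `refpolicywarn` is currently the only hint a reader gets.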
@@ -2077,7 +2077,7 @@ kernel_read_kernel_sysctls(systemd_sysusers_t)
 selinux_use_status_page(systemd_sysusers_t)
 auth_manage_shadow(systemd_sysusers_t)
-auth_etc_filetrans_shadow(systemd_sysusers_t)
+auth_filetrans_shadow(systemd_sysusers_t)
 auth_use_nsswitch(systemd_sysusers_t)
 seutil_libselinux_linked(systemd_sysusers_t)