How should I allow saslauthd access to shadow?
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 4 14:49:12 UTC 2013
On 01/03/2013 06:17 PM, Charles Bradshaw wrote:
> Hi Daniel, Thanks for the quick reply.
>
> Using SELinux Administration under Boolean reveals:
>
>   Active  Module  Description
>           sasl    Allow sasl to read shadow
>
> I check Active for the above, restart saslauthd, but NO change:
>
>   # testsaslauthd -u foo -p foospw
>   0: NO "authentication failed"
>
> Your suggestion:
>
>   # sesearch -A -C | grep saslauthd_read
>   ET allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
>   ET allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]
>
> My problem is essentially that I don't understand SELinux Administration
> GUI or the output from sesearch!
>
> Why is the boolean not called allow_saslauthd_read_shadow in the GUI? Where
> is the doc for the meaning of output from sesearch?
>
Man page. sesearch is reading the policy and showing you what is allowed; -C
means conditionally. The E means it is enabled.
This means that the policy now allows
allow saslauthd_t shadow_t:file { read getattr open };
I don't tend to use the GUI...
So you don't need this in your policy module.
rpm -q selinux-policy
> On the other hand installing:
>
>   module saslpol 1.1;
>
>   require {
>       type saslauthd_t, shadow_t;
>       class capability { sys_nice dac_read_search dac_override };
>       class process setsched;
>       class file { read getattr open };
>   }
>
>   #============= saslauthd_t ==============
>   allow saslauthd_t self:capability { sys_nice dac_override dac_read_search };
>   allow saslauthd_t self:process setsched;
>   allow saslauthd_t shadow_t:file { read getattr open };
>
> WORKS ( with the aforementioned sasl boolean unchecked).
>
> BUT is this SAFE? and is it the minimum necessary access permissions?
>
> I've added the last line in saslpol.te from examining audit.log and a
> second run of audit2allow recommendation! I got NO alerts in either mode
> using the version having no last line! Even after SELinux Administration
> GUI, 'Enabled Audit' for additional audit rules, that are normally not
> reported in the log files.
>
> Charles Bradshaw
>
> ###################################
> On: Thu, 03 Jan 2013 10:59:16 -0500 Daniel J Walsh wrote:
>
>> snippet: Have you tried the saslauthd_read_shadow boolean?
>
Judging whether or not something is safe is up to you. I would prefer that
saslauthd used helper apps or the pam stack for reading /etc/shadow, but it
does not, so if you choose to run saslauthd in the state that needs to read
/etc/shadow, you need to give saslauthd this access.
The rules that you have given would allow a hacked saslauthd the ability to
read /etc/shadow, ignore DAC controls and change its priority. Ignoring DAC
controls is not a huge problem, since SELinux would still control what it is
allowed to read and write. Reading /etc/shadow would potentially allow it to
upload the /etc/shadow file somewhere or easily run a cracker on the password
entries, which is why we try to prevent as many programs as possible from
reading /etc/shadow.
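An added example, not from the thread or from setools: it decodes `sesearch -A -C` style lines and reports, for each access the custom saslpol module asks for, whether an enabled rule already grants it, whether only a boolean-gated rule that is currently off would, or whether nothing in the loaded policy does. The sample lines are constructed from the output quoted above; the use_nfs_home_dirs line is made up for contrast, and reading the second prefix letter as the conditional branch is my assumption beyond Walsh's note that E means enabled.

```shell
#!/bin/sh
# Constructed sample modelled on the `sesearch -A -C` lines quoted in the thread
# (the sasl boolean is on; the use_nfs_home_dirs line is invented for contrast).
SESEARCH_SAMPLE='ET allow saslauthd_t shadow_t : file { ioctl read getattr lock open } ; [ allow_saslauthd_read_shadow ]
ET allow saslauthd_t etc_t : dir { ioctl read getattr lock search open } ; [ allow_saslauthd_read_shadow ]
DT allow saslauthd_t user_home_t : file { read getattr open } ; [ use_nfs_home_dirs ]
allow saslauthd_t self : process setsched ;'

# rule_grants SRC TGT CLASS PERM   (sesearch output on stdin)
# Prints "enabled <boolean>" when a currently enabled rule grants the access,
# "disabled <boolean>" when only a disabled conditional rule would, "none" otherwise.
rule_grants() {
  awk -v src="$1" -v tgt="$2" -v cls="$3" -v perm="$4" '
    {
      # Conditional rules carry a two-letter prefix: E/D = enabled/disabled now,
      # second letter assumed to be the conditional branch (T/F).
      # Unconditional rules start directly with "allow".
      state = "enabled"; bool = "unconditional"; i = 1
      if ($1 != "allow") { state = (substr($1, 1, 1) == "E") ? "enabled" : "disabled"; i = 2 }
      if ($i != "allow" || $(i+1) != src || $(i+2) != tgt || $(i+4) != cls) next
      # The gating boolean sits in the trailing "[ name ]"
      o = index($0, "["); c = index($0, "]")
      if (o > 0 && c > o) { bool = substr($0, o + 1, c - o - 1); gsub(/ /, "", bool) }
      # The permission set is "{ a b c }" or a single bare permission
      o = index($0, "{"); c = index($0, "}")
      if (o > 0 && c > o) perms = substr($0, o + 1, c - o - 1); else perms = $(i+5)
      n = split(perms, p, " ")
      for (k = 1; k <= n; k++) if (p[k] == perm) {
        if (state == "enabled") { print "enabled " bool; found = 1; exit }
        pending = "disabled " bool
      }
    }
    END { if (!found) print (pending == "" ? "none" : pending) }'
}

# Run one check against the constructed sample.
check_sample() { printf '%s\n' "$SESEARCH_SAMPLE" | rule_grants "$@"; }

# Walk the accesses from the saslpol module through the loaded rules:
check_sample saslauthd_t shadow_t file read            # enabled allow_saslauthd_read_shadow
check_sample saslauthd_t self process setsched         # enabled unconditional
check_sample saslauthd_t user_home_t file read         # disabled use_nfs_home_dirs
check_sample saslauthd_t self capability dac_override  # none: only a module could add it
```

Only the accesses that come back as "none" need to go into a custom .te module; the rest are already covered by a boolean or by base policy.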