I have an app that I'm trying to confine.
In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
Is there SELinux policy to allow this app to get the shadow passwd? I've tried the following without success:
auth_can_read_shadow_passwords( )
auth_read_shadow( )
auth_tunable_read_shadow( )
auth_use_nsswitch( )
Thanks, Brian
On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> I have an app that I'm trying to confine.
> In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
> Is there SELinux policy to allow this app to get the shadow passwd?
> I've tried the following without success:
> auth_can_read_shadow_passwords( )
> auth_read_shadow( )
> auth_tunable_read_shadow( )
> auth_use_nsswitch( )
Can you show us the actual denial? Run semodule -DB first if you don't get any denials, and then run semodule -B afterward. Also, post your .te file.
Thanks for the response!
My RHEL 5.3 box doesn't have the -D option for semodule, so I moved to Fedora 9. I still don't see a relevant AVC message.
My policy, a sample run, and a test program are shown below. I get the same results running it unconfined as root. Note the role statement identified below still shows up with audit2allow, even though it is in the policy.
Thanks, Brian
[root@localhost t]# cat t_getpw.te
policy_module(t_getpw,1.0.0)

type t_getpw_t;
type t_getpw_exec_t;

gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, t_getpw_exec_t, t_getpw_t )

auth_can_read_shadow_passwords( t_getpw_t );
auth_read_shadow( t_getpw_t );
auth_tunable_read_shadow( t_getpw_t );
auth_use_nsswitch( t_getpw_t );
auth_domtrans_chk_passwd(t_getpw_t)

gen_require(`
	type ld_so_cache_t;
	type ld_so_t;
	type lib_t;
	type root_t;
	type sshd_t;
	type unconfined_devpts_t;
')

#============= t_getpw_t ==============
allow t_getpw_t ld_so_cache_t:file { read getattr };
allow t_getpw_t ld_so_t:file read;
allow t_getpw_t lib_t:dir search;
allow t_getpw_t lib_t:file { read getattr execute };
allow t_getpw_t lib_t:lnk_file read;
allow t_getpw_t root_t:dir search;
allow t_getpw_t sshd_t:fd use;
allow t_getpw_t t_getpw_exec_t:file entrypoint;
allow t_getpw_t unconfined_devpts_t:chr_file { read write getattr };
allow t_getpw_t unconfined_t:fd use;
allow t_getpw_t unconfined_t:process sigchld;

#============= unconfined_t ==============
allow unconfined_t t_getpw_t:dir { getattr search };
allow unconfined_t t_getpw_t:file read;
allow unconfined_t t_getpw_t:process { siginh getattr rlimitinh noatsecure };

#curiously, this role statement still shows up with audit2allow:
role unconfined_r types t_getpw_exec_t;

#=========== pam_t and vmware_host_t are probably not related
#=========== but always show up in audit.log
gen_require(`
	type pam_t;
	type initrc_var_run_t;
	type vmware_host_t;
	type xdm_xserver_t;
')

#============= pam_t ==============
allow pam_t initrc_var_run_t:file write;

#============= vmware_host_t ==============
allow vmware_host_t t_getpw_t:dir { search getattr };
allow vmware_host_t t_getpw_t:file read;
allow vmware_host_t xdm_xserver_t:process ptrace;
[root@localhost t]# cat t_getpw.fc
/usr/local/bin/t_getpwnam -- gen_context(system_u:object_r:t_getpw_exec_t,s0)
[root@localhost t]#
Loading Policy
+ /usr/sbin/semodule -i t_getpw.pp
+ '[' 0 -ne 0 ']'
+ /sbin/restorecon -F -R -v /usr/local/bin/t_getpwnam
/sbin/restorecon reset /usr/local/bin/t_getpwnam context unconfined_u:object_r:bin_t:s0->system_u:object_r:t_getpw_exec_t:s0
+ setenforce 1
+ setenforce 0
+ semodule -DB
[root@localhost t]# /usr/local/bin/t_getpwnam bginn
Calling getpwnam for user: bginn
USER:bginn UID:500 pwd:x
DONE.
[root@localhost t]# cat /var/log/audit/audit.log
type=AVC msg=audit(1246903716.331:18364): avc: denied { ptrace } for pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1246903716.331:18364): arch=c000003e syscall=89 per=400000 success=yes exit=19 a0=7fff06c1c7b0 a1=7fff06c1b7a0 a2=1000 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid: invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 a0=bfcbd0 a1=c06760 a2=c06cb0 a3=8 items=0 ppid=16180 pid=16315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1246903726.351:18366): avc: denied { search } for pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1246903726.351:18366): avc: denied { read } for pid=1665 comm="vmware-guestd" name="cmdline" dev=proc ino=83608 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1246903726.351:18366): arch=c000003e syscall=2 per=400000 success=yes exit=12 a0=7fff06c0b190 a1=0 a2=13 a3=8101010101010100 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
type=AVC msg=audit(1246903726.352:18367): avc: denied { getattr } for pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
type=SYSCALL msg=audit(1246903726.352:18367): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=7fff06c0b190 a1=7fff06c0b590 a2=7fff06c0b590 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
[root@localhost t]# cat /var/log/audit/audit.log| audit2allow

#============= vmware_host_t ==============
allow vmware_host_t t_getpw_t:dir { search getattr };
allow vmware_host_t t_getpw_t:file read;
allow vmware_host_t xdm_xserver_t:process ptrace;

=========== ROLES ===============
role unconfined_r types t_getpw_exec_t;
[root@localhost t]#
[root@localhost t]# cat t_getpwnam.c
#include <stdlib.h>
#include <pwd.h>
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>     /* sleep(); missing from the posted version */

int main( int argc, char** argv )
{
    struct passwd *p;
    char* user = NULL;

    /* pause so the process can be inspected (ps -Z) while it runs */
    sleep(9);

    if( argc != 2 ) {
        printf("must have username as argument\n");
        exit(1);
    }
    user = argv[1];
    printf("Calling getpwnam for user: %s\n", user);

    setpwent();
    p = getpwnam( user );
    if( p == NULL ) {
        printf("User not found (or error).\n");
    } else {
        /* pw_passwd is what NSS returns for the password field */
        printf("USER:%s UID:%d pwd:%s\n", p->pw_name, p->pw_uid, p->pw_passwd );
    }
    endpwent();

    printf("DONE.\n");
    return( 0 );
}
[root@localhost t]#
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Thursday, July 02, 2009 4:53 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@redhat.com'
Subject: Re: getpwnam and SELinux

On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> I have an app that I'm trying to confine.
> In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
> Is there SELinux policy to allow this app to get the shadow passwd?
> I've tried the following without success:
> auth_can_read_shadow_passwords( )
> auth_read_shadow( )
> auth_tunable_read_shadow( )
> auth_use_nsswitch( )

Can you show us the actual denial? Run semodule -DB first if you don't get any denials, and then run semodule -B afterward. Also, post your .te file.
On Mon, 2009-07-06 at 18:23 -0700, Brian Ginn wrote:
> Thanks for the response!
> My RHEL 5.3 box doesn't have the -D option for semodule, so I moved to Fedora 9. I still don't see a relevant AVC message.
> My policy, a sample run, and a test program are shown below. I get the same results running it unconfined as root. Note the role statement identified below still shows up with audit2allow, even though it is in the policy.
Hmmm...bug in the policy compiler, maybe?
I don't see unconfined_r in a require block in your policy module. Try adding: role unconfined_r; to the first gen_require() block.
Thanks for the suggestion. My program still doesn't work yet, but I notice that /var/log/messages has:
Jul 6 12:43:55 localhost kernel: security: context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 is invalid
What would make this invalid?
Thanks, Brian
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Tuesday, July 07, 2009 4:57 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@redhat.com'; Joshua Brindle
Subject: RE: getpwnam and SELinux

On Mon, 2009-07-06 at 18:23 -0700, Brian Ginn wrote:
> Thanks for the response!
> My RHEL 5.3 box doesn't have the -D option for semodule, so I moved to Fedora 9. I still don't see a relevant AVC message.
> My policy, a sample run, and a test program are shown below. I get the same results running it unconfined as root. Note the role statement identified below still shows up with audit2allow, even though it is in the policy.

Hmmm...bug in the policy compiler, maybe?
I don't see unconfined_r in a require block in your policy module. Try adding: role unconfined_r; to the first gen_require() block.
On Tue, 2009-07-07 at 12:04 -0700, Brian Ginn wrote:
> Thanks for the suggestion. My program still doesn't work yet, but I notice that /var/log/messages has:
> Jul 6 12:43:55 localhost kernel: security: context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 is invalid
> What would make this invalid?
user-role, role-type, or user-range association is not authorized by the policy.
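The triage a practitioner would run over the records Brian posted, as an added example that is not part of this thread and not an SELinux tool: it separates AVC denials, which audit2allow can turn into allow rules, from the SELINUX_ERR "invalid context" record, which audit2allow ignores and which is the symptom of the association problem Stephen describes. The sample records are copied from the audit.log excerpt above (the SYSCALL record shortened to the fields used); the function and key names are my own.

```python
"""Triage SELinux audit records for one confined domain.

Added example, not code from the thread or from the SELinux tools: separates
AVC denials (audit2allow material) from SELINUX_ERR invalid-context records,
which point at a user-role / role-type / user-range association problem."""
import re

# Constructed sample input: records copied from the audit.log excerpt in the
# thread, with the SYSCALL record cut down to the fields that matter here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1246903716.331:18364): avc: denied { ptrace } for pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid: invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 pid=16315 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1246903726.351:18366): avc: denied { search } for pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1246903726.352:18367): avc: denied { getattr } for pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
"""

SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}.*?"
                    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
ERR_RE = re.compile(r"security_compute_sid: invalid context (\S+) for "
                    r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")


def split_context(ctx):
    """Break user:role:type[:range] into the associations the policy must authorise."""
    parts = ctx.split(":", 3) + [""] * 4          # pad contexts that carry no range
    return dict(zip(("user", "role", "type", "range"), parts))


def parse_audit_log(text):
    """Return one dict per AVC or SELINUX_ERR record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        serial = SERIAL_RE.search(line)
        rec = {"serial": int(serial.group(1)) if serial else None}
        m = AVC_RE.search(line)
        if m:
            rec.update(kind="avc", perms=m.group(1).split(), scontext=m.group(2),
                       tcontext=m.group(3), tclass=m.group(4))
            records.append(rec)
            continue
        m = ERR_RE.search(line)
        if m:
            rec.update(kind="invalid_context", context=m.group(1), scontext=m.group(2),
                       tcontext=m.group(3), tclass=m.group(4))
            records.append(rec)
    return records


def triage(records, domain):
    """Sort records by what they mean for `domain`:
    subject_denials  - the domain itself was denied: feed these to audit2allow;
    invalid_contexts - a transition computed a context the policy does not
                       authorise: fix the user/role/type association (here the
                       missing "role unconfined_r;" require), not the allow rules;
    unrelated        - other domains' denials, possibly with `domain` as target."""
    out = {"subject_denials": [], "invalid_contexts": [], "unrelated": []}
    for rec in records:
        if rec["kind"] == "invalid_context" and split_context(rec["context"])["type"] == domain:
            out["invalid_contexts"].append(rec)
        elif rec["kind"] == "avc" and split_context(rec["scontext"])["type"] == domain:
            out["subject_denials"].append(rec)
        else:
            out["unrelated"].append(rec)
    return out


if __name__ == "__main__":
    result = triage(parse_audit_log(SAMPLE_AUDIT_LOG), "t_getpw_t")
    for kind, recs in result.items():
        print(kind, [r["serial"] for r in recs])
    for rec in result["invalid_contexts"]:
        print("check user/role/type associations for", split_context(rec["context"]))
```

Run against the posted records it reports no denial with t_getpw_t as subject, one invalid context whose role-type pair (unconfined_r, t_getpw_t) is what needs authorising, and three vmware_host_t denials that are noise for this module.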
Thanks again!
I got that last problem solved. My confined program now works on RHEL5.3.
Fedora 9, on the other hand, always returns x, even when not enforcing and not confined. That doesn't seem to be an SELinux issue.
-Brian
-----Original Message-----
From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
Sent: Tuesday, July 07, 2009 12:24 PM
To: Brian Ginn
Cc: 'fedora-selinux-list@redhat.com'; Joshua Brindle
Subject: RE: getpwnam and SELinux

On Tue, 2009-07-07 at 12:04 -0700, Brian Ginn wrote:
> Thanks for the suggestion. My program still doesn't work yet, but I notice that /var/log/messages has:
> Jul 6 12:43:55 localhost kernel: security: context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 is invalid
> What would make this invalid?

user-role, role-type, or user-range association is not authorized by the policy.