archlinuxhardened / selinux

PKGBUILDs to build SELinux enabled packages for Arch Linux

reading and relabeling shadow_t #29

Closed twoertwein closed 4 years ago

twoertwein commented 4 years ago

audit2allow generated the following output:

#============= systemd_logind_t ==============
allow systemd_logind_t shadow_t:file read;

#============= systemd_tmpfiles_t ==============

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule: 
#   constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#   Possible cause is the source user (system_u) and target user (user_u) are different.
allow systemd_tmpfiles_t etc_t:file relabelfrom;
allow systemd_tmpfiles_t shadow_t:file relabelto;

Two of these rules are not compatible with refpolicy-arch (read and relabelto):

$ semodule -i local_patch.pp
neverallow check failed at /var/lib/selinux/refpolicy-arch/tmp/modules/400/authlogin/cil:209
  (neverallow authlogin_typeattr_3 shadow_t (file (relabelto)))
    <root>
    allow at /var/lib/selinux/refpolicy-arch/tmp/modules/400/local_patch/cil:390
      (allow systemd_tmpfiles_t shadow_t (file (relabelto)))

neverallow check failed at /var/lib/selinux/refpolicy-arch/tmp/modules/400/authlogin/cil:207
  (neverallow authlogin_typeattr_1 shadow_t (file (read)))
    <root>
    allow at /var/lib/selinux/refpolicy-arch/tmp/modules/400/local_patch/cil:388
      (allow systemd_logind_t shadow_t (file (read)))

Failed to generate binary
semodule:  Failed!

fishilico commented 4 years ago

Hello, it seems that you consider audit2allow to be some kind of magic tool that is used to automatically accept SELinux denials when they happen. This is not how this works: it can help with writing policy files, but sometimes the issues that occur are caused by a missing context transition, or missing attributes associated with types...

A better way of improving the policy consists of searching the interfaces defined in the .if files of the policy for how to allow the needed accesses. For example, in order to allow reading shadow_t files, an interface named auth_tunable_read_shadow exists (https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20200229/policy/modules/system/authlogin.if#L629) and its name seems strange. This is because the "real" interface which should be used is auth_read_shadow (https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20200229/policy/modules/system/authlogin.if#L573):

interface(`auth_read_shadow',`
    auth_can_read_shadow_passwords($1)
    auth_tunable_read_shadow($1)
')

The first statement is defined as:

interface(`auth_can_read_shadow_passwords',`
    gen_require(`
        attribute can_read_shadow_passwords;
    ')

    typeattribute $1 can_read_shadow_passwords;
')

... this associates a domain context with attribute can_read_shadow_passwords.

This attribute is used to define a neverallow rule in https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20200229/policy/modules/system/authlogin.te#L64 :

neverallow ~can_read_shadow_passwords shadow_t:file read;

... which is the neverallow rule you are triggering by only using allow systemd_logind_t shadow_t:file read; instead of auth_read_shadow(systemd_logind_t): all that is missing is to add the attribute can_read_shadow_passwords to the type systemd_logind_t.

Now, are you certain that systemd-logind tried to read /etc/shadow and are you sure that there is not another process that gets mislabeled as systemd_logind_t which is trying to read some file that gets mislabeled as shadow_t? In order to answer this question, you need to read the raw AVC message in audit.log and not only the output of audit2allow. This way, you are sure that you are not introducing a misconfiguration in your policy.

Finally, if you find missing SELinux rules (which is perfectly normal, as the reference policy is not quite complete) and want to contribute to refpolicy-arch, the upstream repository is https://github.com/SELinuxProject/refpolicy/ (refpolicy-arch only differs by its default configuration, cf. https://github.com/archlinuxhardened/selinux-policy-arch/commits/2.20200229). Feel free to open an issue or submit a Pull Request there.

Thanks