Hello All,
I've been beating my head into a wall on this issue and was hoping someone else might have a clue.
I have a new domain call it "mytool_t" that needs to be able to change the roots password. Problem is I just can't seem to find the right rules/macros for the job.
The source context will be root:system_r:mytoolt_t
It will be running the passwd command and transitioning to root:system_r:passwd_t. That is if I can get it past the only root user is allowed to change root's password. Here's the command line error:
passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to change the password of root.
UID, gid, groups, etc in the DAC side of things are 0.
Permissive mode reports no selinux errors and the password change works (I'm assuming that passwd is detecting permissive mode).
But enforcing stops it cold.
Here's some example of the relevant policy I've used to try and get this to work:
# For access to passwd program type_transition mytool_t passwd_exec_t:process passwd_t; domain_auto_trans(mytool_t,passwd_exec_t,passwd_t); usermanage_run_admin_passwd(mytool_t,system_r) allow mytool_t passwd_exec_t:file { read getattr open execute };
Any thanks is appreciated. David
On Mon, 2011-10-17 at 16:55 -0400, David A. Cafaro wrote:
Hello All,
I've been beating my head into a wall on this issue and was hoping someone else might have a clue.
I have a new domain call it "mytool_t" that needs to be able to change the roots password. Problem is I just can't seem to find the right rules/macros for the job.
The source context will be root:system_r:mytoolt_t
It will be running the passwd command and transitioning to root:system_r:passwd_t. That is if I can get it past the only root user is allowed to change root's password. Here's the command line error:
passwd: root:system_r:mytool_t:s0-s0:c0.c1023 is not authorized to change the password of root.
UID, gid, groups, etc in the DAC side of things are 0.
Permissive mode reports no selinux errors and the password change works (I'm assuming that passwd is detecting permissive mode).
But enforcing stops it cold.
Here's some example of the relevant policy I've used to try and get this to work:
# For access to passwd program type_transition mytool_t passwd_exec_t:process passwd_t; domain_auto_trans(mytool_t,passwd_exec_t,passwd_t); usermanage_run_admin_passwd(mytool_t,system_r) allow mytool_t passwd_exec_t:file { read getattr open execute };
You want: allow mytool_t self:passwd passwd;
passwd applies SELinux permission checks of its own.
Lack of AVC messages on such denials has been noted previously, but not fixed: https://bugzilla.redhat.com/show_bug.cgi?id=518268
On Oct 17, 2011, at 5:03 PM, Stephen Smalley wrote:
On Mon, 2011-10-17 at 16:55 -0400, David A. Cafaro wrote:
You want: allow mytool_t self:passwd passwd;
AHHH!! Thanks, not sure I would have found that. Google and grep of the source tree were failing me.
passwd applies SELinux permission checks of its own.
I had actually started looking at passwd and how they did an avc compute to check for correct context/perms, I was just having a miserable time trying to figure out "what" it was looking for. Thanks.
Lack of AVC messages on such denials has been noted previously, but not fixed: https://bugzilla.redhat.com/show_bug.cgi?id=518268
-- Stephen Smalley National Security Agency
On Mon, Oct 17, 2011 at 04:55:50PM -0400, David A. Cafaro wrote:
Permissive mode reports no selinux errors and the password change works (I'm assuming that passwd is detecting permissive mode).
Make sure you have "semanage dontaudit off".
Also look for things besides AVCs; if you're grepping the audit log, include SELINUX in what you check for.
-Robin
On Oct 17, 2011, at 5:16 PM, Robin Lee Powell wrote:
On Mon, Oct 17, 2011 at 04:55:50PM -0400, David A. Cafaro wrote:
Permissive mode reports no selinux errors and the password change works (I'm assuming that passwd is detecting permissive mode).
Make sure you have "semanage dontaudit off".
Yeah, was trying semanage -DB, but I didn't catch the passwd perms in it, may have gotten lost in the storm.
Also look for things besides AVCs; if you're grepping the audit log, include SELINUX in what you check for.
Thanks, I usually give both a check for "AVC" and "invalid" to try and find items. I'll also give audit2allow/why a chance to gather up what's been going on as well.
Cheers, David
selinux@lists.fedoraproject.org
-
David Cafaro -
Robin Lee Powell -
Stephen Smalley