[refpolicy] [Fwd: SSSD Local Auth and SELinux support]

[refpolicy] [Fwd: SSSD Local Auth and SELinux support]

[Matthew Ife]

This is an email I forwarded to the F15 selinux policy mailing list.

As suggested, I forward the email and the attached patch which attempts
to resolve what I discussed.

If you have any questions please let me know. This was a patch applied
to refpolicy.


-------------- next part --------------
An embedded message was scrubbed...
From: Matthew Ife <deleriux@airattack-central.com>
Subject: SSSD Local Auth and SELinux support
Date: Sun, 26 Jun 2011 14:33:55 +0100
Size: 8915
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20110705/983fe721/attachment.mht 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: shadow_to_auth_file.patch
Type: text/x-patch
Size: 16169 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110705/983fe721/attachment.bin 

[refpolicy] [Fwd: SSSD Local Auth and SELinux support]

[Christopher J. PeBenito]

On 07/05/11 16:17, Matthew Ife wrote:
> This is an email I forwarded to the F15 selinux policy mailing list.
> 
> As suggested, I forward the email and the attached patch which attempts
> to resolve what I discussed.
> 
> If you have any questions please let me know. This was a patch applied
> to refpolicy.

If we're looking to go down this road, then we have to consider other
sources of authentication, such as nis, kerberos, and samba/winbind.

This may cause problems with package managers trying to
install/initialize the database for the first time, which is a concern.

There are a few problems (see inline):

> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 6776b69..9f36e81 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -140,8 +140,8 @@ storage_raw_write_fixed_disk(dpkg_t)
>  # for installing kernel packages
>  storage_raw_read_fixed_disk(dpkg_t)
>  
> -auth_relabel_all_files_except_shadow(dpkg_t)
> -auth_manage_all_files_except_shadow(dpkg_t)
> +auth_relabel_all_files_except_auth_files(dpkg_t)
> +auth_manage_all_files_except_auth_files(dpkg_t)
>  auth_dontaudit_read_shadow(dpkg_t)
>  
>  files_exec_etc_files(dpkg_t)
> @@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
>  
>  auth_dontaudit_getattr_shadow(dpkg_script_t)
>  # ideally we would not need this
> -auth_manage_all_files_except_shadow(dpkg_script_t)
> +auth_manage_all_files_except_auth_files(dpkg_script_t)
>  
>  init_domtrans_script(dpkg_script_t)
>  init_use_script_fds(dpkg_script_t)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 9a2c2a1..0f27b1c 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -170,9 +170,9 @@ interface(`portage_compile_domain',`
>  	# needed for merging dbus:
>  	selinux_compute_access_vector($1)
>  
> -	auth_read_all_dirs_except_shadow($1)
> -	auth_read_all_files_except_shadow($1)
> -	auth_read_all_symlinks_except_shadow($1)
> +	auth_read_all_dirs_except_auth_files($1)
> +	auth_read_all_files_except_auth_files($1)
> +	auth_read_all_symlinks_except_auth_files($1)
>  
>  	libs_exec_lib_files($1)
>  	# some config scripts use ldd
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 47a8f7d..489d499 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -154,8 +154,8 @@ storage_raw_read_fixed_disk(rpm_t)
>  
>  term_list_ptys(rpm_t)
>  
> -auth_relabel_all_files_except_shadow(rpm_t)
> -auth_manage_all_files_except_shadow(rpm_t)
> +auth_relabel_all_files_except_auth_files(rpm_t)
> +auth_manage_all_files_except_auth_files(rpm_t)
>  auth_dontaudit_read_shadow(rpm_t)
>  auth_use_nsswitch(rpm_t)
>  
> @@ -304,7 +304,7 @@ term_use_all_terms(rpm_script_t)
>  auth_dontaudit_getattr_shadow(rpm_script_t)
>  auth_use_nsswitch(rpm_script_t)
>  # ideally we would not need this
> -auth_manage_all_files_except_shadow(rpm_script_t)
> +auth_manage_all_files_except_auth_files(rpm_script_t)
>  auth_relabel_shadow(rpm_script_t)
>  
>  corecmd_exec_all_executables(rpm_script_t)
> diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
> index fe1c377..775e5b1 100644
> --- a/policy/modules/admin/sosreport.te
> +++ b/policy/modules/admin/sosreport.te
> @@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
>  
>  # some config files do not have configfile attribute
>  # sosreport needs to read various files on system
> -auth_read_all_files_except_shadow(sosreport_t)
> +auth_read_all_files_except_auth_files(sosreport_t)
>  auth_use_nsswitch(sosreport_t)
>  
>  init_domtrans_script(sosreport_t)
> diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
> index d5aaf0e..c1eefd5 100644
> --- a/policy/modules/admin/sxid.te
> +++ b/policy/modules/admin/sxid.te
> @@ -66,7 +66,7 @@ fs_list_all(sxid_t)
>  
>  term_dontaudit_use_console(sxid_t)
>  
> -auth_read_all_files_except_shadow(sxid_t)
> +auth_read_all_files_except_auth_files(sxid_t)
>  auth_dontaudit_getattr_shadow(sxid_t)
>  
>  init_use_fds(sxid_t)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index ff006ea..e1cd45f 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -49,6 +49,7 @@
>  ##		<li>init_script_file()</li>
>  ##		<li>init_script_domain()</li>
>  ##		<li>init_system_domain()</li>
> +##              <li>files_auth_file()</li>

Please use tabs.

>  ##		<li>files_config_files()</li>
>  ##		<li>files_lock_file()</li>
>  ##		<li>files_mountpoint()</li>
> @@ -215,6 +216,33 @@ interface(`files_pid_file',`
>  
>  ########################################
>  ## <summary>
> +##      Make the specified type a
> +##      authentication file.
> +## </summary>
> +## <desc>
> +##      <p>
> +##      Make the specified type an authentication file.
> +##      This will also make the type usable for security files, making
> +##      calls to files_security_file() redundant.
> +##      </p>
> +## </desc>

I don't agree with this assessment.  Security files are a superset of
authentication files.  In fact, I think the interface should likely call
files_security_file().  Additionally, this interface is in the wrong
module, it should be in the authlogin module, otherwise those interfaces
would be breaking encapsulation.

> +## <param name="auth_file">
> +##      <summary>
> +##      Type to be used as a authentication file.
> +##      </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`files_auth_file',`
> +        gen_require(`
> +                attribute auth_file_type;
> +        ')
> +        files_security_file($1)
> +        typeattribute $1 auth_file_type;
> +')
> +
> +########################################
> +## <summary>
>  ##	Make the specified type a
>  ##	configuration file.
>  ## </summary>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d91c62f..e709b9f 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -334,9 +334,9 @@ optional_policy(`
>  		fs_read_noxattr_fs_files(kernel_t)
>  		fs_read_noxattr_fs_symlinks(kernel_t)
>  
> -		auth_read_all_dirs_except_shadow(kernel_t)
> -		auth_read_all_files_except_shadow(kernel_t)
> -		auth_read_all_symlinks_except_shadow(kernel_t)
> +		auth_read_all_dirs_except_auth_files(kernel_t)
> +		auth_read_all_files_except_auth_files(kernel_t)
> +		auth_read_all_symlinks_except_auth_files(kernel_t)
>  	')
>  
>  	tunable_policy(`nfs_export_all_rw',`
> @@ -345,7 +345,7 @@ optional_policy(`
>  		fs_read_noxattr_fs_files(kernel_t)
>  		fs_read_noxattr_fs_symlinks(kernel_t)
>  
> -		auth_manage_all_files_except_shadow(kernel_t)
> +		auth_manage_all_files_except_auth_files(kernel_t)
>  	')
>  ')
>  
> diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
> index be4de58..2de38b8 100644
> --- a/policy/modules/roles/secadm.te
> +++ b/policy/modules/roles/secadm.te
> @@ -30,7 +30,7 @@ mls_file_upgrade(secadm_t)
>  mls_file_downgrade(secadm_t)
>  
>  auth_role(secadm_r, secadm_t)
> -auth_relabel_all_files_except_shadow(secadm_t)
> +auth_relabel_all_files_except_auth_files(secadm_t)
>  auth_relabel_shadow(secadm_t)
>  
>  init_exec(secadm_t)
> diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
> index 8a74a83..d670c61 100644
> --- a/policy/modules/services/ftp.te
> +++ b/policy/modules/services/ftp.te
> @@ -261,7 +261,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
>  
>  tunable_policy(`allow_ftpd_full_access',`
>  	allow ftpd_t self:capability { dac_override dac_read_search };
> -	auth_manage_all_files_except_shadow(ftpd_t)
> +	auth_manage_all_files_except_auth_files(ftpd_t)
>  ')
>  
>  tunable_policy(`ftp_home_dir',`
> @@ -394,7 +394,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
>  tunable_policy(`sftpd_full_access',`
>  	allow sftpd_t self:capability { dac_override dac_read_search };
>  	fs_read_noxattr_fs_files(sftpd_t)
> -	auth_manage_all_files_except_shadow(sftpd_t)
> +	auth_manage_all_files_except_auth_files(sftpd_t)
>  ')
>  
>  tunable_policy(`use_samba_home_dirs',`
> diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
> index 64c5f95..1201731 100644
> --- a/policy/modules/services/puppet.te
> +++ b/policy/modules/services/puppet.te
> @@ -132,7 +132,7 @@ sysnet_dns_name_resolve(puppet_t)
>  sysnet_run_ifconfig(puppet_t, system_r)
>  
>  tunable_policy(`puppet_manage_all_files',`
> -	auth_manage_all_files_except_shadow(puppet_t)
> +	auth_manage_all_files_except_auth_files(puppet_t)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
> index 00fa514..c013749 100644
> --- a/policy/modules/services/rgmanager.te
> +++ b/policy/modules/services/rgmanager.te
> @@ -92,7 +92,7 @@ term_getattr_pty_fs(rgmanager_t)
>  #term_use_ptmx(rgmanager_t)
>  
>  # needed by resources scripts
> -auth_read_all_files_except_shadow(rgmanager_t)
> +auth_read_all_files_except_auth_files(rgmanager_t)
>  auth_dontaudit_getattr_shadow(rgmanager_t)
>  auth_use_nsswitch(rgmanager_t)
>  
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index b1468ed..958dc49 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -158,7 +158,7 @@ tunable_policy(`nfs_export_all_rw',`
>  	dev_getattr_all_chr_files(nfsd_t)
>  
>  	fs_read_noxattr_fs_files(nfsd_t)
> -	auth_manage_all_files_except_shadow(nfsd_t)
> +	auth_manage_all_files_except_auth_files(nfsd_t)
>  ')
>  
>  tunable_policy(`nfs_export_all_ro',`
> @@ -170,8 +170,8 @@ tunable_policy(`nfs_export_all_ro',`
>  
>  	fs_read_noxattr_fs_files(nfsd_t)
>  
> -	auth_read_all_dirs_except_shadow(nfsd_t)
> -	auth_read_all_files_except_shadow(nfsd_t)
> +	auth_read_all_dirs_except_auth_files(nfsd_t)
> +	auth_read_all_files_except_auth_files(nfsd_t)
>  ')
>  
>  ########################################
> diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
> index 39015ae..40463c8 100644
> --- a/policy/modules/services/rsync.te
> +++ b/policy/modules/services/rsync.te
> @@ -125,9 +125,9 @@ tunable_policy(`rsync_export_all_ro',`
>  	fs_read_noxattr_fs_files(rsync_t) 
>  	fs_read_nfs_files(rsync_t)
>  	fs_read_cifs_files(rsync_t)
> -	auth_read_all_dirs_except_shadow(rsync_t)
> -	auth_read_all_files_except_shadow(rsync_t)
> -	auth_read_all_symlinks_except_shadow(rsync_t)
> +	auth_read_all_dirs_except_auth_files(rsync_t)
> +	auth_read_all_files_except_auth_files(rsync_t)
> +	auth_read_all_symlinks_except_auth_files(rsync_t)
>  	auth_tunable_read_shadow(rsync_t)
>  ')
>  auth_can_read_shadow_passwords(rsync_t)
> diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
> index e30bb63..06cc480 100644
> --- a/policy/modules/services/samba.te
> +++ b/policy/modules/services/samba.te
> @@ -450,18 +450,18 @@ tunable_policy(`samba_create_home_dirs',`
>  
>  tunable_policy(`samba_export_all_ro',`
>  	fs_read_noxattr_fs_files(smbd_t) 
> -	auth_read_all_dirs_except_shadow(smbd_t)
> -	auth_read_all_files_except_shadow(smbd_t)
> +	auth_read_all_dirs_except_auth_files(smbd_t)
> +	auth_read_all_files_except_auth_files(smbd_t)
>  	fs_read_noxattr_fs_files(nmbd_t) 
> -	auth_read_all_dirs_except_shadow(nmbd_t)
> -	auth_read_all_files_except_shadow(nmbd_t)
> +	auth_read_all_dirs_except_auth_files(nmbd_t)
> +	auth_read_all_files_except_auth_files(nmbd_t)
>  ')
>  
>  tunable_policy(`samba_export_all_rw',`
>  	fs_read_noxattr_fs_files(smbd_t) 
> -	auth_manage_all_files_except_shadow(smbd_t)
> +	auth_manage_all_files_except_auth_files(smbd_t)
>  	fs_read_noxattr_fs_files(nmbd_t) 
> -	auth_manage_all_files_except_shadow(nmbd_t)
> +	auth_manage_all_files_except_auth_files(nmbd_t)
>  	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
>  ')
>  
> diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
> index 3d8d1b3..dd82b1c 100644
> --- a/policy/modules/services/snmp.te
> +++ b/policy/modules/services/snmp.te
> @@ -99,7 +99,7 @@ storage_dontaudit_read_fixed_disk(snmpd_t)
>  storage_dontaudit_read_removable_device(snmpd_t)
>  
>  auth_use_nsswitch(snmpd_t)
> -auth_read_all_dirs_except_shadow(snmpd_t)
> +auth_read_all_dirs_except_auth_files(snmpd_t)
>  
>  init_read_utmp(snmpd_t)
>  init_dontaudit_write_utmp(snmpd_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 73554ec..7f224a2 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1169,12 +1169,12 @@ interface(`auth_delete_pam_console_data',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`auth_read_all_dirs_except_shadow',`
> +interface(`auth_read_all_dirs_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_read_all_dirs_except($1, $2 -shadow_t)
> +	files_read_all_dirs_except($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1195,12 +1195,12 @@ interface(`auth_read_all_dirs_except_shadow',`
>  ## </param>
>  ## <rolecap/>
>  #
> -interface(`auth_read_all_files_except_shadow',`
> +interface(`auth_read_all_files_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_read_all_files_except($1, $2 -shadow_t)
> +	files_read_all_files_except($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1220,12 +1220,12 @@ interface(`auth_read_all_files_except_shadow',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`auth_read_all_symlinks_except_shadow',`
> +interface(`auth_read_all_symlinks_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_read_all_symlinks_except($1, $2 -shadow_t)
> +	files_read_all_symlinks_except($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1246,7 +1246,7 @@ interface(`auth_read_all_symlinks_except_shadow',`
>  ## </param>
>  #
>  
> -interface(`auth_relabel_all_files_except_shadow',`
> +interface(`auth_relabel_all_files_except_auth_files',`
>  	gen_require(`
>  		type shadow_t;
>  	')
> @@ -1272,12 +1272,12 @@ interface(`auth_relabel_all_files_except_shadow',`
>  ## </param>
>  #
>  
> -interface(`auth_rw_all_files_except_shadow',`
> +interface(`auth_rw_all_files_except_auth_files',`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_rw_all_files($1, $2 -shadow_t)
> +	files_rw_all_files($1, $2 -auth_file_type)
>  ')
>  
>  ########################################
> @@ -1298,12 +1298,12 @@ interface(`auth_rw_all_files_except_shadow',`
>  ## </param>
>  #
>  
> -interface(`auth_manage_all_files_except_shadow',`
> +interface(`auth_manage_all_files_except_auth_files,`
>  	gen_require(`
> -		type shadow_t;
> +		attribute auth_file_type;
>  	')
>  
> -	files_manage_all_files($1, $2 -shadow_t)
> +	files_manage_all_files($1, $2 -auth_file_type)
>  ')

None of these interface renames are permissible, as it breaks
compatibility.  You need to add new interfaces, and deprecateto the
"except_shadow" interfaces (see libs_use_lib_files() for an example).

>  ########################################
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index b7a5f00..00b9e8d 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -1,10 +1,9 @@
> -policy_module(authlogin, 2.2.1)
> -

I don't know why you would be doing this.

>  ########################################
>  #
>  # Declarations
>  #
>  
> +attribute auth_file_type;
>  attribute can_read_shadow_passwords;
>  attribute can_write_shadow_passwords;
>  attribute can_relabelto_shadow_passwords;
> @@ -50,7 +49,7 @@ type pam_var_run_t;
>  files_pid_file(pam_var_run_t)
>  
>  type shadow_t;
> -files_security_file(shadow_t)
> +files_auth_file(shadow_t)
>  neverallow ~can_read_shadow_passwords shadow_t:file read;
>  neverallow ~can_write_shadow_passwords shadow_t:file { create write };
>  neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 15832c7..66aa503 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -142,8 +142,8 @@ ifdef(`distro_ubuntu',`
>  ')
>  
>  tunable_policy(`allow_mount_anyfile',`
> -	auth_read_all_dirs_except_shadow(mount_t)
> -	auth_read_all_files_except_shadow(mount_t)
> +	auth_read_all_dirs_except_auth_files(mount_t)
> +	auth_read_all_files_except_auth_files(mount_t)
>  	files_mounton_non_security(mount_t)
>  ')
>  
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index 7ed9819..bef1885 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -323,8 +323,8 @@ selinux_compute_create_context(restorecond_t)
>  selinux_compute_relabel_context(restorecond_t)
>  selinux_compute_user_contexts(restorecond_t)
>  
> -auth_relabel_all_files_except_shadow(restorecond_t )
> -auth_read_all_files_except_shadow(restorecond_t)
> +auth_relabel_all_files_except_auth_files(restorecond_t )
> +auth_read_all_files_except_auth_files(restorecond_t)
>  auth_use_nsswitch(restorecond_t)
>  
>  locallogin_dontaudit_use_fds(restorecond_t)
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 4b2878a..a64b4e0 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1133,9 +1133,9 @@ template(`userdom_admin_user_template',`
>  
>  	auth_getattr_shadow($1_t)
>  	# Manage almost all files
> -	auth_manage_all_files_except_shadow($1_t)
> +	auth_manage_all_files_except_auth_files($1_t)
>  	# Relabel almost all files
> -	auth_relabel_all_files_except_shadow($1_t)
> +	auth_relabel_all_files_except_auth_files($1_t)
>  
>  	init_telinit($1_t)
>  
> @@ -1223,7 +1223,7 @@ template(`userdom_security_admin_template',`
>  	selinux_set_all_booleans($1)
>  	selinux_set_parameters($1)
>  
> -	auth_relabel_all_files_except_shadow($1)
> +	auth_relabel_all_files_except_auth_files($1)
>  	auth_relabel_shadow($1)
>  
>  	init_exec($1)



-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [Fwd: SSSD Local Auth and SELinux support]

[Matthew Ife]

On Wed, 2011-07-06 at 09:48 -0400, Christopher J. PeBenito wrote:
> On 07/05/11 16:17, Matthew Ife wrote:
> > This is an email I forwarded to the F15 selinux policy mailing list.
> > 
> > As suggested, I forward the email and the attached patch which attempts
> > to resolve what I discussed.
> > 
> > If you have any questions please let me know. This was a patch applied
> > to refpolicy.

> If we're looking to go down this road, then we have to consider other
> sources of authentication, such as nis, kerberos, and samba/winbind.
That has also crossed my mind as being a useful idea.

> This may cause problems with package managers trying to
> install/initialize the database for the first time, which is a concern.
> 
Potentially and that would need to be tested for. SSSD doesnt need it as
it generates the the files it needs upon startup. The worst case
scenario here is we give the types that need it the access needed for
package managers to do what they need to.
I do not think it would be a good idea to do all things we want to label
as auth files in one fell swoop, big services like winbind and kerberos
need testing for at least the majority of use-cases.

> There are a few problems (see inline):
...
...
> >  init_use_fds(sxid_t)
> > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> > index ff006ea..e1cd45f 100644
> > --- a/policy/modules/kernel/files.if
> > +++ b/policy/modules/kernel/files.if
> > @@ -49,6 +49,7 @@
> >  ##		<li>init_script_file()</li>
> >  ##		<li>init_script_domain()</li>
> >  ##		<li>init_system_domain()</li>
> > +##              <li>files_auth_file()</li>
> 
> Please use tabs.
I'll correct that.

> >  ##		<li>files_config_files()</li>
> >  ##		<li>files_lock_file()</li>
> >  ##		<li>files_mountpoint()</li>
> > @@ -215,6 +216,33 @@ interface(`files_pid_file',`
> >  
> >  ########################################
> >  ## <summary>
> > +##      Make the specified type a
> > +##      authentication file.
> > +## </summary>
> > +## <desc>
> > +##      <p>
> > +##      Make the specified type an authentication file.
> > +##      This will also make the type usable for security files, making
> > +##      calls to files_security_file() redundant.
> > +##      </p>
> > +## </desc>
> 
> I don't agree with this assessment.  Security files are a superset of
> authentication files.  In fact, I think the interface should likely call
> files_security_file().  Additionally, this interface is in the wrong
> module, it should be in the authlogin module, otherwise those interfaces
> would be breaking encapsulation.

Not sure what you mean here. Perhaps I am getting the wrong idea of its
meaning. The interface does call files_security_file (thus the idea of
calling it yourself is redundant). Is this not what this is meant to
mean? Regarding the interface itself - I wasn't super certain whether or
not it went in there since files_security_file went in there. I can put
it in the authlogin interface though easily enough.


<the stuff in various interface files>
> None of these interface renames are permissible, as it breaks
> compatibility.  You need to add new interfaces, and deprecateto the
> "except_shadow" interfaces (see libs_use_lib_files() for an example).
I'll look into that.


> >  ########################################
> > diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> > index b7a5f00..00b9e8d 100644
> > --- a/policy/modules/system/authlogin.te
> > +++ b/policy/modules/system/authlogin.te
> > @@ -1,10 +1,9 @@
> > -policy_module(authlogin, 2.2.1)
> > -
> I don't know why you would be doing this.
Nor do I, must have been a random keyboard burst. That shouldn't be
there.

[refpolicy] [Fwd: SSSD Local Auth and SELinux support] Version 2

[Matthew Ife]

Heres a new patch, this uses the suggestions you provided.

I created 2 patches.

1, the change to refpolicies handling of shadow files patch.
2, changing macros in existing modules to replace deprecated macros.

> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


Let me know if theres anything missing.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-auth_login_file_type-attribute.patch
Type: text/x-patch
Size: 8966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110710/2ac83db3/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Alter-existing-macros-that-use-except_shadow-to-use-.patch
Type: text/x-patch
Size: 12743 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110710/2ac83db3/attachment-0001.bin 

[refpolicy] [Fwd: SSSD Local Auth and SELinux support] Version 2

[Christopher J. PeBenito]

On 7/10/2011 1:35 PM, Matthew Ife wrote:
> Heres a new patch, this uses the suggestions you provided.
>
> I created 2 patches.
>
> 1, the change to refpolicies handling of shadow files patch.
> 2, changing macros in existing modules to replace deprecated macros.
>
> Let me know if theres anything missing.

I would just change auth_login_file() to simply auth_file(), and change 
the corresponding access interfaces, eg. 
auth_read_all_files_except_auth_files().  Then it should be good to go.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [Fwd: SSSD Local Auth and SELinux support] Version 2

[Matthew Ife]

New patches, changes you suggested included.

Would just check for anything silly. But the patches work when
side-patched into f15 policy.

On Mon, 2011-07-11 at 08:22 -0400, Christopher J. PeBenito wrote:
> On 7/10/2011 1:35 PM, Matthew Ife wrote:
> > Heres a new patch, this uses the suggestions you provided.
> >
> > I created 2 patches.
> >
> > 1, the change to refpolicies handling of shadow files patch.
> > 2, changing macros in existing modules to replace deprecated macros.
> >
> > Let me know if theres anything missing.
> 
> I would just change auth_login_file() to simply auth_file(), and change 
> the corresponding access interfaces, eg. 
> auth_read_all_files_except_auth_files().  Then it should be good to go.
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Create-a-new-attribute-for-auth_file-types.patch
Type: text/x-patch
Size: 8912 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110714/749e8114/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Replace-deprecated-_except_shadow-macro-calls-with-_.patch
Type: text/x-patch
Size: 13065 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110714/749e8114/attachment-0001.bin 

[refpolicy] [Fwd: SSSD Local Auth and SELinux support] Version 2

[Christopher J. PeBenito]

On 07/14/11 11:09, Matthew Ife wrote:
> New patches, changes you suggested included.
> 
> Would just check for anything silly. But the patches work when
> side-patched into f15 policy.
> 
> On Mon, 2011-07-11 at 08:22 -0400, Christopher J. PeBenito wrote:
>> On 7/10/2011 1:35 PM, Matthew Ife wrote:
>>> Heres a new patch, this uses the suggestions you provided.
>>>
>>> I created 2 patches.
>>>
>>> 1, the change to refpolicies handling of shadow files patch.
>>> 2, changing macros in existing modules to replace deprecated macros.
>>>
>>> Let me know if theres anything missing.
>>
>> I would just change auth_login_file() to simply auth_file(), and change 
>> the corresponding access interfaces, eg. 
>> auth_read_all_files_except_auth_files().  Then it should be good to go.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com