From mboxrd@z Thu Jan  1 00:00:00 1970
From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 27 Mar 2012 21:24:47 +0200
Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?
Message-ID: <20120327192447.GA2101@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In Gentoo, we notice that recent shadow package (version 4.1.5) has a change
in behavior for changing account information through chsh. Although the
application only edits /etc/passwd entries, it now uses the /etc/.pwd.lock
file to prevent concurrent changes to the /etc/passwd (and other
account-related files). 

In the current policy however, /etc/.pwd.lock is marked as shadow_t, so the
chsh application (running in chfn_t) does not have the proper privileges to
work on this. As a result, it fails to update /etc/passwd entries.

As I'm not going to give it read/write access to shadow_t files, one other
possibility would be to mark /etc/.pwd.lock as etc_t. But I can imagine that
it was given shadow_t on purpose previously, probably to prevent a malicious
program (that has write access to etc_t) to update the lock file so
concurrent write operations on /etc/shadow could result in corruption...

Another solution would be to patch chsh itself to use a different lock file,
but unless it's accepted upstream, it's only a "local" remedy.

A third solution would be to create and use a different type for it, like
etc_auth_lock_t or whatever imagination can bring to life, and update the
policies of all domains that need access to it towards it.

Any thoughts on this?

Wkr,
	Sven Vermeulen