From mboxrd@z Thu Jan  1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 28 Mar 2012 13:15:58 -0400
Subject: [refpolicy] chsh (chfn_t) to access /etc/.pwd.lock (shadow_t) ?
In-Reply-To: <20120328165245.GA3116@siphos.be>
References: <20120327192447.GA2101@siphos.be> <4F7223A3.9090409@redhat.com>
	<20120328165245.GA3116@siphos.be>
Message-ID: <4F73474E.9010306@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/28/2012 12:52 PM, Sven Vermeulen wrote:
> On Tue, Mar 27, 2012 at 04:31:31PM -0400, Daniel J Walsh wrote:
>> Being able to write to etc_t is basically the same as being able to write to shadow_t, if /etc/passwd is labeled as etc_t.
> 
> How's that? The passwd file is labeled as etc_t, shadow is labeled as shadow_t. And apparently, .pwd.lock is labeled as shadow_t as well currently.
> 
> I'm pretty sure domains with write privileges to etc_t cannot write to shadow_t...
> 
> Wkr, Sven Vermeulen _______________________________________________ refpolicy mailing list refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
Because I can write a /etc/passwd file entry to allow me to login to root without a password,
and then just use a login program to login as root, probably running as a role of sysadmin_t
or uncnfined_t

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9zR0wACgkQrlYvE4MpobNJ3ACeJ+dum4qGuDDAmig5w21hJevf
UhUAoLQGl56J/jN1LAhP/SFlXzVssLIA
=Y7vB
-----END PGP SIGNATURE-----