* AVC accessing shadow during gnome login
From: Alan Rouse @ 2010-04-12 19:24 UTC
To: SE-Linux
I'm getting the following when I log in via the gnome login gui (OpenSUSE 11.2) with dontaudit turned off:
type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
But I think the required access is prohibited via 'neverallow'. Suggestions welcome.
Thanks
* Re: AVC accessing shadow during gnome login
From: Justin P. Mattock @ 2010-04-13 1:23 UTC
To: Alan Rouse; +Cc: SE-Linux
On 04/12/2010 12:24 PM, Alan Rouse wrote:
> I'm getting the following when I log in via the gnome login gui
> (OpenSUSE 11.2) with dontaudit turned off:
> type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475
> comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475
> comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for
> pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609
> scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
> But I think the required access is prohibited via 'neverallow'.
> Suggestions welcome.
> Thanks
I think shadow is always rejected by the policy,
and chkpwd is allowed.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: AVC accessing shadow during gnome login
From: Daniel J Walsh @ 2010-04-13 12:46 UTC
To: Alan Rouse; +Cc: SE-Linux
On 04/12/2010 03:24 PM, Alan Rouse wrote:
> I'm getting the following when I log in via the gnome login gui (OpenSUSE 11.2) with dontaudit turned off:
>
> type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
> type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
>
> But I think the required access is prohibited via 'neverallow'. Suggestions welcome.
>
> Thanks
xdm_t uses /sbin/unix_chkpwd to read the shadow file. The pam stack
will execute this program if it can not read shadow directly. In Fedora
and RHEL products we now attempt to execute /sbin/unix_chkpwd first and
then fail over to trying to read the shadow file.
* RE: AVC accessing shadow during gnome login
From: Alan Rouse @ 2010-04-13 14:10 UTC
To: SE-Linux
> xdm_t uses /sbin/unix_chkpwd to read the shadow file.
> The pam stack will execute this program if it can not
> read shadow directly. In Fedora and RHEL products we
> now attempt to execute /sbin/unix_chkpwd first and then
> fail over to trying to read the shadow file.
I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb <specfile> command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i?
* Re: AVC accessing shadow during gnome login
From: Daniel J Walsh @ 2010-04-13 15:17 UTC
To: Alan Rouse; +Cc: SE-Linux
On 04/13/2010 10:10 AM, Alan Rouse wrote:
>> xdm_t uses /sbin/unix_chkpwd to read the shadow file.
>> The pam stack will execute this program if it can not
>> read shadow directly. In Fedora and RHEL products we
>> now attempt to execute /sbin/unix_chkpwd first and then
>> fail over to trying to read the shadow file.
>
> I discovered this situation when I took some modules generated by audit2allow and added them as a layer inside the reference policy source tarball. The rpmbuild -bb <specfile> command reported a conflict between an allow rule (allow xdm_t shadow_t...) and a neverallow rule (a good thing!) What seems odd to me is that I can load that same module via semodule -i and it doesn't complain -- and access by xdm_t to shadow_t is allowed. Is that correct behavior for semodule -i?
We are only enforcing neverallow at build time, because of the speed of
the compiler.
You can turn it on by editing /etc/selinux/semanage.conf and turning on
expand-check=1
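Editor's worked example, added after the thread; it is not a message from any participant and not code from the SELinux project or the reference policy. It takes the audit2allow workflow Alan describes and makes the two points Dan raises checkable before a module is built: the script parses AVC lines like the three quoted above, merges them into the allow rule audit2allow would emit, and flags that rule when it would grant a permission a neverallow protects. The NEVERALLOW table is a hand-written approximation of the policy's shadow_t rule, and chkpwd_t as the domain of /sbin/unix_chkpwd is an assumption; both should be checked against the installed policy source. It also reads a semanage.conf body for expand-check, since with that setting off semodule -i loads the conflicting rule without complaint. The three xdm_t lines are the ones from the thread; the control AVC line and the semanage.conf text are constructed.

```python
"""Triage SELinux AVC denials before running them through audit2allow.

Editor-added example, not code from this thread, libselinux or the reference
policy. NEVERALLOW is a hand-written approximation of the policy's shadow_t
protection (an assumption; check the real rule in your policy source).
"""
import re

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (target type, class, protected perms, source domains the neverallow exempts).
# chkpwd_t is assumed here to be the domain of /sbin/unix_chkpwd, the helper
# the PAM stack executes when the calling domain may not read shadow itself.
NEVERALLOW = [("shadow_t", "file", {"read"}, {"chkpwd_t"})]

# The three denials quoted in the thread, verbatim.
THREAD_AVCS = [
    'type=AVC msg=audit(1271099674.777:3): avc: denied { read } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1271099674.780:4): avc: denied { open } for pid=2475 comm="gdm-session-wor" name="shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1271099674.792:5): avc: denied { getattr } for pid=2475 comm="gdm-session-wor" path="/etc/shadow" dev=sda2 ino=129609 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]
# Constructed control line (not from the thread): a denial the table does not cover.
CONTROL_AVC = ('type=AVC msg=audit(1271099674.900:6): avc: denied { getattr } for pid=2475 '
               'comm="gdm-session-wor" path="/etc/foo.conf" dev=sda2 ino=4242 '
               'scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
               'tcontext=system_u:object_r:etc_t:s0 tclass=file')
# Constructed semanage.conf body, not copied from any distribution.
SAMPLE_SEMANAGE_CONF = "# constructed sample\nmodule-store = direct\nexpand-check=0\n"


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def parse_avc(line):
    """One AVC denial line -> dict of perms, source type, target type, class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"perms": set(m.group("perms").split()),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"], "comm": fields.get("comm", "?")}


def merge_rules(lines):
    """Group denials as audit2allow does: one rule per (source, target, class)."""
    rules = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return rules


def allow_rule(key, perms):
    """Render the allow rule audit2allow would emit for a merged denial."""
    body = " ".join(sorted(perms))
    if len(perms) > 1:
        body = "{ %s }" % body
    return "allow %s %s:%s %s;" % (key[0], key[1], key[2], body)


def neverallow_conflict(key, perms):
    """Protected perms the rule would grant against NEVERALLOW (empty set if none)."""
    stype, ttype, tclass = key
    hits = set()
    for t, c, protected, exempt in NEVERALLOW:
        if ttype == t and tclass == c and stype not in exempt:
            hits |= perms & protected
    return hits


def triage(lines):
    """Map each generated allow rule to a verdict string."""
    verdicts = {}
    for key, perms in merge_rules(lines).items():
        hits = neverallow_conflict(key, perms)
        if hits:
            verdicts[allow_rule(key, perms)] = (
                "REJECT: grants %s on %s, which a neverallow forbids; this is the "
                "denial the policy dontaudits, and the PAM helper does the read"
                % (sorted(hits), key[1]))
        else:
            verdicts[allow_rule(key, perms)] = "ok: no neverallow collision in the table"
    return verdicts


def expand_check_enabled(semanage_conf):
    """True/False for an explicit expand-check line; None if the file does not set it.
    Without expand-check=1, semodule -i loads rules that violate a neverallow."""
    for raw in semanage_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("expand-check") and "=" in line:
            return line.split("=", 1)[1].strip() == "1"
    return None  # libsemanage's compiled-in default applies; not guessed here


if __name__ == "__main__":
    for rule, verdict in triage(THREAD_AVCS + [CONTROL_AVC]).items():
        print(rule, "->", verdict)
    print("expand-check explicitly on:", expand_check_enabled(SAMPLE_SEMANAGE_CONF))
```

Run as a script it prints one verdict per merged rule. Fed the thread's three lines it reconstructs `allow xdm_t shadow_t:file { getattr open read };` and marks it REJECT, which is the cue to drop that rule from the module rather than install it with semodule -i, and to leave the password check to the unix_chkpwd path; the constructed etc_t denial passes through as a rule the table has no opinion on, which is the point: the script only catches what its table knows, so the table has to mirror the neverallow rules of the policy actually in use.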