From: Nicolas Iooss
Date: Sun, 6 Jan 2019 00:23:42 +0100
Subject: nss-systemd D-Bus call caused by getpwent
To: selinux-refpolicy@vger.kernel.org
Hi,

While testing the current master branch of refpolicy on Arch Linux, I encountered the following denial:

    type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=14828 tpid=1 scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

My OpenSSH server is calling GetDynamicUsers() exposed by systemd over D-Bus. This call comes from systemd's NSSwitch module and occurs when OpenSSH calls setpwent() to get information about a user (https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).

How should this be handled by refpolicy? For example, would adding a call to init_dbus_chat(nsswitch_domain) in an ifdef(`init_systemd') block be acceptable? This would allow any callers of auth_use_nsswitch() to be able to communicate with systemd's PID 1 over D-Bus.

Cheers,
Nicolas
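Added triage helper for the record quoted above (not part of this message, of refpolicy or of systemd): a USER_AVC line carries two layers of key=value pairs, the outer audit fields and the AVC body that dbus-daemon wraps in msg='...', so a naive split on spaces mixes them up; the parser below unwraps the inner payload and reduces a dbus-class denial to the source type, target type, permissions, interface and member that a policy change has to cover. The sample record is a constructed copy of the one in the message.

```python
import re

# Constructed copy of the USER_AVC record quoted in the message above.
SAMPLE_RECORD = (
    "type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t "
    "msg='avc: denied { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers "
    "dest=org.freedesktop.systemd1 spid=14828 tpid=1 "
    "scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t "
    "tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\" sauid=81 "
    "hostname=? addr=? terminal=?'"
)

# key=value where the value is single-quoted, double-quoted, or a bare token
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")
INNER_MSG_RE = re.compile(r"msg='(.*)'\s*$")


def parse_user_avc(record):
    """Flatten one USER_AVC line into a dict.

    The inner msg='...' payload (written by dbus-daemon) is cut out first
    and parsed on its own, so its double-quoted values (exe="...") and its
    scontext/tcontext/tclass end up at the top level next to the outer
    audit fields (pid, uid, subj, ...).
    """
    inner_match = INNER_MSG_RE.search(record)
    outer = record[:inner_match.start()] if inner_match else record
    inner = inner_match.group(1) if inner_match else ""
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(outer)}
    fields.update({k: v.strip("'\"") for k, v in FIELD_RE.findall(inner)})
    perms = PERMS_RE.search(inner)
    fields["permissions"] = perms.group(1).split() if perms else []
    return fields


def context_type(context):
    """Return the type component of a user:role:type[:level] context."""
    return context.split(":")[2]


def dbus_denial_summary(record):
    """Reduce a dbus-class denial to (source type, target type, permissions,
    D-Bus interface, member); None for records that are not dbus denials."""
    f = parse_user_avc(record)
    if f.get("tclass") != "dbus" or not f["permissions"]:
        return None
    return (context_type(f["scontext"]), context_type(f["tcontext"]),
            tuple(f["permissions"]), f.get("interface"), f.get("member"))
```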