SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* nss-systemd D-Bus call caused by getpwent
@ 2019-01-05 23:23 Nicolas Iooss
  2019-01-06  7:33 ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Nicolas Iooss @ 2019-01-05 23:23 UTC (permalink / raw)
  To: selinux-refpolicy

Hi,
While testing the current master branch of refpolicy on Arch Linux, I
encountered the following denial:

type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc:  denied  { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
dest=org.freedesktop.systemd1 spid=14828 tpid=1
scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t
tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81
hostname=? addr=? terminal=?'

My OpenSSH server is calling GetDynamicUsers() exposed by systemd over
D-Bus. This call comes from systemd's NSSwitch module and occurs when
OpenSSH calls setpwent() to get information about a user
(https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).
How should this be handled by refpolicy? For example, would adding a
call to init_dbus_chat(nsswitch_domain) in a ifdef(`init_systemd')
block be acceptable? This would allow any callers of
auth_use_nsswitch() to be able to communicate with systemd's PID 1
over D-Bus.

Cheers,
Nicolas


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nss-systemd D-Bus call caused by getpwent
  2019-01-05 23:23 nss-systemd D-Bus call caused by getpwent Nicolas Iooss
@ 2019-01-06  7:33 ` Dominick Grift
  2019-01-06 18:56   ` Chris PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2019-01-06  7:33 UTC (permalink / raw)
  To: Nicolas Iooss; +Cc: selinux-refpolicy

Nicolas Iooss <nicolas.iooss@m4x.org> writes:

> Hi,
> While testing the current master branch of refpolicy on Arch Linux, I
> encountered the following denial:
>
> type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81
> auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
> msg='avc:  denied  { send_msg } for msgtype=method_call
> interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
> dest=org.freedesktop.systemd1 spid=14828 tpid=1
> scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t
> tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81
> hostname=? addr=? terminal=?'
>
> My OpenSSH server is calling GetDynamicUsers() exposed by systemd over
> D-Bus. This call comes from systemd's NSSwitch module and occurs when
> OpenSSH calls setpwent() to get information about a user
> (https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).
> How should this be handled by refpolicy? For example, would adding a
> call to init_dbus_chat(nsswitch_domain) in a ifdef(`init_systemd')
> block be acceptable? This would allow any callers of
> auth_use_nsswitch() to be able to communicate with systemd's PID 1
> over D-Bus.

FWIW I have this in my nss macro too, However I have two nss macros, one
base macro and one superset that has this call amongst others
(mymachines resolve etc) I only give nss base access to my confined
users since they will never have access to any objects associated with
userns uids/gids anyways so they shouldnt get into a position where they
need to resolve them (except confined sysadm)
>
> Cheers,
> Nicolas
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nss-systemd D-Bus call caused by getpwent
  2019-01-06  7:33 ` Dominick Grift
@ 2019-01-06 18:56   ` Chris PeBenito
  2019-01-06 19:27     ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2019-01-06 18:56 UTC (permalink / raw)
  To: Dominick Grift, Nicolas Iooss; +Cc: selinux-refpolicy

On 1/6/19 2:33 AM, Dominick Grift wrote:
> Nicolas Iooss <nicolas.iooss@m4x.org> writes:
> 
>> Hi,
>> While testing the current master branch of refpolicy on Arch Linux, I
>> encountered the following denial:
>>
>> type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
>> msg='avc:  denied  { send_msg } for msgtype=method_call
>> interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
>> dest=org.freedesktop.systemd1 spid=14828 tpid=1
>> scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t
>> tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81
>> hostname=? addr=? terminal=?'
>>
>> My OpenSSH server is calling GetDynamicUsers() exposed by systemd over
>> D-Bus. This call comes from systemd's NSSwitch module and occurs when
>> OpenSSH calls setpwent() to get information about a user
>> (https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).
>> How should this be handled by refpolicy? For example, would adding a
>> call to init_dbus_chat(nsswitch_domain) in a ifdef(`init_systemd')
>> block be acceptable? This would allow any callers of
>> auth_use_nsswitch() to be able to communicate with systemd's PID 1
>> over D-Bus.
> 
> FWIW I have this in my nss macro too, However I have two nss macros, one
> base macro and one superset that has this call amongst others
> (mymachines resolve etc) I only give nss base access to my confined
> users since they will never have access to any objects associated with
> userns uids/gids anyways so they shouldnt get into a position where they
> need to resolve them (except confined sysadm)

I've been dissatisfied with what auth_use_nsswitch() and auth_use_pam() 
have turned into, as I think they're too big.  It's not an easy thing to 
define due them being inherently extensible.  What you describe is one 
possible good direction to go towards.  I was also concerned about all 
of the network access that is allowed by it and thought about splitting 
out the local accesses into a base interface.


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nss-systemd D-Bus call caused by getpwent
  2019-01-06 18:56   ` Chris PeBenito
@ 2019-01-06 19:27     ` Dominick Grift
  2019-01-06 21:37       ` Nicolas Iooss
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2019-01-06 19:27 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Nicolas Iooss, selinux-refpolicy

Chris PeBenito <pebenito@ieee.org> writes:

> On 1/6/19 2:33 AM, Dominick Grift wrote:
>> Nicolas Iooss <nicolas.iooss@m4x.org> writes:
>>
>>> Hi,
>>> While testing the current master branch of refpolicy on Arch Linux, I
>>> encountered the following denial:
>>>
>>> type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81
>>> auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
>>> msg='avc:  denied  { send_msg } for msgtype=method_call
>>> interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
>>> dest=org.freedesktop.systemd1 spid=14828 tpid=1
>>> scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t
>>> tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81
>>> hostname=? addr=? terminal=?'
>>>
>>> My OpenSSH server is calling GetDynamicUsers() exposed by systemd over
>>> D-Bus. This call comes from systemd's NSSwitch module and occurs when
>>> OpenSSH calls setpwent() to get information about a user
>>> (https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).
>>> How should this be handled by refpolicy? For example, would adding a
>>> call to init_dbus_chat(nsswitch_domain) in a ifdef(`init_systemd')
>>> block be acceptable? This would allow any callers of
>>> auth_use_nsswitch() to be able to communicate with systemd's PID 1
>>> over D-Bus.
>>
>> FWIW I have this in my nss macro too, However I have two nss macros, one
>> base macro and one superset that has this call amongst others
>> (mymachines resolve etc) I only give nss base access to my confined
>> users since they will never have access to any objects associated with
>> userns uids/gids anyways so they shouldnt get into a position where they
>> need to resolve them (except confined sysadm)
>
> I've been dissatisfied with what auth_use_nsswitch() and
> auth_use_pam() have turned into, as I think they're too big.  It's not
> an easy thing to define due them being inherently extensible.  What
> you describe is one possible good direction to go towards.  I was also
> concerned about all of the network access that is allowed by it and
> thought about splitting out the local accesses into a base interface.

I agree, but it gets hard to maintain if you split all the individual
nss modules.

The solution i implemented in my policy also has its limitations and
assumptions, and is pretty much all or almost nothing.

Atleast you have the init_systemd tunable which atleast addresses the
various nss_systemd modules to some degree.

I only allow my confined unpriv users to read passwd and nss config, the
drawback of this is that these shells cannot use /proc/net/"protocol"
which is nice on the one hand for confined shells but it "breaks" bash

Its a tough issue

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: nss-systemd D-Bus call caused by getpwent
  2019-01-06 19:27     ` Dominick Grift
@ 2019-01-06 21:37       ` Nicolas Iooss
  0 siblings, 0 replies; 5+ messages in thread
From: Nicolas Iooss @ 2019-01-06 21:37 UTC (permalink / raw)
  To: Dominick Grift, Chris PeBenito; +Cc: selinux-refpolicy

On Sun, Jan 6, 2019 at 8:27 PM Dominick Grift <dac.override@gmail.com> wrote:
>
> Chris PeBenito <pebenito@ieee.org> writes:
>
> > On 1/6/19 2:33 AM, Dominick Grift wrote:
> >> Nicolas Iooss <nicolas.iooss@m4x.org> writes:
> >>
> >>> Hi,
> >>> While testing the current master branch of refpolicy on Arch Linux, I
> >>> encountered the following denial:
> >>>
> >>> type=USER_AVC msg=audit(1546729287.319:440): pid=312 uid=81
> >>> auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
> >>> msg='avc:  denied  { send_msg } for msgtype=method_call
> >>> interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
> >>> dest=org.freedesktop.systemd1 spid=14828 tpid=1
> >>> scontext=system_u:system_r:sshd_t tcontext=system_u:system_r:init_t
> >>> tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=81
> >>> hostname=? addr=? terminal=?'
> >>>
> >>> My OpenSSH server is calling GetDynamicUsers() exposed by systemd over
> >>> D-Bus. This call comes from systemd's NSSwitch module and occurs when
> >>> OpenSSH calls setpwent() to get information about a user
> >>> (https://github.com/systemd/systemd/blob/v240/src/nss-systemd/nss-systemd.c#L676).
> >>> How should this be handled by refpolicy? For example, would adding a
> >>> call to init_dbus_chat(nsswitch_domain) in a ifdef(`init_systemd')
> >>> block be acceptable? This would allow any callers of
> >>> auth_use_nsswitch() to be able to communicate with systemd's PID 1
> >>> over D-Bus.
> >>
> >> FWIW I have this in my nss macro too, However I have two nss macros, one
> >> base macro and one superset that has this call amongst others
> >> (mymachines resolve etc) I only give nss base access to my confined
> >> users since they will never have access to any objects associated with
> >> userns uids/gids anyways so they shouldnt get into a position where they
> >> need to resolve them (except confined sysadm)
> >
> > I've been dissatisfied with what auth_use_nsswitch() and
> > auth_use_pam() have turned into, as I think they're too big.  It's not
> > an easy thing to define due them being inherently extensible.  What
> > you describe is one possible good direction to go towards.  I was also
> > concerned about all of the network access that is allowed by it and
> > thought about splitting out the local accesses into a base interface.
>
> I agree, but it gets hard to maintain if you split all the individual
> nss modules.
>
> The solution i implemented in my policy also has its limitations and
> assumptions, and is pretty much all or almost nothing.
>
> Atleast you have the init_systemd tunable which atleast addresses the
> various nss_systemd modules to some degree.
>
> I only allow my confined unpriv users to read passwd and nss config, the
> drawback of this is that these shells cannot use /proc/net/"protocol"
> which is nice on the one hand for confined shells but it "breaks" bash
>
> Its a tough issue

All right, I agree restricting auth_use_nsswitch() and auth_use_pam()
is tough, and I do not have enough time of take care of this issue by
creating a new minimal interface.
Moreover, when I see users of auth_use_nsswitch(), I have the
impression that most of them use it for host name resolution, which
does not use nss-systemd module. Therefore I also agree with only
adding init_dbus_chat(sshd_t) for the issue I had, which is what
commit ef6c7f155e10 ("systemd misc") did.

Thanks for your comments.
Nicolas


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-05 23:23 nss-systemd D-Bus call caused by getpwent Nicolas Iooss
2019-01-06  7:33 ` Dominick Grift
2019-01-06 18:56   ` Chris PeBenito
2019-01-06 19:27     ` Dominick Grift
2019-01-06 21:37       ` Nicolas Iooss

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable: git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox