Mc/nsswitch usage #330
Conversation
Fixes:
denied { read } for pid=80 comm="agetty" name="userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { open } for pid=80 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { getattr } for pid=80 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { search } for pid=80 comm="agetty" name="userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { write } for pid=80 comm="agetty" name="io.systemd.DynamicUser" dev="tmpfs" ino=811 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
denied { connectto } for pid=80 comm="agetty" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket permissive=1
Suggested-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>

Fixes:
denied { write } for pid=49 comm="systemd-tmpfile" name="io.systemd.DynamicUser" dev="tmpfs" ino=811 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
denied { connectto } for pid=49 comm="systemd-tmpfile" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket permissive=1
Suggested-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
@@ -84,6 +84,7 @@ term_setattr_unallocated_ttys(getty_t) | |||
term_setattr_console(getty_t) | |||
|
|||
auth_rw_login_records(getty_t) | |||
auth_use_nsswitch(getty_t) |
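Review bot: the added auth_use_nsswitch(getty_t) grants the whole nsswitch client set, but the denials in the commit message are all on one object group: the /run/systemd/userdb directory (read, open, getattr, search), the io.systemd.DynamicUser sock_file (write) and a connectto on init_t's unix_stream_socket. If agetty only needs the userdb socket, a narrower interface limited to that socket is the tighter fix; if the full set really is needed, the commit message should say which lookup agetty performs, since the AVC lines show the object but not the call, and should say whether agetty fails in enforcing mode (every line here was logged with permissive=1, so nothing was actually blocked). Only the getty.te hunk is visible here; the systemd-tmpfiles change described in the second commit message is not shown.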
This seems strange, do you know why this is happening in the first place?
Sorry, I should have added more context.
This is actually due to interactions with io.systemd.DynamicUsers and userdb.
Adding auth_use_nsswitch(getty_t) fixes the following avc errors on a Buildroot-based system:
audit: type=1400 audit(1610032673.915:3): avc: denied { read } for pid=75 comm="agetty" name="userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.915:3): avc: denied { open } for pid=75 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.959:4): avc: denied { getattr } for pid=75 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.979:5): avc: denied { search } for pid=75 comm="agetty" name="userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.979:5): avc: denied { write } for pid=75 comm="agetty" name="io.systemd.DynamicUser" dev="tmpfs" ino=814 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
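To see concretely what denials like these ask for, here is an added example (my own Python, not refpolicy code and not audit2allow, although it does the same grouping audit2allow performs): it parses AVC lines into the minimal allow rules they imply, one per source type, target type and object class, and reports whether they were logged under permissive=1. The sample input is the six denials quoted in this PR's first commit message; the function names `parse_avc`, `parse_avcs`, `allow_rules` and `all_permissive` are mine.

```python
"""Derive minimal SELinux allow rules from AVC denial lines.

Added example, not refpolicy code and not audit2allow: a small parser that
turns "denied { perms }" lines into the allow rules they imply, grouped by
(source type, target type, object class), and reports whether every denial
was taken in permissive mode.
"""
import re
from collections import defaultdict

# Constructed sample: the six denials quoted in this PR's first commit message
# (pids and inode numbers are whatever that boot produced).
SAMPLE_AVCS = """\
denied { read } for pid=80 comm="agetty" name="userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { open } for pid=80 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { getattr } for pid=80 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { search } for pid=80 comm="agetty" name="userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { write } for pid=80 comm="agetty" name="io.systemd.DynamicUser" dev="tmpfs" ino=811 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
denied { connectto } for pid=80 comm="agetty" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket permissive=1
"""

# Matches both bare "denied { ... } for ..." lines and full "audit: ... avc: denied ..." lines.
AVC_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either a quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """A security context is user:role:type[:range]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC line into a dict (perms, stype, ttype, tclass, permissive, ...)
    or return None when the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["stype"] = _type_of(rec.get("scontext", ""))
    rec["ttype"] = _type_of(rec.get("tcontext", ""))
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def parse_avcs(text):
    """Parse every denial in a block of log text, skipping non-AVC lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def allow_rules(denials):
    """Collapse denials into one allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def all_permissive(denials):
    """True when every denial carries permissive=1, i.e. the kernel logged but did
    not block the access, so the log alone cannot show whether the program breaks."""
    return bool(denials) and all(d["permissive"] for d in denials)


if __name__ == "__main__":
    dens = parse_avcs(SAMPLE_AVCS)
    print("all denials logged in permissive mode:", all_permissive(dens))
    for rule in allow_rules(dens):
        print(rule)
```

Two things the output makes visible. First, the connectto denial targets init_t, not systemd_userdb_runtime_t: the listening socket belongs to systemd's domain, so a rule on the sock_file alone would not let agetty connect, which is why the PR reaches for an interface that covers the whole userdb path. Second, every line carries permissive=1, so agetty was never actually blocked, and this log cannot by itself answer whether agetty fails in enforcing mode; that has to be tested with the domain enforcing.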
It seems like this shouldn't be necessary since AFAICS agetty only does host/domainname lookups. Does agetty break over those denials? If not, maybe we should split up auth_use_nsswitch() into different nsswitch services.
Chris PeBenito <notifications@github.com> writes:
@pebenito commented on this pull request.
------------------------------------------------------------------------------------------------------------
In policy/modules/system/getty.te:
> @@ -84,6 +84,7 @@ term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
It seems like this shouldn't be necessary since AFAICS agetty only does host/domainname lookups. Does agetty
break over those denials? If not, maybe we should split up auth_use_nsswitch() into different nsswitch
services.
I do not think it does host/domain name lookups (why would it?), instead it uses nss password/group, not sure why though but it does chowns/fsetids the terminals and it does list /etc, so those could explain why it may want to resolve names from passwd/group.

The DynamicUser also indicates that it's about resolving user/group names.
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
I did some digging and I found agetty uses getty will read in the username but that is passed to the login program which does the lookups, authentication and tty chmod/relabel; agetty doesn't do any processing with the username. It does do a
These rules ended up merging in #359. Sorry for letting this hang. Thanks for your contribution!
Hello,
This PR adds the use of auth_use_nsswitch() for getty and systemd-tmpfiles, as discussed in PR #307.
Now that PR #269 is merged, we can use auth_use_nsswitch to solve issues where getty and systemd-tmpfiles would need to access the userdb.
Any review is welcome!
Thanks to @atenart for starting this work.
Regards,
Maxime