Mc/nsswitch usage #330
Mc/nsswitch usage #330
Conversation
Fixes :
denied { read } for pid=80 comm="agetty" name="userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { open } for pid=80 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { getattr } for pid=80 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { search } for pid=80 comm="agetty" name="userdb" dev="tmpfs" ino=809 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
denied { write } for pid=80 comm="agetty" name="io.systemd.DynamicUser" dev="tmpfs" ino=811 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
denied { connectto } for pid=80 comm="agetty" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:getty_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket permissive=1
Suggested-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Fixes :
denied { write } for pid=49 comm="systemd-tmpfile" name="io.systemd.DynamicUser" dev="tmpfs" ino=811 scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
denied { connectto } for pid=49 comm="systemd-tmpfile" path="/run/systemd/userdb/io.systemd.DynamicUser" scontext=system_u:system_r:systemd_tmpfiles_t tcontext=system_u:system_r:init_t tclass=unix_stream_socket permissive=1
Suggested-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
| @@ -84,6 +84,7 @@ term_setattr_unallocated_ttys(getty_t) | |||
| term_setattr_console(getty_t) | |||
|
|
|||
| auth_rw_login_records(getty_t) | |||
| auth_use_nsswitch(getty_t) | |||
There was a problem hiding this comment.
This seems strange, do you know why this is happening in the first place?
There was a problem hiding this comment.
Sorry I should have added more context.
This is actually due to interactions with io.systemd.DynamicUsers and userdb.
Adding auth_use_nsswitch(getty_t) fixes the following avc errors on a Buildroot-based system :
audit: type=1400 audit(1610032673.915:3): avc: denied { read } for pid=75 comm="agetty" name="userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.915:3): avc: denied { open } for pid=75 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.959:4): avc: denied { getattr } for pid=75 comm="agetty" path="/run/systemd/userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.979:5): avc: denied { search } for pid=75 comm="agetty" name="userdb" dev="tmpfs" ino=812 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=dir permissive=1
audit: type=1400 audit(1610032673.979:5): avc: denied { write } for pid=75 comm="agetty" name="io.systemd.DynamicUser" dev="tmpfs" ino=814 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:systemd_userdb_runtime_t tclass=sock_file permissive=1
There was a problem hiding this comment.
It seems like this shouldn't be necessary since AFAICS agetty only does host/domainname lookups. Does agetty break over those denials? If not, maybe we should split up auth_use_nsswitch() into different nsswitch services.
|
Chris PeBenito <notifications@github.com> writes:
@pebenito commented on this pull request.
------------------------------------------------------------------------------------------------------------
In policy/modules/system/getty.te:
> @@ -84,6 +84,7 @@ term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
It seems like this shouldn't be necessary since AFAICS agetty only does host/domainname lookups. Does agetty
break over those denials? If not, maybe we should split up auth_use_nsswitch() into different nsswitch
services.
I do not think it does host/domain name lookups (why would it?), instead it uses nss
password/group, not sure why though but it does chowns/fsetids the
terminals and it does list /etc, so those could explain why it may want to
resolve names from passwd/group
The DynamicUser also indicates that its about resolving user/group names
…
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
|
|
I did some digging and I found agetty uses getty will read in the username but that is passed to the login program which does the lookups, authentication and tty chmod/relabel; agetty doesn't do any processing with the username. It does do a |
|
These rules ended up merging in #359. Sorry for letting this hang. Thanks for your contribution! |
Hello,
This PR adds the use of auth_use_nsswitch() for getty and systemd-tmpfiles, as discussed in PR #307 .
Now that PR #269 is merged, we can use auth_use_nsswitch to solve issues where getty and systemd-tmpfiles would need to access the userdb.
Any review is welcome !
Thanks to @atenart for starting this work.
Regards,
Maxime