Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 401595 - chsh doesn't work in enforcing mode ~amd64/selinux
Summary: chsh doesn't work in enforcing mode ~amd64/selinux
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-30 23:03 UTC by Amadeusz Sławiński
Modified: 2012-04-29 15:13 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Amadeusz Sławiński 2012-01-30 23:03:44 UTC
chsh cannot change shell as root or user(staff_u) haven't tested with user_u but probably also fails

seems like it cannot work with /etc/.pwd.lock (system_u:object_r:shadow_t) file

Trying to change shell with enforcing mode:

Jan 31 00:00:12 localhost kernel: [ 6099.295297] type=1400 audit(1327964412.806:650): avc:  denied  { write } for  pid=18351 comm="chsh" name=".pwd.lock" dev="dm-0" ino=7414347 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:shadow_t tclass=file

Changing shell in permissive:
Jan 31 00:00:34 localhost kernel: [ 6121.390495] type=1400 audit(1327964434.946:652): avc:  denied  { write } for  pid=18355 comm="chsh" name=".pwd.lock" dev="dm-0" ino=7414347 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:shadow_t tclass=file
Jan 31 00:00:35 localhost kernel: [ 6121.543743] type=1400 audit(1327964435.099:653): avc:  denied  { execute } for  pid=18357 comm="chsh" name="nscd" dev="dm-0" ino=25749590 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
Jan 31 00:00:35 localhost kernel: [ 6121.543759] type=1400 audit(1327964435.099:654): avc:  denied  { read open } for  pid=18357 comm="chsh" name="nscd" dev="dm-0" ino=25749590 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file
Jan 31 00:00:35 localhost kernel: [ 6121.543877] type=1400 audit(1327964435.099:655): avc:  denied  { execute_no_trans } for  pid=18357 comm="chsh" path="/usr/sbin/nscd" dev="dm-0" ino=25749590 scontext=staff_u:sysadm_r:chfn_t tcontext=system_u:object_r:nscd_exec_t tclass=file


Reproducible: Always

Steps to Reproduce:
1. run chsh
2. enter new shell
Actual Results:  
Changing the login shell for root
Enter the new value, or press ENTER for the default
	Login Shell [/bin/bash]: /bin/zsh
chsh: cannot lock /etc/passwd; try again later.


Expected Results:  
Changes shell

Portage 2.1.10.44 (hardened/linux/amd64/selinux, gcc-4.5.3, glibc-2.14.1-r2, 3.2.2-hardened-r1 x86_64)
=================================================================
System uname: Linux-3.2.2-hardened-r1-x86_64-Intel-R-_Core-TM-_i3_CPU_M_350_@_2.27GHz-with-gentoo-2.1
Timestamp of tree: Mon, 30 Jan 2012 19:30:01 +0000
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          0.9.8.2
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.11.2-r1
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.3-r2, 4.7.0_alpha20120114::hardened-dev
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.2 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r2
Repositories: gentoo hardened-dev my_local_overlay
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA Intel-SDP PUEL"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acpi alsa amd64 bash-completion berkdb bzip2 cli cracklib crypt cxx dbus dri gdbm gif gpm hardened iconv jpeg justify mmx modules mudflap multilib ncurses nls nptl nptlonly open_perms opengl openmp pam pax_kernel pcre png pppd readline selinux session sse sse2 ssl ssse3 sysfs system-sqlite tcpd tiff truetype udev unicode urandom usb v4l vim-syntax xinerama xorg zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-08 21:09:16 UTC
I'm not that happy with the two obvious scenario's here:

- allow chfn_t to manage shadow_t files (or even just write to them if that's all that was needed). After all, it should only update the passwd file. Sadly, it uses the /etc/.pwd.lock file as a locking file to ensure updates aren't crossing each other. But granting it access to shadow_t opens a path for more disclosure (or even modification of) which I really don't want to do.

- make /etc/.pwd.lock an etc_t file instead of shadow_t. Although I don't know if there is a risk here, it strikes me that this file is explicitly marked as a shadow_t file in our policy. "Lowering" its type to etc_t *might* make it susceptible to race conditions from less trusted resources (which do have etc_t write privileges)

Going to check with some other authorative sources on this one
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-03-27 19:32:45 UTC
Checking upstream

See http://oss.tresys.com/pipermail/refpolicy/2012-March/005027.html
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-06 12:14:42 UTC
Ok, going to mark .pwd.lock as etc_t for now.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 08:38:14 UTC
In hardened-dev overlay (since 2012-04-11, forgot to update bugreport)

You might need to restorecon /etc/.pwd.lock after updating the policies at first.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-22 11:55:22 UTC
In main tree, ~arch'ed
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-04-29 15:13:53 UTC
Stable