From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
Date: Tue, 26 Mar 2019 10:17:33 +0000 (UTC) [thread overview]
Message-ID: <1553508325.8eb6fcff84e1c7e037c4b5b18ab36e00283bc4ec.perfinion@gentoo> (raw)
commit: 8eb6fcff84e1c7e037c4b5b18ab36e00283bc4ec
Author: Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Mar 5 22:33:50 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8eb6fcff
Update cron use to pam interface
I'm seeing a many denials for cron related to faillog_t, lastlog_t
and wtmp_t. These are all due to the fact cron is using pam (and my
system is configured with pam_faillog). I have updated cron to use
auth_use_pam interface to grant needed permissions.
Additional change to allow systemd_logind dbus for cron.
I have included many of the denials I'm seeing, but there are probably
others I didn't capture.
type=AVC msg=audit(1551411001.389:1281): avc: denied { read write } for pid=8807 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1281): avc: denied { open } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1281): arch=c000003e syscall=2 success=yes exit=3 a0=7f94f608c2ee a1=2 a2=0 a3=75646f6d6d61705f items=1 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key="logins"
type=AVC msg=audit(1551411001.389:1282): avc: denied { lock } for pid=8807 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551411001.389:1282): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=8807 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1551411001.389:1283): avc: denied { write } for pid=8807 comm="crond" name="wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551411001.389:1283): avc: denied { open } for pid=8807 comm="crond" path="/var/log/wtmp" dev="dm-14" ino=103 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.489:1513): avc: denied { getattr } for pid=7323 comm="systemd-logind" path="/proc/9183/cgroup" dev="proc" ino=49836 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { read write } for pid=9183 comm="crond" name="lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1514): avc: denied { open } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551412201.511:1515): avc: denied { lock } for pid=9183 comm="crond" path="/var/log/lastlog" dev="dm-14" ino=102 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1551412201.511:1515): arch=c000003e syscall=72 success=yes exit=0 a0=3 a1=6 a2=7ffc882a83d0 a3=75646f6d6d61705f items=0 ppid=7345 pid=9183 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="crond" exe="/usr/sbin/crond" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=USER_START msg=audit(1551412201.511:1516): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1551412201.512:1517): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1551412201.524:1521): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1551412201.525:1522): pid=9183 uid=0 auid=0 ses=7 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_lastlog acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AVC msg=audit(1551629402.000:21914): pid=7387 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=CreateSession dest=org.freedesktop.login1 spid=6407 tpid=7395 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/services/cron.te | 4 ++--
policy/modules/system/authlogin.if | 3 +--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index f58f6d15..0a19e09c 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -315,9 +315,8 @@ init_start_all_units(system_cronjob_t)
init_get_generic_units_status(system_cronjob_t)
init_get_system_status(system_cronjob_t)
-auth_domtrans_chk_passwd(crond_t)
auth_manage_var_auth(crond_t)
-auth_use_nsswitch(crond_t)
+auth_use_pam(crond_t)
logging_send_audit_msgs(crond_t)
logging_send_syslog_msg(crond_t)
@@ -439,6 +438,7 @@ optional_policy(`
')
optional_policy(`
+ systemd_dbus_chat_logind(crond_t)
systemd_write_inherited_logind_sessions_pipes(crond_t)
')
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 1ebd8814..702f38f1 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -51,10 +51,9 @@ interface(`auth_use_pam',`
auth_domtrans_chk_passwd($1)
auth_domtrans_upd_passwd($1)
auth_dontaudit_read_shadow($1)
- auth_read_login_records($1)
- auth_append_login_records($1)
auth_rw_lastlog($1)
auth_rw_faillog($1)
+ auth_rw_login_records($1)
auth_setattr_faillog_files($1)
auth_exec_pam($1)
auth_use_nsswitch($1)
next reply other threads:[~2019-03-26 10:17 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 10:17 Jason Zaman [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-09-22 0:03 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/ Jason Zaman
2023-10-06 16:44 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2021-01-11 1:27 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-02-15 7:33 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-02-10 4:14 Jason Zaman
2018-12-09 11:48 Jason Zaman
2017-12-12 7:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-01-13 18:43 Sven Vermeulen
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 Jason Zaman
2015-05-27 20:00 Jason Zaman
2014-06-30 19:03 Sven Vermeulen
2014-06-30 19:03 Sven Vermeulen
2014-06-10 18:17 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2012-12-07 15:36 Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1553508325.8eb6fcff84e1c7e037c4b5b18ab36e00283bc4ec.perfinion@gentoo \
--to=perfinion@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox