Date: Wed, 5 Jan 2005 13:49:34 GMT From: Andrew Reisse <areisse@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 68317 for review Message-ID: <200501051349.j05DnYb0012228@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=68317 Change 68317 by areisse@areisse_tislabs on 2005/01/05 13:49:08 Policy and pwd_mkdb changes for passwd, vipw, and adduser with sebsd. Affected files ... .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#5 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/useradd.te#3 edit .. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/passwd.fc#5 edit .. //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#5 edit Differences ... ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#5 (text+ko) ==== @@ -71,7 +71,6 @@ base_passwd_domain($1, `auth_write, privowner') # Update /etc/shadow and /etc/passwd file_type_auto_trans($1_t, etc_t, shadow_t, file) -allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; can_setfscreate($1_t) ') @@ -130,6 +129,9 @@ # for /etc/alternatives/vi allow sysadm_passwd_t etc_t:lnk_file read; +# access the terminal database +r_dir_file(sysadm_passwd_t, usr_t) + # for nscd lookups dontaudit sysadm_passwd_t var_run_t:dir search; 
@@ -138,3 +140,33 @@ allow passwd_t userdomain:file read; allow passwd_t userdomain:process getattr; +################################# +# +# Rules for pwd_mkdb +# +type pwdmkdb_t, domain, auth_write, privowner; +type pwdmkdb_exec_t, exec_type, file_type, sysadmfile; + +role system_r types pwdmkdb_t; +role sysadm_r types pwdmkdb_t; + +general_domain_access(pwdmkdb_t); +uses_shlib(pwdmkdb_t); + +rw_dir_file(pwdmkdb_t, etc_t); +allow pwdmkdb_t {shadow_t etc_t}:file unlink; + +allow pwdmkdb_t privfd:fd use; + +file_type_auto_trans(pwdmkdb_t, etc_t, shadow_t, file) + +# Relabel password files. +allow pwdmkdb_t {etc_t shadow_t}:file { relabelfrom relabelto }; + +# passwords are changed from many source domains. +allow pwdmkdb_t {ttyfile ptyfile}:chr_file { write }; + +# passwd/vipw use pwd_mkdb for the actual updates. +domain_auto_trans({passwd_t sysadm_passwd_t}, pwdmkdb_exec_t, pwdmkdb_t) +allow {passwd_t sysadm_passwd_t} sbin_t:dir search; + ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/useradd.te#3 (text+ko) ==== @@ -41,15 +41,18 @@ file_type_auto_trans($1_t, etc_t, shadow_t, file) allow $1_t etc_t:file create_file_perms; +domain_auto_trans($1_t, pwdmkdb_exec_t, pwdmkdb_t) + # some apps ask for these accesses, but seems to work regardless dontaudit $1_t var_run_t:dir search; r_dir_file($1_t, selinux_config_t) +dontaudit $1_t home_root_t:dir setattr; +allow $1_t self:capability linux_immutable; + # Set fscreate context. can_setfscreate($1_t) -allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto }; - read_locale($1_t) # useradd/userdel request read/write for /var/log/lastlog, and read of /dev, 
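Review bot: The pwd_mkdb rules (hunk @@ -138,3 +140,33 @@) give pwdmkdb_t far more than the password databases: `rw_dir_file(pwdmkdb_t, etc_t)` plus the `unlink` and `{ relabelfrom relabelto }` rules cover every etc_t and shadow_t file. Since the domain is entered automatically from passwd_t and sysadm_passwd_t, the way pwd_mkdb handles its file and directory arguments becomes the boundary protecting the rest of /etc, and that should be stated above the relabel rule, e.g. `# pwdmkdb_t can relabel any etc_t/shadow_t file; keep the entry points below minimal.` Separately, only system_r and sysadm_r are authorized for pwdmkdb_t, so if passwd_t also runs under another role (not visible in this hunk) the transition would be refused for it.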
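Review bot: `allow $1_t self:capability linux_immutable;` in the useradd.te hunk @@ -41,15 +41,18 @@ is a sensitive grant that arrives with no comment, and it applies to every domain built from this macro. The capability governs changing immutable/append-only file attributes, so a why-comment should name the operation that needs it, in the form `# linux_immutable: <tool> changes file flags on <path> before rewriting it`, so the rule can be dropped once that is no longer true. The new `dontaudit $1_t home_root_t:dir setattr;` likewise hides a denial without saying why it is harmless. The macro being edited begins above the hunk.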
@@ -78,6 +81,11 @@ file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir) file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t) +# Access /usr/share/skel +r_dir_file(useradd_t, usr_t) + +allow useradd_t root_t:lnk_file read; + # create/delete mail spool file in /var/mail allow useradd_t var_spool_t:dir search; allow useradd_t mail_spool_t:dir { search write add_name remove_name }; ==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/passwd.fc#5 (text+ko) ==== @@ -10,3 +10,4 @@ /usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t /usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t /usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t +/usr/sbin/pwd_mkdb -- system_u:object_r:pwdmkdb_exec_t ==== //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#5 (text+ko) ==== @@ -56,6 +56,7 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <sys/mac.h> #include "pw_scan.h" @@ -66,6 +67,9 @@ #define LEGACY_VERSION(x) _PW_VERSIONED(x, 3) #define CURRENT_VERSION(x) _PW_VERSIONED(x, 4) +#define SEBSD_INSECURE "sebsd/system_u:object_r:etc_t" +#define SEBSD_SECURE "sebsd/system_u:object_r:shadow_t" + HASHINFO openinfo = { 4096, /* bsize */ 32, /* ffactor */ @@ -86,7 +90,7 @@ void cleanup(void); void error(const char *); void cp(char *, char *, mode_t mode); -void mv(char *, char *); +void mv(char *, char *, const char *label); int scan(FILE *, struct passwd *); static void usage(void); 
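Review bot: `SEBSD_INSECURE` and `SEBSD_SECURE` (pwd_mkdb.c hunk @@ -66,6 +67,9 @@) hard-code policy type names in the binary, and nothing ties them to the policy sources changed in the same commit. If etc_t or shadow_t is renamed, or the file_contexts entries drift, the relabel in mv() fails and, as written further down, only warns. A comment such as `/* MAC labels applied to installed files; must match the sebsd policy types for the password files. */` above the two defines would make that coupling visible to whoever edits the policy next.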
@@ -596,14 +600,14 @@ /* Install as the real password files. */ (void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _MP_DB); (void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _MP_DB); - mv(buf, buf2); + mv(buf, buf2, SEBSD_INSECURE); (void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _SMP_DB); (void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _SMP_DB); - mv(buf, buf2); + mv(buf, buf2, SEBSD_INSECURE); /* XXX getty (etc) use this database incorrectly */ if (makeold) { (void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _PASSWD); (void)snprintf(buf, sizeof(buf), "%s.orig", pname); - mv(buf, buf2); + mv(buf, buf2, SEBSD_INSECURE); } /* * Move the master password LAST -- chpass(1), passwd(1) and vipw(8) @@ -612,7 +616,7 @@ * can no longer be accessed. */ (void)snprintf(buf, sizeof(buf), "%s/%s", prefix, _MASTERPASSWD); - mv(pname, buf); + mv(pname, buf, SEBSD_SECURE); /* * Close locked password file after rename() @@ -704,8 +708,9 @@ void -mv(from, to) +mv(from, to, label) char *from, *to; + const char *label; { char buf[MAXPATHLEN]; @@ -715,6 +720,17 @@ errno = sverrno; error(buf); } + if (label) { + mac_t mac; + if (mac_from_text(&mac, label)) { + warn("%s", to); + return; + } + if (mac_set_file(to, mac)) { + warn("%s", to); + return; + } + } } void
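Review bot: In hunk @@ -596,14 +600,14 @@ the `_SMP_DB` file is installed with `SEBSD_INSECURE`, the same label as `_MP_DB`. In stock FreeBSD `_SMP_DB` is the secure database (spwd.db) that carries the password hashes, so giving it etc_t leaves only the file mode, not the MAC type, between those hashes and every domain allowed to read etc_t files. Unless that is deliberate, the second call should read `mv(buf, buf2, SEBSD_SECURE);`. The enclosing function starts and ends outside the hunk, so any earlier labelling of the temporary files is not visible here.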
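Review bot: The `mac_t` obtained from `mac_from_text()` in hunk @@ -715,6 +720,17 @@ is never released: the `mac_set_file()` failure path and the success path both leave mv() without `mac_free(mac)`. The label is also applied only after the rename, and a failure merely warns, so a file can sit at its final path with whatever label the temporary file carried. For the `SEBSD_SECURE` call that means the master password file may be left without shadow_t while the run presumably still reports success. Labelling `from` before the rename, or treating a labelling failure as fatal for the secure file, would close that gap, but the rename lies above this hunk, so the fence shows only the leak fix, with messages that tell the two failures apart.

```c
	/* … unchanged: rename() and its error path … */
	if (label) {
		mac_t mac;

		if (mac_from_text(&mac, label) != 0) {
			warn("mac_from_text: %s", label);
			return;
		}
		if (mac_set_file(to, mac) != 0)
			warn("mac_set_file: %s", to);
		mac_free(mac);
	}
```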