Thanks for the suggestion.

My program still doesn't work yet, but I notice that /var/log/messages has:

Jul 6 12:43:55 localhost kernel: security: context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 is invalid

What would make this invalid?

Thanks,
Brian

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Tuesday, July 07, 2009 4:57 AM
To: Brian Ginn
Cc: 'fedora-selinux-list@xxxxxxxxxx'; Joshua Brindle
Subject: RE: getpwnam and SELinux

On Mon, 2009-07-06 at 18:23 -0700, Brian Ginn wrote:
> Thanks for the response!
>
> My RHEL 5.3 box doesn't have the -D option for semodule, so I moved to Fedora 9.
> I still don't see a relevant AVC message.
>
> My policy, a sample run, and a test program are shown below.
> I get the same results running it unconfined as root.
> Note the role statement identified below still shows up with audit2allow, even though it is in the policy.

Hmmm...bug in the policy compiler, maybe?  I don't see unconfined_r in a
require block in your policy module.  Try adding:
role unconfined_r;
to the first gen_require() block.

> Thanks,
> Brian
>
>
> [root@localhost t]# cat t_getpw.te
> policy_module(t_getpw,1.0.0)
>
> type t_getpw_t;
> type t_getpw_exec_t;
>
> gen_require(`
>         type unconfined_t;
> ')
> domain_auto_trans(unconfined_t, t_getpw_exec_t, t_getpw_t )
>
> auth_can_read_shadow_passwords( t_getpw_t );
> auth_read_shadow( t_getpw_t );
> auth_tunable_read_shadow( t_getpw_t );
> auth_use_nsswitch( t_getpw_t );
> auth_domtrans_chk_passwd(t_getpw_t)
>
> gen_require(`
>         type ld_so_cache_t;
>         type ld_so_t;
>         type lib_t;
>         type root_t;
>         type sshd_t;
>         type unconfined_devpts_t;
> ')
>
> #============= t_getpw_t ==============
> allow t_getpw_t ld_so_cache_t:file { read getattr };
> allow t_getpw_t ld_so_t:file read;
> allow t_getpw_t lib_t:dir search;
> allow t_getpw_t lib_t:file { read getattr execute };
> allow t_getpw_t lib_t:lnk_file read;
> allow t_getpw_t root_t:dir search;
> allow t_getpw_t sshd_t:fd use;
> allow t_getpw_t t_getpw_exec_t:file entrypoint;
> allow t_getpw_t unconfined_devpts_t:chr_file { read write getattr };
> allow t_getpw_t unconfined_t:fd use;
> allow t_getpw_t unconfined_t:process sigchld;
>
> #============= unconfined_t ==============
> allow unconfined_t t_getpw_t:dir { getattr search };
> allow unconfined_t t_getpw_t:file read;
> allow unconfined_t t_getpw_t:process { siginh getattr rlimitinh noatsecure };
>
> #curiously, this role statement still shows up with audit2allow:
> role unconfined_r types t_getpw_exec_t;
>
> #=========== pam_t and vmware_host_t are probably not related
> #=========== but always show up in audit.log
>
> gen_require(`
>         type pam_t;
>         type initrc_var_run_t;
>         type vmware_host_t;
>         type xdm_xserver_t;
> ')
> #============= pam_t ==============
> allow pam_t initrc_var_run_t:file write;
>
> #============= vmware_host_t ==============
> allow vmware_host_t t_getpw_t:dir { search getattr };
> allow vmware_host_t t_getpw_t:file read;
> allow vmware_host_t xdm_xserver_t:process ptrace;
>
>
> [root@localhost t]# cat t_getpw.fc
>
> /usr/local/bin/t_getpwnam -- gen_context(system_u:object_r:t_getpw_exec_t,s0)
>
> [root@localhost t]#
>
>
>
> Loading Policy
> + /usr/sbin/semodule -i t_getpw.pp
> + '[' 0 -ne 0 ']'
> + /sbin/restorecon -F -R -v /usr/local/bin/t_getpwnam
> /sbin/restorecon reset /usr/local/bin/t_getpwnam context unconfined_u:object_r:bin_t:s0->system_u:object_r:t_getpw_exec_t:s0
> + setenforce 1
> + setenforce 0
> + semodule -DB
> [root@localhost t]# /usr/local/bin/t_getpwnam bginn
> Calling getpwnam for user: bginn
> USER:bginn UID:500 pwd:x
> DONE.
> [root@localhost t]# cat /var/log/audit/audit.log
> type=AVC msg=audit(1246903716.331:18364): avc: denied { ptrace } for pid=1665 comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
> type=SYSCALL msg=audit(1246903716.331:18364): arch=c000003e syscall=89 per=400000 success=yes exit=19 a0=7fff06c1c7b0 a1=7fff06c1b7a0 a2=1000 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid: invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process
> type=SYSCALL msg=audit(1246903718.119:18365): arch=c000003e syscall=59 success=yes exit=0 a0=bfcbd0 a1=c06760 a2=c06cb0 a3=8 items=0 ppid=16180 pid=16315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=6 comm="t_getpwnam" exe="/usr/local/bin/t_getpwnam" subj=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1246903726.351:18366): avc: denied { search } for pid=1665 comm="vmware-guestd" name="16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
> type=AVC msg=audit(1246903726.351:18366): avc: denied { read } for pid=1665 comm="vmware-guestd" name="cmdline" dev=proc ino=83608 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=file
> type=SYSCALL msg=audit(1246903726.351:18366): arch=c000003e syscall=2 per=400000 success=yes exit=12 a0=7fff06c0b190 a1=0 a2=13 a3=8101010101010100 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> type=AVC msg=audit(1246903726.352:18367): avc: denied { getattr } for pid=1665 comm="vmware-guestd" path="/proc/16315" dev=proc ino=83606 scontext=system_u:system_r:vmware_host_t:s0 tcontext=unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 tclass=dir
> type=SYSCALL msg=audit(1246903726.352:18367): arch=c000003e syscall=4 per=400000 success=yes exit=0 a0=7fff06c0b190 a1=7fff06c0b590 a2=7fff06c0b590 a3=0 items=0 ppid=1 pid=1665 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vmware-guestd" exe="/usr/lib/vmware-tools/sbin64/vmware-guestd" subj=system_u:system_r:vmware_host_t:s0 key=(null)
> [root@localhost t]# cat /var/log/audit/audit.log | audit2allow
>
>
> #============= vmware_host_t ==============
> allow vmware_host_t t_getpw_t:dir { search getattr };
> allow vmware_host_t t_getpw_t:file read;
> allow vmware_host_t xdm_xserver_t:process ptrace;
>
> =========== ROLES ===============
> role unconfined_r types t_getpw_exec_t;
> [root@localhost t]#
>
>
>
> [root@localhost t]# cat t_getpwnam.c
> #include <stdlib.h>
> #include <unistd.h>   /* sleep() */
> #include <pwd.h>
> #include <sys/types.h>
> #include <stdio.h>
>
> int main( int argc, char** argv )
> {
>     struct passwd *p;
>     char* user = NULL;
>
>     /* pause so the transitioned process can be inspected while it runs */
>     sleep(9);
>
>     if( argc != 2 )
>     {
>         printf("must have username as argument\n");
>         exit(1);
>     }
>
>     user = argv[1];
>
>     printf("Calling getpwnam for user: %s\n", user);
>
>     setpwent();
>     p = getpwnam( user );
>     if( p == NULL )
>     {
>         printf("User not found (or error).\n");
>     }else{
>         /* pw_passwd is the field in question: "x" when the shadow hash is not returned */
>         printf("USER:%s UID:%d pwd:%s\n", p->pw_name, (int)p->pw_uid, p->pw_passwd );
>     }
>     endpwent();
>
>     printf("DONE.\n");
>     return( 0 );
> }
> [root@localhost t]#
>
>
>
>
> -----Original Message-----
> From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
> Sent: Thursday, July 02, 2009 4:53 AM
> To: Brian Ginn
> Cc: 'fedora-selinux-list@xxxxxxxxxx'
> Subject: Re: getpwnam and SELinux
>
> On Wed, 2009-07-01 at 16:15 -0700, Brian Ginn wrote:
> > I have an app that I'm trying to confine.
> >
> > In enforcing mode, getpwnam() returns "X" for the pw_passwd field.
> >
> > Is there SELinux policy to allow this app to get the shadow passwd?
> >
> > I've tried the following without success:
> >
> > auth_can_read_shadow_passwords( )
> > auth_read_shadow( )
> > auth_tunable_read_shadow( )
> > auth_use_nsswitch( )
>
> Can you show us the actual denial?  Run semodule -DB first if you don't
> get any denials, and then run semodule -B afterward.  Also, post
> your .te file.
>
> --
> Stephen Smalley
> National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
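A small diagnostic for the SELINUX_ERR line in the thread above, added here as an example and not code from the list or from the SELinux project: it scans audit.log lines of the shape Brian posted and applies the rule that the kernel accepts a context only if its user is authorised for its role and its role for its type, so it can name the role/type association a module lacks when a domain transition produces an invalid context. The audit lines embedded below are constructed copies of two lines from the thread.

```python
import re

# Constructed sample in the shape of the thread's audit.log: an unrelated AVC line the
# scanner must ignore, then the SELINUX_ERR line from the failed transition to t_getpw_t.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1246903716.331:18364): avc: denied { ptrace } for pid=1665 '
    'comm="vmware-guestd" scontext=system_u:system_r:vmware_host_t:s0 '
    'tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process\n'
    'type=SELINUX_ERR msg=audit(1246903718.119:18365): security_compute_sid: '
    'invalid context unconfined_u:unconfined_r:t_getpw_t:s0-s0:c0.c1023 '
    'for scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:t_getpw_exec_t:s0 tclass=process\n'
)

ERR_RE = re.compile(r'type=SELINUX_ERR .*?invalid context (\S+) for '
                    r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')

def split_context(ctx):
    """Split user:role:type[:mls] into fields; the MLS range may itself contain ':'."""
    parts = ctx.split(':', 3)
    if len(parts) < 3:
        raise ValueError('not a security context: %r' % ctx)
    return {'user': parts[0], 'role': parts[1], 'type': parts[2],
            'mls': parts[3] if len(parts) == 4 else ''}

def diagnose_invalid_contexts(log_text):
    """One diagnosis per security_compute_sid 'invalid context' event.

    A context is accepted only if its user is authorised for its role and its role
    for its type.  A process transition inherits user and role from the caller, so
    when those match the valid scontext the missing link is role -> new domain type,
    declared in a module as 'role R types T;' (with the role in a gen_require block).
    """
    found = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        bad, src, tgt = (split_context(m.group(i)) for i in (1, 2, 3))
        diag = {'invalid': m.group(1), 'tclass': m.group(4), 'suggestion': None}
        if m.group(4) == 'process' and (bad['user'], bad['role']) == (src['user'], src['role']):
            diag['reason'] = 'role %s is not authorised for domain type %s (entered via %s)' % (
                bad['role'], bad['type'], tgt['type'])
            diag['suggestion'] = 'role %s types %s;' % (bad['role'], bad['type'])
        else:
            diag['reason'] = 'user %s is not authorised for role %s, or the role for type %s' % (
                bad['user'], bad['role'], bad['type'])
        found.append(diag)
    return found
```

Run it over a real audit.log to list every rejected context and the role statement that would make each one valid; the role itself must still be declared in a gen_require block of the module, as the reply above notes.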