Hi, The current policy for yubikeys only takes into account the otp functions. In addition, the pam module supports a local challenge response mode. I have attached a patch to allow chap to work for yubikeys with selinux enabled. Note that I have added an auth_home_rw_t type, as the pam module reads from ~/.yubico/challenge-<tokenid> and then rewrites it with a new challenge after the attempt. I would like to especially ask that the section for the chap tunable policy be reviewed. In my testing, it seemed that login_pgm wasn't sufficient, as staff_sudo_t didn't seem to be covered by it, which is why I have added the sudodomain components. I would like to know if there is a better way to resolve this. Sincerely, -- William Brown <william@xxxxxxxxxxxxxxx>
diff -uNrp serefpolicy-3.12.1.orig/policy/modules/system/authlogin.fc serefpolicy-3.12.1.work/policy/modules/system/authlogin.fc
--- serefpolicy-3.12.1.orig/policy/modules/system/authlogin.fc 2014-03-27 21:31:39.758132865 +1030
+++ serefpolicy-3.12.1.work/policy/modules/system/authlogin.fc 2014-03-27 21:57:30.974519141 +1030
@@ -1,7 +1,11 @@
-HOME_DIR/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.yubico gen_context(system_u:object_r:auth_home_rw_t,s0)
+HOME_DIR/\.yubico/challenge-(.*) gen_context(system_u:object_r:auth_home_rw_t,s0)
+HOME_DIR/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
 HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
 HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
-/root/\.yubico(/.*)? gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.yubico gen_context(system_u:object_r:auth_home_rw_t,s0)
+/root/\.yubico/challenge-(.*) gen_context(system_u:object_r:auth_home_rw_t,s0)
+/root/\.yubico/(.*) gen_context(system_u:object_r:auth_home_t,s0)
 /root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
 /root/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
diff -uNrp serefpolicy-3.12.1.orig/policy/modules/system/authlogin.te serefpolicy-3.12.1.work/policy/modules/system/authlogin.te
--- serefpolicy-3.12.1.orig/policy/modules/system/authlogin.te 2014-03-27 21:31:39.759132841 +1030
+++ serefpolicy-3.12.1.work/policy/modules/system/authlogin.te 2014-03-28 08:30:56.103650596 +1030
@@ -14,10 +14,17 @@ gen_tunable(authlogin_radius, false)
 ## <desc>
 ## <p>
-## Allow users to login using a yubikey server
+## Allow users to login using a yubikey OTP server
 ## </p>
 ## </desc>
-gen_tunable(authlogin_yubikey, false)
+gen_tunable(authlogin_yubikey_otp, false)
+
+## <desc>
+## <p>
+## Allow users to login using a yubikey in challenge response mode
+## </p>
+## </desc>
+gen_tunable(authlogin_yubikey_chap, false)
 ## <desc>
 ## <p>
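Review bot: In the authlogin.fc hunk only `challenge-(.*)` keeps the writable label, so any other file the challenge-response path touches under `~/.yubico` stays auth_home_t, which the chap tunable in authlogin.te never grants to sudodomain; as I recall pam_yubico falls back to an unsuffixed `challenge` file when the token's serial is not available, and that file would then be labelled auth_home_t and the sudo path denied. If that fallback is in scope, `HOME_DIR/\.yubico/challenge(-.*)? gen_context(system_u:object_r:auth_home_rw_t,s0)` (and its /root twin) covers both spellings; if it is deliberately excluded, a one-line comment above the entry saying so would stop the next reader widening it. Relabelling the `~/.yubico` directory itself to auth_home_rw_t also means every domain that reaches the remaining auth_home_t files now needs search on auth_home_rw_t, which is worth stating in the description since it is the reason login_pgm receives unconditional rules in authlogin.te.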
@@ -39,6 +46,9 @@ logging_log_file(auth_cache_t)
 type auth_home_t;
 userdom_user_home_content(auth_home_t)
+type auth_home_rw_t;
+userdom_user_home_content(auth_home_rw_t)
+
 type chkpwd_t, can_read_shadow_passwords;
 type chkpwd_exec_t;
 typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
@@ -538,6 +548,9 @@ files_var_filetrans(login_pgm, auth_cach
 manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t)
 manage_files_pattern(login_pgm, auth_home_t, auth_home_t)
+manage_dirs_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+manage_files_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+
 auth_filetrans_admin_home_content(login_pgm)
 auth_filetrans_home_content(login_pgm)
@@ -549,10 +562,24 @@ tunable_policy(`authlogin_radius',`
 corenet_udp_bind_all_unreserved_ports(login_pgm)
 ')
-tunable_policy(`authlogin_yubikey',`
+tunable_policy(`authlogin_yubikey_otp',`
 corenet_tcp_connect_http_port(login_pgm)
 ')
+tunable_policy(`authlogin_yubikey_chap',`
+ gen_require(`
+ attribute sudodomain;
+ ')
+
+ manage_dirs_pattern(sudodomain, auth_home_rw_t, auth_home_rw_t)
+ manage_files_pattern(sudodomain, auth_home_rw_t, auth_home_rw_t)
+ allow sudodomain self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+ manage_files_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)
+ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
+')
+
 corenet_tcp_connect_pki_ca_port(login_pgm)
 # for fingerprint readers
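Review bot: The two `manage_*_pattern(login_pgm, auth_home_rw_t, auth_home_rw_t)` lines in the `@@ -538` hunk are granted unconditionally and then repeated inside `tunable_policy(`authlogin_yubikey_chap'` in the `@@ -549` hunk, so for login_pgm the tunable gates only the uevent socket and the stored challenge is rewritable whether or not chap is enabled. Because the .fc change relabels the `~/.yubico` directory itself, login_pgm does need to reach the auth_home_t files beneath it in OTP mode, but that needs only directory traversal: keep `allow login_pgm auth_home_rw_t:dir list_dir_perms;` unconditional in the `@@ -538` hunk and leave the two manage rules to the tunable, so a system with chap off cannot have its challenge state altered from a login domain. A short comment on the new type in the `@@ -39` hunk, such as `# challenge-response state pam_yubico rewrites after each attempt`, would record why a second home type exists.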
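Review bot: `gen_require(` attribute sudodomain; ')` inside the `@@ -549` hunk makes authlogin.te, a system-layer module, reach into the sudo module, which refpolicy's layering is meant to avoid and is the more likely reason staff_sudo_t was not covered by login_pgm than a gap in login_pgm itself. The usual shape is an interface in authlogin.if that grants the access to the caller's domain (a suggested name is used below), called from sudo_role_template in sudo.if inside its own `tunable_policy(`authlogin_yubikey_chap'` block, with the three sudodomain lines here dropped so the conditional body in authlogin.te keeps only the login_pgm rules. The `netlink_kobject_uevent_socket` rule also deserves a why-comment, e.g. `# device enumeration when locating the token`, hedged because I infer the purpose from the socket class rather than from the patch; if the challenge-response exchange additionally opens the USB device node, that access is not in this patch and the description should say where it comes from.
```m4
########################################
## <summary>
##	Manage yubikey challenge-response state in user home
##	directories and open the uevent socket used while
##	locating the token.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`auth_manage_yubikey_chap_home_content',`
	gen_require(`
		type auth_home_rw_t;
	')

	manage_dirs_pattern($1, auth_home_rw_t, auth_home_rw_t)
	manage_files_pattern($1, auth_home_rw_t, auth_home_rw_t)
	allow $1 self:netlink_kobject_uevent_socket create_socket_perms;
')
```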