From 9812e9c0eff34b72d8c85ea92cb33887ab34adf3 Mon Sep 17 00:00:00 2001 From: Dave Sugar Date: Fri, 14 Jul 2023 23:03:55 -0400 Subject: [PATCH] Label pwhistory_helper pwhistory_helper is executed by pam_pwhistory (as configued in /etc/pam.d/sysem-auth). It updates /etc/security/opasswd which contains old passwords. Label /etc/security/opasswd as shadow_t to control access. node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { execute } for pid=2667 comm="passwd" name="pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { read open } for pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { execute_no_trans } for pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1689391847.287:8989): avc: denied { map } for pid=2667 comm="pwhistory_helpe" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar --- policy/modules/admin/usermanage.te | 1 + policy/modules/system/authlogin.fc | 3 +++ policy/modules/system/authlogin.te | 1 + 3 files changed, 5 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 7e71118c9f..30b3061c41 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -334,6 +334,7 @@ term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) auth_run_chk_passwd(passwd_t, passwd_roles) +auth_run_upd_passwd(passwd_t, passwd_roles) auth_manage_shadow(passwd_t) auth_relabel_shadow(passwd_t) auth_etc_filetrans_shadow(passwd_t) diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index 50efcff7bf..4b5a72bc85 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -4,6 +4,8 @@ /etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) /etc/tcb(/.*)? -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) +/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) /usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0) /usr/bin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) @@ -24,6 +26,7 @@ /usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) /usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0) +/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0) /usr/sbin/tcb_convert -- gen_context(system_u:object_r:updpwd_exec_t,s0) /usr/sbin/tcb_unconvert -- gen_context(system_u:object_r:updpwd_exec_t,s0) /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index ab15b40d67..a62f993f06 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -391,6 +391,7 @@ files_manage_etc_files(updpwd_t) term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) +auth_etc_filetrans_shadow(updpwd_t) auth_manage_shadow(updpwd_t) auth_use_nsswitch(updpwd_t)