xpra bug tracker and wiki

Changes between Version 1 and Version 2 of Ticket #1679


Timestamp: 11/09/17 08:00:08 (3 years ago)
Author: Antoine Martin
Comment:

That's caused by this new rule (neverallow authlogin_typeattr_1 shadow_t (file (read))):

sudo neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/authlogin/cil:261
  (neverallow authlogin_typeattr_1 shadow_t (file (read)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/400/xpra_socketactivation/cil:126
      (allow xpra_t shadow_t (file (read getattr open)))

Failed to generate binary
semodule:  Failed!

The port error is a red herring: it occurs because the policy failed to load.

Problem is that we need to access shadow_t to verify passwords.

SELinux insides – Part2: Neverallow assertions:

    We need to be sure that we do not allow any unwanted/unsecure/dangerous actions. For example, we do not want to allow ordinary services to access /etc/shadow.

We are not an ordinary service since we do authentication against the system passwords.

I followed all the rules and built policy with audit2allow and the semodule command blows up:

    sshd currently uses PAM to check passwords. One of the PAM modules that sshd uses is pam_unix. This module first tries to read /etc/shadow directly. If it gets permission denied it executes /sbin/unix_chkpwd. unix_chkpwd accepts the user name and password and indicates to pam_unix whether the password matches the username.

Maybe we can get by with "dontaudit" and let PAM fallback to chkpwd?
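
To make the link-time failure quoted above concrete, the following is an added example (not xpra's code and not from the ticket): a small Python model of how a neverallow assertion is evaluated against a module's access rules. It takes the two CIL rules quoted in the semodule output, shows that the allow rule from the xpra module trips the authlogin assertion, and shows that a dontaudit rule carrying the same permissions does not, because dontaudit grants nothing and is therefore never checked. The membership of authlogin_typeattr_1 is constructed for the example; in the real policy it is the set of all domains not explicitly permitted to read shadow_t, and the other type names in that set are placeholders.

```python
"""Toy checker for SELinux-style neverallow assertions over CIL-like rules.

Constructed example, not xpra's or the reference policy's code. It models the
collision reported by semodule: an (allow xpra_t shadow_t (file (read ...)))
rule from the xpra module versus the authlogin neverallow on shadow_t read,
and shows why a dontaudit rule does not trip the assertion.
"""
import re
from typing import Dict, List, Set, Tuple

# One parsed CIL access rule: kind, source, target, object class, permissions.
Rule = Tuple[str, str, str, str, frozenset]

# Matches the single-class form used in the ticket's output, e.g.
# (allow xpra_t shadow_t (file (read getattr open)))
_RULE_RE = re.compile(
    r"\(\s*(allow|neverallow|dontaudit)\s+(\S+)\s+(\S+)\s+"
    r"\(\s*(\S+)\s+\(([^()]*)\)\s*\)\s*\)"
)


def parse_rule(text: str) -> Rule:
    """Parse one CIL s-expression access rule into its components."""
    m = _RULE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an access rule: {text!r}")
    kind, src, tgt, cls, perms = m.groups()
    return (kind, src, tgt, cls, frozenset(perms.split()))


def expand(name: str, attrs: Dict[str, Set[str]]) -> Set[str]:
    """Resolve a type or type attribute to the concrete types it covers."""
    return set(attrs.get(name, {name}))


def check_neverallow(rules: List[Rule], attrs: Dict[str, Set[str]]) -> List[Tuple[Rule, Rule]]:
    """Return (neverallow, allow) pairs where an allow rule violates an assertion.

    As at policy link time, only allow rules are examined: an assertion is
    violated when source, target and class overlap and at least one permission
    is shared. dontaudit rules grant no access, so they are skipped entirely.
    """
    violations = []
    for never in (r for r in rules if r[0] == "neverallow"):
        _, nsrc, ntgt, ncls, nperms = never
        for rule in (r for r in rules if r[0] == "allow"):
            _, asrc, atgt, acls, aperms = rule
            if acls != ncls:
                continue
            if not (expand(asrc, attrs) & expand(nsrc, attrs)):
                continue
            if not (expand(atgt, attrs) & expand(ntgt, attrs)):
                continue
            if aperms & nperms:
                violations.append((never, rule))
    return violations


# Constructed attribute membership (an assumption for this example): xpra_t is
# not one of the domains authlogin exempts, so it falls inside the attribute.
# The other members are placeholder names, not taken from the real policy.
ATTRS: Dict[str, Set[str]] = {
    "authlogin_typeattr_1": {"xpra_t", "example_svc_a_t", "example_svc_b_t"},
}

# Rules quoted in the ticket's semodule output, plus the dontaudit alternative.
ASSERTION = "(neverallow authlogin_typeattr_1 shadow_t (file (read)))"
ORIGINAL = "(allow xpra_t shadow_t (file (read getattr open)))"
PROPOSED = "(dontaudit xpra_t shadow_t (file (read getattr open)))"


def violations_for(module_rule: str) -> List[Tuple[Rule, Rule]]:
    """Check one module rule against the authlogin assertion."""
    return check_neverallow([parse_rule(ASSERTION), parse_rule(module_rule)], ATTRS)


if __name__ == "__main__":
    for label, rule in (("allow", ORIGINAL), ("dontaudit", PROPOSED)):
        result = "neverallow check failed" if violations_for(rule) else "ok"
        print(f"{label}: {result}")
```

With the allow rule the checker reports a failure, as semodule did; with dontaudit it passes. The trade-off is the one the comment describes: the direct read of /etc/shadow is denied (silently, since it is no longer audited) and pam_unix has to fall back to /sbin/unix_chkpwd, so the login path must be tested with that fallback in place.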

  • Ticket #1679

    • Property Summary changed from "fedora 27 selinux policy error: xpra_port_t must be a port type" to "fedora 27 selinux policy error"
  • Ticket #1679 – Description (lines 7 and 8 added in v2)

    v1  v2
    5   5   PITA
    6   6
        7   This affects upgrades as well as installs.
        8
    7   9   selinux related tickets:
    8   10  * #1283