From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 908F01381F3 for ; Wed, 10 Apr 2013 19:55:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 475B1E0A62; Wed, 10 Apr 2013 19:55:55 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C02EBE0A62 for ; Wed, 10 Apr 2013 19:55:54 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B0E8833DB86 for ; Wed, 10 Apr 2013 19:55:53 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 4F10DE4073 for ; Wed, 10 Apr 2013 19:55:52 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1365623614.6c7a5a623e83dbcebae78ca667020cecb990387a.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/selinuxutil.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 6c7a5a623e83dbcebae78ca667020cecb990387a X-VCS-Branch: master Date: Wed, 10 Apr 2013 19:55:52 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 4d2c1d03-6f5d-4a80-8d62-59f174433195 X-Archives-Hash: 802f1344211d0665185a792834e79af7 commit: 6c7a5a623e83dbcebae78ca667020cecb990387a Author: Sven Vermeulen siphos be> AuthorDate: Wed Apr 10 19:53:34 2013 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Apr 10 19:53:34 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6c7a5a62 Support passwordless service handling When using Gentoo init scripts, we transition to run_init_t before calling run_init. That means that when run_init runs and checks the PAM services, the pam_rootok.so calls will look for the previous context (which already is run_init_t) and check if that context is allowed to "accept root" as a sufficient authentication measure. run_init_t doesn't (well, didn't with this patch), which makes this check fail. When calling services with run_init directly (like "run_init rc-service sshd status") then the previous context is (most likely) the sysadm_t one, which does have this permission. See also http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/ --- policy/modules/system/selinuxutil.te | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 4cba334..cc13e63 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -639,6 +639,11 @@ ifdef(`distro_gentoo',` # # setfiles local policy # + gen_require(` + class passwd { passwd chfn chsh rootok }; + ') + + allow run_init_t self:passwd rootok; files_read_all_symlinks(setfiles_t) ')