PERFORCE change 68317 for review
Andrew Reisse
areisse at FreeBSD.org
Wed Jan 5 13:49:34 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=68317
Change 68317 by areisse at areisse_tislabs on 2005/01/05 13:49:08
Policy and pwd_mkdb changes for passwd, vipw, and adduser with
sebsd.
Affected files ...
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#5 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/useradd.te#3 edit
.. //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/passwd.fc#5 edit
.. //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#5 edit
Differences ...
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/passwd.te#5 (text+ko) ====
@@ -71,7 +71,6 @@
base_passwd_domain($1, `auth_write, privowner')
# Update /etc/shadow and /etc/passwd
file_type_auto_trans($1_t, etc_t, shadow_t, file)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
can_setfscreate($1_t)
')
@@ -130,6 +129,9 @@
# for /etc/alternatives/vi
allow sysadm_passwd_t etc_t:lnk_file read;
+# access the terminal database
+r_dir_file(sysadm_passwd_t, usr_t)
+
# for nscd lookups
dontaudit sysadm_passwd_t var_run_t:dir search;
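Review bot: The comment names one file, but `r_dir_file(sysadm_passwd_t, usr_t)` grants read and search on every directory and file labeled usr_t, so the comment understates the scope of the rule; the same mismatch appears at `r_dir_file(useradd_t, usr_t)` under "Access /usr/share/skel" in useradd.te. If the policy has no narrower type for the terminal database, say so where the grant is made, e.g. `# read the terminal database (no narrower type than usr_t is available)`, so a later reader does not mistake it for a targeted grant.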
@@ -138,3 +140,33 @@
allow passwd_t userdomain:file read;
allow passwd_t userdomain:process getattr;
+#################################
+#
+# Rules for pwd_mkdb
+#
+type pwdmkdb_t, domain, auth_write, privowner;
+type pwdmkdb_exec_t, exec_type, file_type, sysadmfile;
+
+role system_r types pwdmkdb_t;
+role sysadm_r types pwdmkdb_t;
+
+general_domain_access(pwdmkdb_t);
+uses_shlib(pwdmkdb_t);
+
+rw_dir_file(pwdmkdb_t, etc_t);
+allow pwdmkdb_t {shadow_t etc_t}:file unlink;
+
+allow pwdmkdb_t privfd:fd use;
+
+file_type_auto_trans(pwdmkdb_t, etc_t, shadow_t, file)
+
+# Relabel password files.
+allow pwdmkdb_t {etc_t shadow_t}:file { relabelfrom relabelto };
+
+# passwords are changed from many source domains.
+allow pwdmkdb_t {ttyfile ptyfile}:chr_file { write };
+
+# passwd/vipw use pwd_mkdb for the actual updates.
+domain_auto_trans({passwd_t sysadm_passwd_t}, pwdmkdb_exec_t, pwdmkdb_t)
+allow {passwd_t sysadm_passwd_t} sbin_t:dir search;
+
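Review bot: `domain_auto_trans({passwd_t sysadm_passwd_t}, pwdmkdb_exec_t, pwdmkdb_t)` transitions from passwd_t, but only `role system_r types pwdmkdb_t;` and `role sysadm_r types pwdmkdb_t;` authorize the new domain; a domain transition is also checked against the calling process's role, so if passwd_t is ever entered from user_r (the usual case for an unprivileged password change) the execve(2) of pwd_mkdb is denied outright, and the relabel permission passwd_t used to rely on was removed in the first hunk of this file. If that is the case, add `role user_r types pwdmkdb_t;` next to the other two role statements. Separately, `allow pwdmkdb_t {etc_t shadow_t}:file { relabelfrom relabelto };` permits relabeling shadow_t files down to etc_t, which pwd_mkdb.c in this change actually does for spwd.db; the `# Relabel password files.` comment should state that the domain relabels in both directions and why.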
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/domains/program/useradd.te#3 (text+ko) ====
@@ -41,15 +41,18 @@
file_type_auto_trans($1_t, etc_t, shadow_t, file)
allow $1_t etc_t:file create_file_perms;
+domain_auto_trans($1_t, pwdmkdb_exec_t, pwdmkdb_t)
+
# some apps ask for these accesses, but seems to work regardless
dontaudit $1_t var_run_t:dir search;
r_dir_file($1_t, selinux_config_t)
+dontaudit $1_t home_root_t:dir setattr;
+allow $1_t self:capability linux_immutable;
+
# Set fscreate context.
can_setfscreate($1_t)
-allow $1_t { etc_t shadow_t }:file { relabelfrom relabelto };
-
read_locale($1_t)
# useradd/userdel request read/write for /var/log/lastlog, and read of /dev,
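Review bot: `allow $1_t self:capability linux_immutable;` grants every domain instantiated from this macro the capability to change immutable/append-only file flags, with no comment saying which useradd/userdel/adduser operation needs it; the `dontaudit $1_t home_root_t:dir setattr;` beside it is likewise unexplained. Add a why-comment to each, for instance `# needed for <operation> on <object> -- confirm against the audit log` with the placeholders filled in, and if only one of the instantiated domains needs the capability, move the rule into that domain's own block rather than the shared macro. The macro body these lines belong to starts and ends outside the hunk.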
@@ -78,6 +81,11 @@
file_type_auto_trans(useradd_t, home_root_t, user_home_dir_t, dir)
file_type_auto_trans(useradd_t, user_home_dir_t, user_home_t)
+# Access /usr/share/skel
+r_dir_file(useradd_t, usr_t)
+
+allow useradd_t root_t:lnk_file read;
+
# create/delete mail spool file in /var/mail
allow useradd_t var_spool_t:dir search;
allow useradd_t mail_spool_t:dir { search write add_name remove_name };
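Review bot: `allow useradd_t root_t:lnk_file read;` has no comment, so a reader cannot tell which symlink in the root directory it is for; presumably the /home -> /usr/home link FreeBSD commonly uses, given the `/usr/share/skel` comment two lines above, but that is an inference. Add the reason above the rule, e.g. `# follow the /home -> /usr/home symlink` (or whichever link the denial named).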
==== //depot/projects/trustedbsd/sebsd/contrib/sebsd/policy/file_contexts/program/passwd.fc#5 (text+ko) ====
@@ -10,3 +10,4 @@
/usr/sbin/pwunconv -- system_u:object_r:admin_passwd_exec_t
/usr/sbin/grpconv -- system_u:object_r:admin_passwd_exec_t
/usr/sbin/grpunconv -- system_u:object_r:admin_passwd_exec_t
+/usr/sbin/pwd_mkdb -- system_u:object_r:pwdmkdb_exec_t
==== //depot/projects/trustedbsd/sebsd/usr.sbin/pwd_mkdb/pwd_mkdb.c#5 (text+ko) ====
@@ -56,6 +56,7 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <sys/mac.h>
#include "pw_scan.h"
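Review bot: `#include <sys/mac.h>` is inserted after the libc headers; style(9) orders `<sys/*.h>` includes first, so it belongs with the other `<sys/...>` includes at the top of the include block, which presumably lies above this hunk.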
@@ -66,6 +67,9 @@
#define LEGACY_VERSION(x) _PW_VERSIONED(x, 3)
#define CURRENT_VERSION(x) _PW_VERSIONED(x, 4)
+#define SEBSD_INSECURE "sebsd/system_u:object_r:etc_t"
+#define SEBSD_SECURE "sebsd/system_u:object_r:shadow_t"
+
HASHINFO openinfo = {
4096, /* bsize */
32, /* ffactor */
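Review bot: `SEBSD_INSECURE` and `SEBSD_SECURE` hard-code the complete label text, including `system_u:object_r`, so mv() overwrites whatever SELinux user and role the installed files previously carried instead of changing only the type, and on a host where the sebsd policy is not loaded `mac_from_text()` fails and the files are left with their inherited label after a warning. If replacing the user and role is intended, document it here: `/* Complete labels forced onto the installed files; the target's existing user and role are replaced, not preserved. */`; otherwise derive the new label from the existing one (read with `mac_get_file()` on the target) and substitute only the type.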
@@ -86,7 +90,7 @@
void cleanup(void);
void error(const char *);
void cp(char *, char *, mode_t mode);
-void mv(char *, char *);
+void mv(char *, char *, const char *label);
int scan(FILE *, struct passwd *);
static void usage(void);
@@ -596,14 +600,14 @@
/* Install as the real password files. */
(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _MP_DB);
(void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _MP_DB);
- mv(buf, buf2);
+ mv(buf, buf2, SEBSD_INSECURE);
(void)snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _SMP_DB);
(void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _SMP_DB);
- mv(buf, buf2);
+ mv(buf, buf2, SEBSD_INSECURE); /* XXX getty (etc) use this database incorrectly */
if (makeold) {
(void)snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _PASSWD);
(void)snprintf(buf, sizeof(buf), "%s.orig", pname);
- mv(buf, buf2);
+ mv(buf, buf2, SEBSD_INSECURE);
}
/*
* Move the master password LAST -- chpass(1), passwd(1) and vipw(8)
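Review bot: `mv(buf, buf2, SEBSD_INSECURE)` for `_SMP_DB` installs the secure database, the one holding the password hashes, under the etc_t label, and the `/* XXX getty (etc) use this database incorrectly */` comment records this as a workaround rather than the intended label. Every domain with etc_t read access can then read the hashes, which is exactly the exposure the shadow_t type exists to prevent; the proper fix is in the policies of the domains that read spwd.db directly (grant them shadow_t read or correct their lookups), after which this call should use `SEBSD_SECURE` like the master.passwd move in the next hunk. Until then the comment should state what is at stake: `/* XXX getty (etc) read spwd.db directly; labeling it etc_t exposes the hashes to any etc_t reader. Switch to SEBSD_SECURE once those domains are fixed. */`. The enclosing function continues above and below this hunk.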
@@ -612,7 +616,7 @@
* can no longer be accessed.
*/
(void)snprintf(buf, sizeof(buf), "%s/%s", prefix, _MASTERPASSWD);
- mv(pname, buf);
+ mv(pname, buf, SEBSD_SECURE);
/*
* Close locked password file after rename()
@@ -704,8 +708,9 @@
void
-mv(from, to)
+mv(from, to, label)
char *from, *to;
+ const char *label;
{
char buf[MAXPATHLEN];
@@ -715,6 +720,17 @@
errno = sverrno;
error(buf);
}
+ if (label) {
+ mac_t mac;
+ if (mac_from_text(&mac, label)) {
+ warn("%s", to);
+ return;
+ }
+ if (mac_set_file(to, mac)) {
+ warn("%s", to);
+ return;
+ }
+ }
}
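Review bot: The `mac_t` obtained from `mac_from_text()` is never released; add `mac_free(mac);` after the `mac_set_file()` call and make its failure path fall through to that free instead of returning early. The first `warn("%s", to)` names the destination file although the call that failed parsed `label`, so the message points at the wrong thing; `warn("mac_from_text: %s", label)` and `warn("mac_set_file: %s", to)` identify the failing step. Both failures leave the installed file with whatever label rename(2) preserved and pwd_mkdb still exits 0; since this path is also used with SEBSD_SECURE for master.passwd, consider propagating the failure to the caller (mv() is void, so the exit status cannot currently reflect it). mv() begins in the previous hunk.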
void