Rework shadow transitions and access

shadow access is tightly controlled, with separate types for the shadow
files and the locks.  This patch distinguishes the two by enumerating
the backup filenames and lock file names in their associated file
transition rules.

Prior to this, the overbroad file transition rules would cause various
shadow-manipulating tools to create lock files with the incorrect
shadow_t label.

Signed-off-by: Antonio Enrico Russo <[email protected]>

Author: aerusso

policy/modules/admin/usermanage.te

@@ -246,7 +246,7 @@ auth_use_nsswitch(groupadd_t)
 # domtrans_chk_passwd() call.
 auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
-auth_etc_filetrans_shadow(groupadd_t)
+auth_filetrans_shadow(groupadd_t)
 
 seutil_read_config(groupadd_t)
 seutil_read_file_contexts(groupadd_t)
@@ -346,7 +346,7 @@ auth_run_chk_passwd(passwd_t, passwd_roles)
 auth_run_upd_passwd(passwd_t, passwd_roles)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
-auth_etc_filetrans_shadow(passwd_t)
+auth_filetrans_shadow(passwd_t)
 auth_use_nsswitch(passwd_t)
 
 # allow checking if a shell is executable
@@ -435,7 +435,7 @@ term_use_all_ptys(sysadm_passwd_t)
 
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
-auth_etc_filetrans_shadow(sysadm_passwd_t)
+auth_filetrans_shadow(sysadm_passwd_t)
 auth_use_nsswitch(sysadm_passwd_t)
 
 # allow vipw to exec the editor
@@ -531,7 +531,7 @@ auth_use_nsswitch(useradd_t)
 # domtrans_chk_passwd() call.
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
-auth_etc_filetrans_shadow(useradd_t)
+auth_filetrans_shadow(useradd_t)
 
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)

policy/modules/services/nis.te

@@ -199,7 +199,7 @@ selinux_get_fs_mount(yppasswdd_t)
 
 auth_manage_shadow(yppasswdd_t)
 auth_relabel_shadow(yppasswdd_t)
-auth_etc_filetrans_shadow(yppasswdd_t)
+auth_filetrans_shadow(yppasswdd_t)
 
 logging_send_syslog_msg(yppasswdd_t)
 

policy/modules/system/authlogin.if

@@ -847,6 +847,23 @@ interface(`auth_relabel_shadow',`
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
+########################################
+## <summary>
+##	File transitions for shadow files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain with file transition.
+##	</summary>
+## </param>
+#
+interface(`auth_filetrans_shadow',`
+	auth_etc_filetrans_shadow($1, "shadow")
+	auth_etc_filetrans_shadow($1, "gshadow")
+	auth_etc_filetrans_shadow($1, "shadow-")
+	auth_etc_filetrans_shadow($1, "gshadow-")
+')
+
 ########################################
 ## <summary>
 ##	Read/Write shadow lock files.
@@ -860,9 +877,18 @@ interface(`auth_relabel_shadow',`
 interface(`auth_rw_shadow_lock',`
 	gen_require(`
 		type shadow_lock_t;
+		type shadow_t;
 	')
 
 	allow $1 shadow_lock_t:file rw_file_perms;
+	ifelse(`$2',`',`
+		files_etc_filetrans($1, shadow_lock_t, file, ".pwd.lock")
+		files_etc_filetrans($1, shadow_lock_t, file, "passwd.lock")
+		files_etc_filetrans($1, shadow_lock_t, file, "group.lock")
+	',`
+		refpolicywarn(`$0($*) second parameter is deprecated.')
+		files_etc_filetrans($1, shadow_t, file, $2)
+	')
 ')
 
 ########################################

policy/modules/system/authlogin.te

@@ -412,6 +412,7 @@ term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
 
 auth_manage_shadow(updpwd_t)
+auth_filetrans_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
 
 logging_send_syslog_msg(updpwd_t)

policy/modules/system/systemd.te

@@ -2077,7 +2077,7 @@ kernel_read_kernel_sysctls(systemd_sysusers_t)
 selinux_use_status_page(systemd_sysusers_t)
 
 auth_manage_shadow(systemd_sysusers_t)
-auth_etc_filetrans_shadow(systemd_sysusers_t)
+auth_filetrans_shadow(systemd_sysusers_t)
 auth_use_nsswitch(systemd_sysusers_t)
 
 seutil_libselinux_linked(systemd_sysusers_t)