Rework shadow transitions and access

shadow access is tightly controlled, with separate types for the shadow
files and the locks.  This patch distinguishes the two by enumerating
the backup filenames and lock file names in their associated file
transition rules.

Prior to this, the overbroad file transition rules would cause various
shadow-manipulating tools to create lock files with the incorrect
shadow_t label.

Signed-off-by: Antonio Enrico Russo <[email protected]>

Author: aerusso

policy/modules/admin/usermanage.te

@@ -249,7 +249,6 @@ auth_use_nsswitch(groupadd_t)
 # domtrans_chk_passwd() call.
 auth_manage_shadow(groupadd_t)
 auth_relabel_shadow(groupadd_t)
-auth_etc_filetrans_shadow(groupadd_t)
 
 seutil_read_config(groupadd_t)
 seutil_read_file_contexts(groupadd_t)
@@ -349,7 +348,6 @@ auth_run_chk_passwd(passwd_t, passwd_roles)
 auth_run_upd_passwd(passwd_t, passwd_roles)
 auth_manage_shadow(passwd_t)
 auth_relabel_shadow(passwd_t)
-auth_etc_filetrans_shadow(passwd_t)
 auth_use_nsswitch(passwd_t)
 
 # allow checking if a shell is executable
@@ -438,7 +436,6 @@ term_use_all_ptys(sysadm_passwd_t)
 
 auth_manage_shadow(sysadm_passwd_t)
 auth_relabel_shadow(sysadm_passwd_t)
-auth_etc_filetrans_shadow(sysadm_passwd_t)
 auth_use_nsswitch(sysadm_passwd_t)
 
 # allow vipw to exec the editor
@@ -534,7 +531,6 @@ auth_use_nsswitch(useradd_t)
 # domtrans_chk_passwd() call.
 auth_manage_shadow(useradd_t)
 auth_relabel_shadow(useradd_t)
-auth_etc_filetrans_shadow(useradd_t)
 
 init_use_fds(useradd_t)
 init_rw_utmp(useradd_t)

policy/modules/system/authlogin.if

@@ -719,6 +719,8 @@ interface(`auth_manage_shadow',`
 	auth_manage_shadow_history($1)
 	auth_rw_shadow_lock($1)
 	allow $1 shadow_t:file manage_file_perms;
+	auth_etc_filetrans_shadow($1, "shadow-")
+	auth_etc_filetrans_shadow($1, "gshadow-")
 	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
 ')
 
@@ -859,9 +861,13 @@ interface(`auth_relabel_shadow',`
 interface(`auth_rw_shadow_lock',`
 	gen_require(`
 		type shadow_lock_t;
+		type etc_t;
 	')
 
-	rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
+	files_etc_filetrans($1, shadow_lock_t, file, ".pwd.lock")
+	files_etc_filetrans($1, shadow_lock_t, file, "passwd.lock")
+	files_etc_filetrans($1, shadow_lock_t, file, "group.lock")
+	rw_files_pattern($1, etc_t, shadow_lock_t)
 ')
 
 ########################################

policy/modules/system/systemd.te

@@ -1893,7 +1893,6 @@ kernel_read_kernel_sysctls(systemd_sysusers_t)
 selinux_use_status_page(systemd_sysusers_t)
 
 auth_manage_shadow(systemd_sysusers_t)
-auth_etc_filetrans_shadow(systemd_sysusers_t)
 auth_use_nsswitch(systemd_sysusers_t)
 
 seutil_libselinux_linked(systemd_sysusers_t)