Resolve local_login_t denials #131

Open
1 of 3 tasks
mpalmi opened this issue Apr 24, 2015 · 7 comments

Comments


mpalmi commented Apr 24, 2015

In order to get this system booting in Enforcing, we will need to resolve the remaining kernel_t denials.

Assumptions:

  • Work will be done off of mpalmi/clip@95bafa0
  • Allow rules are needed to get CLIP booting in Enforcing
  • Least privilege access model will be employed
  • refpolicy guidelines for policy development will be followed.

Subtasks:


audit2allow

#============= local_login_t ==============
allow local_login_t kernel_t:unix_dgram_socket sendto;
allow local_login_t staff_t:key { write search };

audit.log

type=CRED_DISP msg=audit(1429891501.782:828): pid=613 uid=0 auid=1000 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="toor" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=AVC msg=audit(1429891501.784:829): avc:  denied  { search } for  pid=613 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1429891501.784:829): avc:  denied  { write } for  pid=613 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=SYSCALL msg=audit(1429891501.784:829): arch=c000003e syscall=250 success=yes exit=0 a0=3 a1=9ac374c a2=7fd119a0682f a3=7fd119c1a2e0 items=0 ppid=1 pid=613 auid=1000 uid=0 gid=1000 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1429891501.786:830): avc:  denied  { sendto } for  pid=613 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1429891501.786:830): arch=c000003e syscall=42 success=yes exit=0 a0=1 a1=7fd11a662740 a2=6e a3=1c items=0 ppid=1 pid=613 auid=1000 uid=0 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 key=(null)
type=USER_END msg=audit(1429891501.786:831): pid=613 uid=0 auid=1000 ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="toor" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=success'
@mpalmi mpalmi added this to the RHEL_7-Alpha3 milestone Apr 24, 2015
mpalmi added a commit to mpalmi/clip that referenced this issue Jun 4, 2015
mpalmi added a commit to mpalmi/clip that referenced this issue Jun 4, 2015

mpalmi commented Jun 4, 2015

Remaining denials:

#============= local_login_t ==============
allow local_login_t kernel_t:unix_dgram_socket sendto;
allow local_login_t shadow_t:file { write rename create unlink setattr };
allow local_login_t staff_t:key { write link };
allow local_login_t sysctl_crypto_t:dir search;
allow local_login_t sysctl_crypto_t:file { read getattr open };

type=AVC msg=audit(1433423000.229:414): avc:  denied  { sendto } for  pid=616 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1433423022.952:423): avc:  denied  { write } for  pid=1236 comm="login" name=".pwd.lock" dev="dm-1" ino=4758 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1433423022.961:424): avc:  denied  { search } for  pid=1236 comm="login" name="crypto" dev="proc" ino=13063 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1433423022.961:424): avc:  denied  { read } for  pid=1236 comm="login" name="fips_enabled" dev="proc" ino=13064 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1433423022.961:424): avc:  denied  { open } for  pid=1236 comm="login" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=13064 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1433423022.961:425): avc:  denied  { getattr } for  pid=1236 comm="login" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=13064 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1433423022.968:426): avc:  denied  { create } for  pid=1236 comm="login" name="nshadow" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1433423022.968:427): avc:  denied  { setattr } for  pid=1236 comm="login" name="nshadow" dev="dm-1" ino=4579 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1433423022.969:428): avc:  denied  { rename } for  pid=1236 comm="login" name="nshadow" dev="dm-1" ino=4579 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1433423022.969:428): avc:  denied  { unlink } for  pid=1236 comm="login" name="shadow" dev="dm-1" ino=7001 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1433423022.975:433): avc:  denied  { write } for  pid=1236 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1433423022.975:433): avc:  denied  { link } for  pid=1236 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key

@mpalmi mpalmi modified the milestones: RHEL_7-Beta, RHEL_7-Alpha3 Jun 4, 2015
@mpalmi mpalmi assigned ghost Jul 23, 2015

ghost commented Sep 9, 2015

@mpalmi can this issue be closed?


ghost commented Sep 15, 2015

@mpalmi can this be closed?


mpalmi commented Sep 15, 2015

Okay, so there are remaining denials here (with dontaudits turned off):

type=AVC msg=audit(1442254013.580:627): avc:  denied  { search } for  pid=614 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254013.580:627): avc:  denied  { write } for  pid=614 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254013.607:631): avc:  denied  { sendto } for  pid=614 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442254055.728:412): avc:  denied  { sendto } for  pid=616 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442254071.076:424): avc:  denied  { write } for  pid=1239 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254071.076:424): avc:  denied  { link } for  pid=1239 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254103.006:461): avc:  denied  { search } for  pid=1239 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254103.006:461): avc:  denied  { search } for  pid=1239 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254103.009:462): avc:  denied  { sendto } for  pid=1239 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442254248.335:418): avc:  denied  { write } for  pid=624 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254248.335:418): avc:  denied  { link } for  pid=624 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254248.344:419): avc:  denied  { sendto } for  pid=624 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442254355.341:505): avc:  denied  { search } for  pid=624 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254355.341:505): avc:  denied  { write } for  pid=624 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254355.342:506): avc:  denied  { sendto } for  pid=624 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442254396.281:417): avc:  denied  { write } for  pid=619 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254396.281:417): avc:  denied  { link } for  pid=619 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254396.288:418): avc:  denied  { sendto } for  pid=619 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442254451.496:498): avc:  denied  { search } for  pid=619 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254451.496:498): avc:  denied  { write } for  pid=619 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254914.326:418): avc:  denied  { write } for  pid=614 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254914.326:418): avc:  denied  { link } for  pid=614 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442254914.334:419): avc:  denied  { sendto } for  pid=614 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442255010.098:504): avc:  denied  { search } for  pid=614 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442255010.098:504): avc:  denied  { write } for  pid=614 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442255010.157:512): avc:  denied  { sendto } for  pid=614 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442266395.331:447): avc:  denied  { write } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266395.331:447): avc:  denied  { link } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266395.337:448): avc:  denied  { sendto } for  pid=612 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442266693.339:529): avc:  denied  { search } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266693.339:529): avc:  denied  { write } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266693.386:542): avc:  denied  { sendto } for  pid=612 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442266710.228:530): avc:  denied  { rlimitinh } for  pid=612 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.228:530): avc:  denied  { siginh } for  pid=612 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.228:530): avc:  denied  { noatsecure } for  pid=612 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.248:531): avc:  denied  { rlimitinh } for  pid=1235 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.248:531): avc:  denied  { siginh } for  pid=1235 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.248:531): avc:  denied  { noatsecure } for  pid=1235 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266713.967:539): avc:  denied  { write } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266713.967:539): avc:  denied  { link } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266713.976:540): avc:  denied  { sendto } for  pid=612 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442266713.982:544): avc:  denied  { rlimitinh } for  pid=1239 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442266713.982:544): avc:  denied  { siginh } for  pid=1239 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442266713.982:544): avc:  denied  { noatsecure } for  pid=1239 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442326780.823:877): avc:  denied  { search } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442326780.823:877): avc:  denied  { write } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442326780.825:878): avc:  denied  { sendto } for  pid=612 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442327053.558:535): avc:  denied  { rlimitinh } for  pid=615 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327053.558:535): avc:  denied  { siginh } for  pid=615 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327053.558:535): avc:  denied  { noatsecure } for  pid=615 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327053.580:536): avc:  denied  { rlimitinh } for  pid=1236 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327053.580:536): avc:  denied  { siginh } for  pid=1236 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327053.580:536): avc:  denied  { noatsecure } for  pid=1236 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327057.049:544): avc:  denied  { write } for  pid=615 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442327057.049:544): avc:  denied  { link } for  pid=615 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442327057.056:545): avc:  denied  { sendto } for  pid=615 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442327057.064:549): avc:  denied  { rlimitinh } for  pid=1240 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442327057.064:549): avc:  denied  { siginh } for  pid=1240 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442327057.064:549): avc:  denied  { noatsecure } for  pid=1240 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442327109.816:641): avc:  denied  { search } for  pid=615 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442327109.816:641): avc:  denied  { write } for  pid=615 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442327109.862:654): avc:  denied  { sendto } for  pid=615 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442327259.833:531): avc:  denied  { rlimitinh } for  pid=620 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327259.833:531): avc:  denied  { siginh } for  pid=620 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327259.833:531): avc:  denied  { noatsecure } for  pid=620 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327259.854:532): avc:  denied  { rlimitinh } for  pid=1238 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327259.854:532): avc:  denied  { siginh } for  pid=1238 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327259.854:532): avc:  denied  { noatsecure } for  pid=1238 comm="unix_chkpwd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442327263.019:540): avc:  denied  { write } for  pid=620 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442327263.019:540): avc:  denied  { link } for  pid=620 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442327263.025:541): avc:  denied  { sendto } for  pid=620 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442327263.035:545): avc:  denied  { rlimitinh } for  pid=1242 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442327263.035:545): avc:  denied  { siginh } for  pid=1242 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
type=AVC msg=audit(1442327263.035:545): avc:  denied  { noatsecure } for  pid=1242 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process

#============= local_login_t ==============
allow local_login_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow local_login_t kernel_t:unix_dgram_socket sendto;
allow local_login_t staff_t:key { write search link };
allow local_login_t staff_t:process { siginh rlimitinh noatsecure };

The process-related denials can likely be ignored, leaving the following:

allow local_login_t kernel_t:unix_dgram_socket sendto;

Logging-related, though /dev/log should have devlog_t as a label, as opposed to kernel_t. This may just be a timing issue.

and

allow local_login_t staff_t:key { write search link };

Password-related?

As it stands, logins work, so I'm not really sure that these denials are a priority. Perhaps we should add this ticket to the watchlist?
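The triage mpalmi does by hand above (group the AVCs into audit2allow-style rules, set aside the process-inheritance denials, look at the odd /dev/log label) can be scripted. The following is an added example, not code from the issue or from the CLIP project. It assumes the AVC lines copied from this thread as its constructed sample input, treats noatsecure/siginh/rlimitinh on the process class as ignorable because refpolicy's domain-transition pattern already dontaudits them (which is why they only appear with dontaudits disabled), and flags a /dev/log peer that is not devlog_t as a labeling hint, following the comment above; that hint text is this example's own wording.

```python
"""Triage SELinux AVC denials into audit2allow-style rules, separating the
process-inheritance noise that refpolicy already dontaudits from the denials
that need a real policy decision."""
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the issue thread above, embedded so
# the example runs offline.
SAMPLE_AVCS = """\
type=AVC msg=audit(1442266693.339:529): avc:  denied  { search } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266693.339:529): avc:  denied  { write } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266693.386:542): avc:  denied  { sendto } for  pid=612 comm="login" path="/dev/log" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1442266710.228:530): avc:  denied  { rlimitinh } for  pid=612 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.228:530): avc:  denied  { siginh } for  pid=612 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266710.228:530): avc:  denied  { noatsecure } for  pid=612 comm="login" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1442266713.967:539): avc:  denied  { write } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266713.967:539): avc:  denied  { link } for  pid=612 comm="login" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=key
type=AVC msg=audit(1442266713.982:544): avc:  denied  { rlimitinh } for  pid=1239 comm="bash" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=toor_u:staff_r:staff_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Emitted on every domain transition once dontaudit rules are disabled
# (semodule -DB); refpolicy's domain transition pattern dontaudits them.
NOISE_PROCESS_PERMS = {"noatsecure", "siginh", "rlimitinh"}


def parse_avc(line):
    """Return stype/ttype/tclass/perms/fields for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    try:
        # A context is user:role:type[:range]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"stype": stype, "ttype": ttype, "tclass": tclass,
            "perms": set(m.group("perms").split()), "fields": fields}


def is_noise(avc):
    """True for the process-inheritance permissions that carry no decision."""
    return avc["tclass"] == "process" and avc["perms"] <= NOISE_PROCESS_PERMS


def format_rule(kind, key, perms):
    """Render one rule in audit2allow style (braces only for several perms)."""
    stype, ttype, tclass = key
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {stype} {ttype}:{tclass} {body};"


def triage(text):
    """Group AVCs by (source type, target type, class) like audit2allow and
    return (allow_rules, dontaudit_rules, hints), each a sorted list."""
    allow, noise, hints = defaultdict(set), defaultdict(set), set()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["stype"], avc["ttype"], avc["tclass"])
        bucket = noise if is_noise(avc) else allow
        bucket[key] |= avc["perms"]
        # Hypothetical hint (this example's wording): the syslog socket should
        # carry devlog_t once labeling has settled, as noted in the thread.
        if avc["fields"].get("path") == "/dev/log" and avc["ttype"] != "devlog_t":
            hints.add(f"/dev/log peer is {avc['ttype']}, expected devlog_t: "
                      "check whether the socket was created before relabeling")
    return ([format_rule("allow", k, p) for k, p in sorted(allow.items())],
            [format_rule("dontaudit", k, p) for k, p in sorted(noise.items())],
            sorted(hints))


if __name__ == "__main__":
    allow_rules, dontaudit_rules, notes = triage(SAMPLE_AVCS)
    print("# needs a policy decision:", *allow_rules, sep="\n")
    print("# already dontaudited by refpolicy:", *dontaudit_rules, sep="\n")
    print("# hints:", *notes, sep="\n")
```

Run it against `ausearch -m AVC -ts boot` output instead of the sample to get the same split for a real boot; the allow list is what still needs an interface call or a justified local rule, the dontaudit list can be dropped.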

@ghost ghost modified the milestones: RHEL_7_Final, RHEL_7-Beta Sep 15, 2015
@ghost ghost added Low Priority and removed Medium Priority labels Sep 15, 2015

ghost commented Oct 6, 2015

@mpalmi can you please update this with what else needs to be done before we can close out the issue? Was this finished when we released Beta?

@minapoli

We need to make sure that this is complete

@minapoli minapoli assigned minapoli and unassigned ghost Jan 13, 2016

minapoli commented Feb 1, 2016

The following allow rules are still missing although /dev/log is labeled devlog_t after boot (not kernel_t) and logins work as-is.

allow local_login_t kernel_t:unix_dgram_socket sendto;
allow local_login_t staff_t:key { write search link };

We can revisit this in future

@minapoli minapoli modified the milestones: Future, RHEL_7_Final Feb 1, 2016