danwalsh (danwalsh) wrote,

I followed all the rules and built policy with audit2allow and the semodule command blows up; :^(

This blog entry was prompted by a conversation I had with "iv" on the Fedora-SELinux chat room.

He was trying to write policy that allowed sshd to read /etc/shadow.

He followed my instructions from previous blogs but ended up getting a compiler error.

libsepol.check_assertion_helper: assertion on line 0 violated by allow sshd_t shadow_t:file {read } and Expand module failed

The problem was that he needed to satisfy an SELinux constraint.

One of the parts of the SELinux policy language is the ability to define constraints.

Constraints are defined using the neverallow command. Constraints are used to prevent people from writing bad policy, or in the case of MLS, to enforce rules governing information flow.

In targeted policy we have a rule

neverallow ~can_read_shadow_passwords shadow_t:file read;

This command says DON'T allow policy to be compiled which would allow a process type to read files labeled shadow_t, unless that process type also has the attribute "can_read_shadow_passwords".

So "iv" wrote a rule in his policy module that said

allow sshd_t shadow_t:file r_file_perms;

And when the compiler tried to compile this, it conflicted with the constraint and blew up.

"iv" has a couple of things he could do to allow this.

He could change his code to add the can_read_shadow_passwords attribute:

# module name is a placeholder; r_file_perms is a refpolicy macro, so this
# needs the policy_module() header to be compiled as a refpolicy module
policy_module(sshd_shadow, 1.0)

require {
    attribute can_read_shadow_passwords;
    type sshd_t;
    type shadow_t;
}

# satisfy the neverallow before granting the read permission
typeattribute sshd_t can_read_shadow_passwords;

allow sshd_t shadow_t:file r_file_perms;

Or he could use the auth_read_shadow interface, which adds the attribute and the read rules for him:

auth_read_shadow(sshd_t)

Or the best solution, just say no to allowing sshd to read the shadow password.  :^)
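To make the assertion failure concrete, here is an added example (my own, not code from the original post or from libsepol) that models how the compiler evaluates a neverallow over the expanded policy: "~can_read_shadow_passwords" is the complement of the set of types carrying the attribute, so any allow whose source falls in that complement and grants "read" on shadow_t trips the assertion. The type and attribute names are the ones used in the post; the permission set used for r_file_perms and the model of what the auth_read_shadow interface does are assumptions made for this example.

```python
# Added example: a toy model of neverallow assertion checking, NOT libsepol.
from dataclasses import dataclass, field

# Assumption: approximates refpolicy's r_file_perms permission set.
R_FILE_PERMS = frozenset({"getattr", "open", "read", "lock", "ioctl"})


@dataclass
class Policy:
    """Minimal policy store: declared types, attribute memberships, and rules."""
    types: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)   # attribute -> member types
    allows: list = field(default_factory=list)       # (source, target, class, perms)
    neverallows: list = field(default_factory=list)  # (source, target, class, perms)

    def declare_type(self, name):
        self.types.add(name)

    def declare_attribute(self, name):
        self.attributes.setdefault(name, set())

    def typeattribute(self, type_name, attr):
        self.attributes.setdefault(attr, set()).add(type_name)

    def allow(self, src, tgt, cls, perms):
        self.allows.append((src, tgt, cls, frozenset(perms)))

    def neverallow(self, src, tgt, cls, perms):
        self.neverallows.append((src, tgt, cls, frozenset(perms)))

    def expand(self, expr):
        """Resolve a type or attribute name to a set of concrete types.
        A leading '~' is the complement over every declared type, which is
        what ~can_read_shadow_passwords means in the neverallow."""
        negate = expr.startswith("~")
        name = expr.lstrip("~")
        if name in self.attributes:
            members = set(self.attributes[name])
        elif name in self.types:
            members = {name}
        else:
            raise KeyError(f"unknown type or attribute: {name}")
        return (self.types - members) if negate else members

    def check_assertions(self):
        """Return one message per allow rule that some neverallow forbids.
        The check runs over expanded type sets, so an allow written on a
        type and one written on an attribute are judged the same way."""
        violations = []
        for nsrc, ntgt, ncls, nperms in self.neverallows:
            src_set, tgt_set = self.expand(nsrc), self.expand(ntgt)
            for asrc, atgt, acls, aperms in self.allows:
                overlap = aperms & nperms
                if acls != ncls or not overlap:
                    continue
                if self.expand(asrc) & src_set and self.expand(atgt) & tgt_set:
                    violations.append(
                        f"neverallow {nsrc} {ntgt}:{ncls} violated by allow "
                        f"{asrc} {atgt}:{acls} {{ {' '.join(sorted(overlap))} }}")
        return violations


def base_policy():
    """Constructed stand-in for the relevant slice of targeted policy."""
    p = Policy()
    for t in ("sshd_t", "shadow_t", "chkpwd_t", "updpwd_t"):
        p.declare_type(t)
    p.declare_attribute("can_read_shadow_passwords")
    # Only the PAM helper domains carry the attribute in targeted policy.
    p.typeattribute("chkpwd_t", "can_read_shadow_passwords")
    p.typeattribute("updpwd_t", "can_read_shadow_passwords")
    p.neverallow("~can_read_shadow_passwords", "shadow_t", "file", {"read"})
    return p


def auth_read_shadow(p, domain):
    """Assumed model of the auth_read_shadow() interface: grant the attribute
    the constraint demands, then the read rules on shadow_t."""
    p.typeattribute(domain, "can_read_shadow_passwords")
    p.allow(domain, "shadow_t", "file", R_FILE_PERMS)


def module_bare_allow():
    """The rule "iv" wrote: an allow with no attribute. Expect a violation."""
    p = base_policy()
    p.allow("sshd_t", "shadow_t", "file", R_FILE_PERMS)
    return p.check_assertions()


def module_with_typeattribute():
    """Fix 1: put sshd_t in the attribute before the allow rule."""
    p = base_policy()
    p.typeattribute("sshd_t", "can_read_shadow_passwords")
    p.allow("sshd_t", "shadow_t", "file", R_FILE_PERMS)
    return p.check_assertions()


def module_with_interface():
    """Fix 2: let the interface do both steps."""
    p = base_policy()
    auth_read_shadow(p, "sshd_t")
    return p.check_assertions()


if __name__ == "__main__":
    for label, fn in (("bare allow", module_bare_allow),
                      ("typeattribute", module_with_typeattribute),
                      ("auth_read_shadow", module_with_interface)):
        print(f"{label}: {fn() or 'assertions hold'}")
```

Running it prints a violation for the bare allow and "assertions hold" for both fixes, which is the same outcome the real compiler gave "iv": the assertion is not about the allow rule itself but about which set of types the source falls into once attributes are expanded.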

sshd currently uses PAM to check passwords. One of the PAM modules that sshd uses is pam_unix. This module first tries to read /etc/shadow directly. If it gets permission denied it executes /sbin/unix_chkpwd. unix_chkpwd accepts the user name and password and indicates to pam_unix whether the password matches the username.

unix_chkpwd is hundreds of lines of code, versus the thousands of lines of code in sshd. So it is considered a lot easier to verify the security of unix_chkpwd. Targeted policy only allows the unix_chkpwd (chkpwd_t) and unix_update (updpwd_t) programs to read /etc/shadow. Targeted policy has been written for confined programs that link to PAM to allow them to transition to the chkpwd_t and the updpwd_t domains when they execute the helper programs.

Now if a remote exploit of sshd were to be found which allowed crackers to read files remotely via sshd, or worse write them, SELinux would prevent sshd_t from reading the /etc/shadow file and most other important files on the system.