
[rhelv5-list] SELinux and sharing /etc/shadow...

Scott Bambrough

2008-01-25

We are working on a management tool that attempts to set up
mod-auth-shadow to work on RedHat 5.1 with SELinux in enforcing mode.

Based on the following excerpt from the httpd_selinux man page:

"If you want to share files with multiple domains (Apache, FTP, rsync,
Samba), you can set a file context of public_content_t and
public_content_rw_t. These context allow any of the above domains to
read the content.  If you want a particular domain to write to the
public_content_rw_t domain, you must set the appropriate boolean.
allow_DOMAIN_anon_write. So for httpd you would execute:

setsebool -P allow_httpd_anon_write=1
    or
setsebool -P allow_httpd_sys_script_anon_write=1"

we have set the file context of /etc/shadow to public_content_t. The
file permissions remain unchanged, only root can read the file.

[root@(protected)
-r-------- root root root:object_r:public_content_t  /etc/shadow

This almost works correctly:
1) mod-auth-shadow works correctly
2) can manage users via command line tools (useradd/usermod/userdel etc.)
3) system-config-users can manage users
4) my management tool can manage users

I have some problems with this setup, however:

1) I'm not sure of all the implications of changing the file context of
/etc/shadow to public_content_t. Basically I'm getting confused as to
how someone or some process gets write permissions to the file.

2) An rpm that attempts to add a user in a pre/post install script fails
to add the user.  useradd is denied write access to /etc/shadow.

3) I get a lot of the following SELinux alerts:

  SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow (public_content_t).

4) I also suspect the following scenario will fail, but I haven't
verified it yet:

a) install an rpm that adds a user
b) set the file context of /etc/shadow to public_content_t
c) remove the previously installed rpm.

I suspect a userdel in a postun script will fail with a write denial for
/etc/shadow.

Do I have to set the file context of /etc/shadow to public_content_rw_t,
and set a boolean to allow anonymous writes? There doesn't seem to be
any such boolean for rpm.

Scott
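A small audit script, added here as an example and not part of Scott's post or of any Red Hat tool: it checks the type field of an "ls -Z" line against the type expected for /etc/shadow (shadow_t, the targeted policy's default, is assumed) and collapses repeated SELinux alerts of the kind quoted above into one "domain permission type" count per distinct combination. All input is constructed inline, so it runs without root or a live SELinux system.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a file's SELinux
# type and summarises setroubleshoot-style alerts. Input is constructed
# and supplied inline; on a real system you would feed it the output
# of "ls -Z /etc/shadow" and the alert lines from the audit log.

# Constructed "ls -Z" style line matching what the post shows.
SAMPLE_LSZ='-r-------- root root root:object_r:public_content_t  /etc/shadow'

# Constructed alert lines in the style quoted in the post.
SAMPLE_ALERTS='SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow (public_content_t).
SELinux is preventing /usr/sbin/useradd (useradd_t) "write" to shadow (public_content_t).
SELinux is preventing /sbin/unix_update (updpwd_t) "read" to shadow (public_content_t).'

# Print the SELinux type, i.e. the third field of the user:role:type
# context that "ls -Z" shows as the fourth column.
context_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# Succeed (exit 0) only if the file's type equals the expected type.
# shadow_t is assumed to be the policy default for /etc/shadow.
check_type() {
    [ "$(context_type "$1")" = "$2" ]
}

# Reduce each alert to "domain permission type", then count each
# distinct combination so repeated alerts collapse into one line.
summarise_alerts() {
    printf '%s\n' "$1" |
      sed -n 's/^SELinux is preventing [^ ]* (\([^)]*\)) "\([^"]*\)" to [^ ]* (\([^)]*\))\.$/\1 \2 \3/p' |
      sort | uniq -c | sed 's/^ *//'
}

# Stand-alone run over the constructed data.
if ! check_type "$SAMPLE_LSZ" shadow_t; then
    echo "/etc/shadow type is $(context_type "$SAMPLE_LSZ"), expected shadow_t"
fi
summarise_alerts "$SAMPLE_ALERTS"
```

The second column of the summary is the source domain; any domain other than the ones the policy already lets at shadow_t (useradd_t, updpwd_t and the like) showing up against a relabelled /etc/shadow is the thing to look at.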
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list