Stefano Brivio 5e24466677 selinux: Use auth_read_passwd() interface for all our getpwnam() needs ... If passt or pasta are started as root, we need to read the passwd file (be it /etc/passwd or whatever sssd provides) to find out UID and GID of 'nobody' so that we can switch to it. Instead of a bunch of allow rules for passwd_file_t and sssd macros, use the more convenient auth_read_passwd() interface which should cover our usage of getpwnam(). The existing rules weren't actually enough: # strace -e openat passt -f [...] Started as root, will change to nobody. openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 4 openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4 with corresponding SELinux warnings logged in audit.log. Reported-by: Minxi Hou <mhou@redhat.com> Analysed-by: Miloš Malik <mmalik@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com>		2024-11-19 21:10:14 +01:00
..
apparmor	apparmor: Allow read access to /proc/sys/net/ipv4/ip_local_port_range	2024-09-06 15:34:06 +02:00
fedora	fedora/rpkg: List myself as author for changelog entries	2024-07-26 16:40:41 +02:00
kata-containers	Don't abbreviate ip(8) arguments in examples and tests	2022-06-15 09:38:10 +02:00
selinux	selinux: Use auth_read_passwd() interface for all our getpwnam() needs	2024-11-19 21:10:14 +01:00