Bug 1956302 - Confined sysadm users cannot read the content of /etc/shadow, even when using getent
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-05-03 12:44 UTC by Renaud Métrich
Modified: 2021-05-04 14:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:




Links
Red Hat Knowledge Base (Solution) 6012421 (last updated 2021-05-03 13:24:07 UTC)

Description Renaud Métrich 2021-05-03 12:44:07 UTC
Description of problem:

With the current policy, sysadm_t users cannot read the content of /etc/shadow after sudoing: nothing is returned and no AVC pops up (because there is a dontaudit rule):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ id -Z
sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023

$ sudo getent shadow
--> empty
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Note that using **sudo -r sysadm_r** doesn't help either here (which is the usual workaround for BZ #1943572):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ sudo -r sysadm_r getent shadow
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is because **sysadm_t** (the context of getent since it's labeled with bin_t) has no rule for that in the policy (there is only a dontaudit rule to hide the AVC):

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# sesearch --dontaudit -s sysadm_t -t shadow_t -c file -p read
dontaudit sysadm_t shadow_t:file { getattr ioctl lock open read };

# sesearch --allow -s sysadm_t -t shadow_t -c file -p read
--> nothing
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Does that make sense to allow sysadm_t to do this???
YES because sysadm_t can already **edit** the file using **/usr/sbin/vipw** (so can actually do more ...).


Version-Release number of selected component (if applicable):

RHEL7 and RHEL8 policies


How reproducible:

Always, see above.

Additional info:

My recommendation is to add the following rule:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
auth_read_shadow(sysadm_t)
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Note that because of BZ #1943572, this won't solve the issue for **sudo getent shadow**, only for **sudo -r sysadm_r getent shadow**.
I would hence recommend that RFE BZ #1910077 gets implemented ASAP.

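The following is an added example, not code from the bug report or from the selinux-policy project. It turns the reporter's diagnosis into a small script: a check that distinguishes a real allow rule from the dontaudit rule that silently hides the denial, and a minimal local policy module that adds the recommended auth_read_shadow() rule. The sesearch output used as sample input is constructed here (the stock sample is the single dontaudit line quoted above; the patched sample assumes the interface expands to a matching allow rule), and the module name sysadm_read_shadow is an arbitrary choice. Note the reporter's caveat still applies: with this rule loaded, `sudo -r sysadm_r getent shadow` works, but plain `sudo getent shadow` remains affected by BZ #1943572.

```shell
#!/bin/bash
# Added example (not the reporter's or the selinux-policy project's code).
# Checks whether a domain has an *allow* rule, not merely a dontaudit, for
# reading shadow_t files, and emits a local module adding auth_read_shadow().
# Assumptions: setools `sesearch` output format as quoted in the report; the
# auth_read_shadow() interface from the reporter's recommendation; the module
# name "sysadm_read_shadow" is arbitrary.
set -u

# Constructed sample of
#   sesearch --allow --dontaudit -s sysadm_t -t shadow_t -c file -p read
# on the stock policy: only the dontaudit line the reporter quotes.
STOCK_RULES='dontaudit sysadm_t shadow_t:file { getattr ioctl lock open read };'

# Constructed sample of the same query after a module with
# auth_read_shadow(sysadm_t) is loaded (assumed expansion of the interface).
PATCHED_RULES='dontaudit sysadm_t shadow_t:file { getattr ioctl lock open read };
allow sysadm_t shadow_t:file { getattr ioctl lock open read };'

# has_allow_read SRC RULES
#   Returns 0 if RULES (sesearch output) contains an allow rule giving SRC
#   "read" on shadow_t:file, written either as "{ ... read ... }" or as a
#   bare "read". dontaudit lines are ignored: they hide the AVC, they do
#   not grant access.
has_allow_read() {
  local src=$1 rules=$2
  printf '%s\n' "$rules" |
    grep -Eq "^allow ${src} shadow_t:file (\{[^}]*[[:space:]]read[[:space:]][^}]*\}|read);"
}

# diagnose SRC RULES
#   Prints "allowed", "dontaudit-only" (the reporter's case: access fails
#   with no AVC logged), or "denied" (access fails and an AVC is logged).
diagnose() {
  local src=$1 rules=$2
  if has_allow_read "$src" "$rules"; then
    echo allowed
  elif printf '%s\n' "$rules" | grep -Eq "^dontaudit ${src} shadow_t:file "; then
    echo dontaudit-only
  else
    echo denied
  fi
}

# live_rules SRC
#   Queries the loaded policy when setools is installed; otherwise falls
#   back to the constructed stock sample so the script runs offline too.
live_rules() {
  local src=$1
  if command -v sesearch >/dev/null 2>&1; then
    sesearch --allow --dontaudit -s "$src" -t shadow_t -c file -p read 2>/dev/null
  else
    printf '%s\n' "$STOCK_RULES"
  fi
}

# te_module SRC
#   Emits .te source for a local module granting SRC read access to shadow_t
#   through auth_read_shadow(). Build and load with selinux-policy-devel:
#     make -f /usr/share/selinux/devel/Makefile sysadm_read_shadow.pp
#     semodule -i sysadm_read_shadow.pp
te_module() {
  local src=$1
  cat <<EOF
policy_module(sysadm_read_shadow, 1.0)

require {
    type ${src};
}

auth_read_shadow(${src})
EOF
}

# Demonstration: the reporter's situation, then the same query after the fix.
echo "stock policy:  $(diagnose sysadm_t "$STOCK_RULES")"    # dontaudit-only
echo "with the rule: $(diagnose sysadm_t "$PATCHED_RULES")"  # allowed
echo "this host:     $(diagnose sysadm_t "$(live_rules sysadm_t)")"
```

To apply the fix on a real host, redirect `te_module sysadm_t` into sysadm_read_shadow.te, build it with the devel Makefile shown in the comment, load it with semodule, and rerun the sesearch query: the verdict should change from dontaudit-only to allowed.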
