mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 01:57:43 +00:00
Code Issues Releases Wiki Activity

Merge usr.bin.passwd profile fixes

Browse Source 
* passwd -e LOGIN was failing
* Allow execution of /usr/sbin/nscd
  See: bee77ffc29/lib/nscd.c (L23-L27)
* Allow pam_passwdqc to read /etc/passwdqc.conf and passwdqc filter
  files (see https://www.openwall.com/passwdqc/)
* Allow setuid & fsetid capabilities
* Allow locking with /etc/shadow.PID & /etc/shadow.lock
* Allow shadow backup /etc/shadow- and whatever /etc/shadow+ is used for

Example failures:

```
type=AVC msg=audit(1740926750.381:99876): apparmor="DENIED" operation="capable" profile="/usr/bin/passwd" pid=16139 comm="passwd" capability=4  capname="fsetid"
type=AVC msg=audit(1740926025.892:99797): apparmor="DENIED" operation="capable" profile="/usr/bin/passwd" pid=14443 comm="passwd" capability=7  capname="setuid"
type=AVC msg=audit(1740926673.852:99871): apparmor="DENIED" operation="link" profile="/usr/bin/passwd" name="/etc/shadow.lock" pid=15961 comm="passwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 target="/etc/shadow.15961"FSUID="root" OUID="root"
type=AVC msg=audit(1740926025.892:99798): apparmor="DENIED" operation="mknod" profile="/usr/bin/passwd" name="/etc/shadow.14443" pid=14443 comm="passwd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1740926502.637:99859): apparmor="DENIED" operation="open" profile="/usr/bin/passwd" name="/etc/shadow-" pid=15555 comm="passwd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0FSUID="root" OUID="root"
type=AVC msg=audit(1740926820.608:99882): apparmor="DENIED" operation="rename_src" profile="/usr/bin/passwd" name="/etc/shadow+" pid=16275 comm="passwd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root"
```

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1566
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
This commit is contained in:
John Johansen 2025-04-04 21:49:15 +00:00
commit 0d6e447d24
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
profiles/apparmor/profiles/extras/usr.bin.passwd
View File

@ -22,6 +22,8 @@ include <tunables/global>
capability chown,
capability sys_resource,
capability setuid,
capability fsetid,
/etc/.pwd.lock wk,
/etc/pwdutils/logging r,
@ -29,6 +31,10 @@ include <tunables/global>
/etc/shadow rwl,
/etc/shadow.old rwl,
/etc/shadow.tmp?????? rwl,
/etc/shadow.[0-9]* rwl,
/etc/shadow.lock rwl,
/etc/shadow- rw,
/etc/shadow+ rw,
@{PROC}/@{pid}/loginuid r,
@ -38,6 +44,9 @@ include <tunables/global>
/usr/share/cracklib/pw_dict.hwm r,
/usr/share/cracklib/pw_dict.pwd r,
/usr/share/cracklib/pw_dict.pwi r,
/etc/passwdqc.conf r,
/opt/passwdqc/*.pwq r,
/usr/sbin/nscd Px,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.passwd>