Rework shadow transitions and access

aerusso · aerusso · commit 2e1dc55e243b · 2026-01-12T20:45:17.000-07:00
shadow access is tightly controlled, with separate types for the shadow
files and the locks.  This patch distinguishes the two by enumerating
the backup filenames and lock file names in their associated file
transition rules.

Prior to this, the overbroad file transition rules would cause various
shadow-manipulating tools to create lock files with the incorrect
shadow_t label.

Signed-off-by: Antonio Enrico Russo &lt;aerusso@aerusso.net&gt;
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
@@ -286,7 +286,7 @@ term_use_all_terms(dpkg_script_t)
 
 files_manage_non_auth_files(dpkg_script_t)
 
-auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
+auth_etc_filetrans_shadow(dpkg_script_t)
 auth_manage_shadow(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
@@ -732,18 +732,22 @@ interface(`auth_manage_shadow',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	The name of the object being created.
-##	</summary>
-## </param>
 #
 interface(`auth_etc_filetrans_shadow',`
 	gen_require(`
 		type shadow_t;
 	')
 
-	files_etc_filetrans($1, shadow_t, file, $2)
+	ifelse(`$2',`',`
+		files_etc_filetrans($1, shadow_t, file, "shadow")
+		files_etc_filetrans($1, shadow_t, file, "shadow-")
+		files_etc_filetrans($1, shadow_t, file, "shadow.upwd-write")
+		files_etc_filetrans($1, shadow_t, file, "gshadow")
+		files_etc_filetrans($1, shadow_t, file, "gshadow-")
+	',`
+		refpolicywarn(`$0($*) second parameter is deprecated.')
+		files_etc_filetrans($1, shadow_t, file, $2)
+	')
 ')
 
 ########################################
@@ -863,6 +867,9 @@ interface(`auth_rw_shadow_lock',`
 	')
 
 	allow $1 shadow_lock_t:file rw_file_perms;
+	files_etc_filetrans($1, shadow_lock_t, file, ".pwd.lock")
+	files_etc_filetrans($1, shadow_lock_t, file, "passwd.lock")
+	files_etc_filetrans($1, shadow_lock_t, file, "group.lock")
 ')
 
 ########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
@@ -412,6 +412,7 @@ term_dontaudit_use_console(updpwd_t)
 term_dontaudit_use_unallocated_ttys(updpwd_t)
 
 auth_manage_shadow(updpwd_t)
+auth_etc_filetrans_shadow(updpwd_t)
 auth_use_nsswitch(updpwd_t)
 
 logging_send_syslog_msg(updpwd_t)
