
[meta-selinux,whinlatter] refpolicy: locallogin - allow local_login_t lastlog_t create,delete



Clayton Casciato March 23, 2026, 2:49 p.m. UTC
Signed-off-by: Clayton Casciato <majortomtosourecontrol@gmail.com>
---
 ...ystem-locallogin-allow-local_login_t.patch | 149 ++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |   1 +
 2 files changed, 150 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0061-policy-modules-system-locallogin-allow-local_login_t.patch

diff --git a/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-locallogin-allow-local_login_t.patch b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-locallogin-allow-local_login_t.patch
new file mode 100644
index 0000000..d5a63bb
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0061-policy-modules-system-locallogin-allow-local_login_t.patch
@@ -0,0 +1,149 @@ 
+From 9cee0ec6ec9bb0af826f0f2af88e36159429e1e7 Mon Sep 17 00:00:00 2001
+From: Clayton Casciato <ccasciato@21sw.us>
+Date: Thu, 15 Jan 2026 16:27:43 -0700
+Subject: [PATCH] locallogin: allow local_login_t lastlog_t create,delete
+
+Note that the { read } AVC denial was not addressed.
+
+It is currently unknown what specifically triggers this and Fedora
+policy does not appear to allow this.
+
+--
+
+Fedora:
+
+https://github.com/fedora-selinux/selinux-policy/commit/fe29879463b7176dab24c0a9210131fa6e7cd130
+"Allow systemd (PID 1) create lastlog entries"
+
+--
+
+pam_lastlog2(login:session): Cannot open database
+(/var/lib/lastlog/lastlog2.db): unable to open database file
+
+PROCTITLE proctitle=2F62696E2F6C6F67696E002D70002D2D00726F6F74
+
+AVC avc:  denied  { getattr } for  pid=244 comm="login"
+path="/var/lib/lastlog" dev="vda" ino=32776
+scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+SYSCALL arch=c00000b7 syscall=79 success=yes exit=0 a0=ffffffffffffff9c
+a1=55557ab4db98 a2=7ffff6dd39c0 a3=100 items=0 ppid=1 pid=244
+auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+tty=ttyAMA0 ses=4294967295 comm="login" exe="/usr/bin/login.shadow"
+subj=system_u:system_r:local_login_t:s0 key=(null)
+
+--
+
+PROCTITLE proctitle=2F62696E2F6C6F67696E002D70002D2D00726F6F74
+
+AVC avc:  denied  { search } for  pid=244 comm="login" name="lastlog"
+dev="vda" ino=32776 scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+SYSCALL arch=c00000b7 syscall=79 success=no exit=-2 a0=ffffffffffffff9c
+a1=55557ab4db98 a2=7ffff6dd39c0 a3=100 items=0 ppid=1 pid=244
+auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+tty=ttyAMA0 ses=4294967295 comm="login" exe="/usr/bin/login.shadow"
+subj=system_u:system_r:local_login_t:s0 key=(null)
+
+--
+
+PROCTITLE proctitle=2F62696E2F6C6F67696E002D70002D2D00726F6F74
+
+AVC avc:  denied  { write } for  pid=244 comm="login" name="lastlog"
+dev="vda" ino=32776 scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+AVC avc:  denied  { add_name } for  pid=244 comm="login"
+name="lastlog2.db" scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+AVC avc:  denied  { create } for  pid=244 comm="login"
+name="lastlog2.db" scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
+
+SYSCALL arch=c00000b7 syscall=56 success=yes exit=4 a0=ffffffffffffff9c
+a1=55557ab4e2b4 a2=88042 a3=1a4 items=4 ppid=1 pid=244 auid=4294967295
+uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyAMA0
+ses=4294967295 comm="login" exe="/usr/bin/login.shadow"
+subj=system_u:system_r:local_login_t:s0 key=(null)
+
+CWD cwd="/"
+
+PATH item=0 name=(null) inode=32776 dev=fe:00 mode=040755 ouid=0 ogid=0
+rdev=00:00 obj=system_u:object_r:lastlog_t:s0 nametype=PARENT cap_fp=0
+cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+
+PATH item=1 name=(null) nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0
+cap_fver=0 cap_frootid=0
+
+PATH item=2 name=(null) inode=32776 dev=fe:00 mode=040755 ouid=0 ogid=0
+rdev=00:00 obj=system_u:object_r:lastlog_t:s0 nametype=PARENT cap_fp=0
+cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+
+PATH item=3 name=(null) inode=32867 dev=fe:00 mode=0100644 ouid=0 ogid=0
+rdev=00:00 obj=system_u:object_r:lastlog_t:s0 nametype=CREATE cap_fp=0
+cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
+
+--
+
+PROCTITLE proctitle=2F62696E2F6C6F67696E002D70002D2D00726F6F74
+
+AVC avc:  denied  { read } for  pid=244 comm="login" name="lastlog"
+dev="vda" ino=32776 scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+AVC avc:  denied  { open } for  pid=244 comm="login"
+path="/var/lib/lastlog" dev="vda" ino=32776
+scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+SYSCALL arch=c00000b7 syscall=56 success=yes exit=6 a0=ffffffffffffff9c
+a1=7ffff6dd5740 a2=80000 a3=0 items=0 ppid=1 pid=244 auid=4294967295
+uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyAMA0
+ses=4294967295 comm="login" exe="/usr/bin/login.shadow"
+subj=system_u:system_r:local_login_t:s0 key=(null)
+
+--
+
+PROCTITLE proctitle=2F62696E2F6C6F67696E002D70002D2D00726F6F74
+
+AVC avc:  denied  { remove_name } for  pid=244 comm="login"
+name="lastlog2.db-journal" dev="vda" ino=32868
+scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=dir permissive=1
+
+AVC avc:  denied  { unlink } for  pid=244 comm="login"
+name="lastlog2.db-journal" dev="vda" ino=32868
+scontext=system_u:system_r:local_login_t:s0
+tcontext=system_u:object_r:lastlog_t:s0 tclass=file permissive=1
+
+SYSCALL arch=c00000b7 syscall=35 success=yes exit=0 a0=ffffffffffffff9c
+a1=55557ab4e2d2 a2=0 a3=7fff4a1abb68 items=0 ppid=1 pid=244
+auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+tty=ttyAMA0 ses=4294967295 comm="login" exe="/usr/bin/login.shadow"
+subj=system_u:system_r:local_login_t:s0 key=(null)
+
+Signed-off-by: Clayton Casciato <ccasciato@21sw.us>
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/93a6a53391f13d13a1d7e84872ccc227b5c550ec]
+
+Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
+---
+ policy/modules/system/locallogin.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 75ee52efd..5840ad5a9 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -122,6 +122,8 @@ term_relabel_all_ttys(local_login_t)
+ term_setattr_all_ttys(local_login_t)
+ term_setattr_unallocated_ttys(local_login_t)
+ 
++auth_create_lastlog(local_login_t)
++auth_delete_lastlog(local_login_t)
+ auth_rw_login_records(local_login_t)
+ auth_rw_faillog(local_login_t)
+ auth_manage_pam_runtime_dirs(local_login_t)
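Review bot: The `{ read }` and `{ open }` denials on the `/var/lib/lastlog` directory in the quoted trace are knowingly left unaddressed (the header says so), so with this patch applied and the policy enforcing, login will still be refused that open; the audit line shows syscall 56 (openat on aarch64) with a2=80000, i.e. a plain O_RDONLY|O_CLOEXEC open of the directory, which looks like SQLite opening the database directory to fsync it, though that is inferred. Before merging, please run in enforcing mode and record in the patch header whether pam_lastlog2 still logs in cleanly with that open refused — the `Cannot open database` message quoted above does not by itself show which denial caused it — and if the failure is benign, silence it with a dontaudit through an authlogin interface rather than leaving a recurring AVC, otherwise the permission needs granting. The `getattr`, `search`, `write` and `add_name` directory denials are only covered if `auth_create_lastlog` from patch 0060 grants them; 0060 is not on this page, so a one-line comment next to the two new rules, `# pam_lastlog2 creates/unlinks its sqlite db and journal under /var/lib/lastlog (dir perms via auth_create_lastlog, 0060)`, would let a reviewer confirm coverage without reading the other patch. The Signed-off-by address in the outer message (`majortomtosourecontrol@gmail.com`) differs from the one inside the patch (`majortomtosourcecontrol@gmail.com`); one of them looks like a typo.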
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index b69cc31..3af37c5 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -76,6 +76,7 @@  SRC_URI += " \
         file://0058-policy-modules-system-logging-allow-miscfiles_read_g.patch \
         file://0059-policy-modules-system-authlogin-label-var_lib_lastlo.patch \
         file://0060-policy-modules-system-authlogin-add-auth_create_last.patch \
+        file://0061-policy-modules-system-locallogin-allow-local_login_t.patch \
         "
 
 S = "${UNPACKDIR}/refpolicy"