Shadow hardening

Posted Mar 22, 2012 16:45 UTC (Thu) by dpquigl (guest, #52852)
Parent article: Shadow hardening

To clarify something. I don't see anything in the description here that makes hardened-shadow incompatible with SELinux. What I think the author is trying to say here is that he hasn't done the policy leg work to get it working with SELinux. He is welcome to come to the SELinux mailing list or the refpolicy mailing list and talk about creating a policy for hardened-shadow with us. Also, without some policy changes I can see tcb potentially running into the same problem.


Shadow hardening

Posted Mar 22, 2012 17:08 UTC (Thu) by jake (editor, #205) [Link]

> I don't see anything in the description here that makes hardened-shadow
> incompatible with SELinux.

Maybe I misunderstood, but I thought the problem wasn't so much policy as it was getting the tcb/hardened-shadows changes working with pam_selinux (or the SELinux changes working with the PAM modules for the others).


Shadow hardening

Posted Mar 22, 2012 22:08 UTC (Thu) by dpquigl (guest, #52852) [Link]

Are they completely getting rid of /etc/passwd? I don't believe pam_selinux actually looks at the shadow file at all. I believe it takes the user name, figures out the SELinux user from that, and chooses the login context properly. I don't see how breaking out shadow would change that. I'll take a look into it. I haven't looked at how either of the projects work yet, but my first concern would be that the shadow files just aren't labeled properly. Any links to the actual projects so I can check them out when I get home?

Shadow hardening

Posted Mar 22, 2012 22:12 UTC (Thu) by dpquigl (guest, #52852) [Link]

Bleh wish I had that edit key. I meant to ask if there are examples of getting this going on Fedora or something like that. That would probably be the best place to test SELinux integration.

Shadow hardening

Posted Mar 23, 2012 9:26 UTC (Fri) by phajdan.jr (subscriber, #83686) [Link]

Thank you for commenting about that. It's not really an incompatibility (and that has nothing to do with pam_selinux), but yeah there are at least two problems here:

1. The policies would need an update. It's not obvious to me how to do that though, since program names are the same as with shadow-utils, e.g. passwd and so on.

2. The code of hardened-shadow needs to be SELinux aware, e.g. to properly set SELinux context for files when replacing them (as far as I understand it).

I'm not sure if I'll find time to do the above myself, but patches to do #2 are welcome, and I can answer any questions to make creation/update of the policy easier.

People interested in the above are welcome to post on the project mailing lists listed on

Shadow hardening

Posted Mar 23, 2012 13:09 UTC (Fri) by dpquigl (guest, #52852) [Link]

I'd recommend joining the SELinux mailing list at I'm sure you will find people to help with both 1 and 2. I'm not sure if shadow-utils is currently SELinux aware or not. It might be, because there was no way of writing different type transition rules for two files in the same directory created by the same process. Eric Paris, I believe, fixed this by making type transitions optionally take a name as their last component. In newer versions of SELinux we should be able to use that to do all this work in policy. I also think that even that might not be needed. If I understand things properly, this stores the new shadow information under its own directory, right? We can label that parent directory properly, and any directories under it and files created under those should have the right contexts.

Copyright © 2018, Eklektix, Inc.