Skip to content

file_contexts: make /usr/share/pam equivalent to /etc#1125

Open
0xC0ncord wants to merge 1 commit into
SELinuxProject:mainfrom
0xC0ncord:fix/pam-contexts
Open

file_contexts: make /usr/share/pam equivalent to /etc#1125
0xC0ncord wants to merge 1 commit into
SELinuxProject:mainfrom
0xC0ncord:fix/pam-contexts

Conversation

@0xC0ncord
Copy link
Copy Markdown
Contributor

@0xC0ncord 0xC0ncord commented May 17, 2026

PAM 1.7.2 makes the vendordir build option the default. This puts PAM's config files in /usr/share/pam rather than /etc. Unfortunately this makes the default file contexts for these files usr_t which breaks many things.

Fix this by adding a file equivalence rule for /usr/share/pam.

Bug: https://bugs.gentoo.org/973082
Closes: #1123

@0xC0ncord
file_contexts: make /usr/share/pam equivalent to /etc
35fa8d3 
PAM 1.7.2 makes the vendordir build option the default. This puts PAM's
config files in /usr/share/pam rather than /etc. Unfortunately this
makes the default file contexts for these files usr_t which breaks many
things.

Fix this by adding a file equivalence rule for /usr/share/pam.

Bug: https://bugs.gentoo.org/973082
Closes: SELinuxProject#1123
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
@thesamesam thesamesam mentioned this pull request May 18, 2026
Open
@pebenito
Copy link
Copy Markdown
Member

pebenito commented May 18, 2026

Actually, I think we want #1123 instead. My understanding is the vendordir stuff is supposed to be the defaults, and if you want to change an option, then you place the modified configuration file in /etc. In that scenario, we would want /usr/share/pam to be read-only except to only to the package manager and sysadm.

@thesamesam
Copy link
Copy Markdown
Contributor

thesamesam commented May 18, 2026

My understanding is the vendordir stuff is supposed to be the defaults, and if you want to change an option, then you place the modified configuration file in /etc. In that scenario, we would want /usr/share/pam to be read-only except to only to the package manager and sysadm.

Yeah, that's right. More projects are moving to that because libeconf makes it easy to do so.

@0xC0ncord
Copy link
Copy Markdown
Contributor Author

0xC0ncord commented May 19, 2026

Actually, I think we want #1123 instead. My understanding is the vendordir stuff is supposed to be the defaults, and if you want to change an option, then you place the modified configuration file in /etc. In that scenario, we would want /usr/share/pam to be read-only except to only to the package manager and sysadm.

How should this apply for pam_namespace? In my testing, PAM tries to execute /usr/share/pam/security/namespace.init if /etc/security/namespace.init doesn't exist so this should be at least bin_t there too, unless a new type is deemed appropriate.

@pebenito
Copy link
Copy Markdown
Member

pebenito commented May 19, 2026

Yes, that sounds right.

thesamesam added a commit to thesamesam/refpolicy that referenced this pull request May 27, 2026
@thesamesam
authlogin: label /usr/share/pam/security/namespace.init as bin_t
b7b6259 
Per SELinuxProject#1125 (comment),
pam_namespace tries /etc/security/namespace.init then /usr/share/pam/security/namespace.init,
so it needs to be bin_t.

Signed-off-by: Sam James <sam@gentoo.org>
@thesamesam
Copy link
Copy Markdown
Contributor

thesamesam commented May 27, 2026

I've reopened #1123 and added the label there. I don't use pam_namespace so I can't test that easily.

thesamesam added a commit to thesamesam/refpolicy that referenced this pull request May 27, 2026
@thesamesam
authlogin: label /usr/share/pam/security/namespace.init as bin_t
ca8ab9d 
Per SELinuxProject#1125 (comment),
pam_namespace tries /etc/security/namespace.init then /usr/share/pam/security/namespace.init,
so it needs to be bin_t.

Signed-off-by: Sam James <sam@gentoo.org>
thesamesam added a commit to thesamesam/refpolicy that referenced this pull request May 27, 2026
@thesamesam
authlogin: allow pam_domain to read /usr/share/pam
6aeb605 
.. by allowing /usr overall. pam installs these configuration files there
as its `vendordir`. It also does this since aea30822e2fa6f87faf2541da140f69dfdfee728.

(I think that commit message isn't quite right: it seems to do this regardless
of libeconf support.)

This comes from auth_use_pam which sudo and su use:
```
AVC avc:  denied  { getattr } for  pid=239941 comm="su" path="/usr/share/pam/security/faillock.conf" dev="dm-0" ino=3227904748
scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0
tclass=file

AVC avc:  denied  { read } for  pid=239938 comm="sudo" name="pam_env.conf" dev="dm-0" ino=3227906195
scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0
tclass=file
```

This is a followup to 169f725.

Bug: https://bugs.gentoo.org/973082
See-also: SELinuxProject#1125
Signed-off-by: Sam James <sam@gentoo.org>
thesamesam added a commit to thesamesam/refpolicy that referenced this pull request May 27, 2026
@thesamesam
authlogin: label /usr/share/pam/security/namespace.init as bin_t
7801558 
Per SELinuxProject#1125 (comment),
pam_namespace tries /etc/security/namespace.init then /usr/share/pam/security/namespace.init,
so it needs to be bin_t.

Closes: SELinuxProject#1125
Signed-off-by: Sam James <sam@gentoo.org>
thesamesam added a commit to thesamesam/refpolicy that referenced this pull request May 27, 2026
@thesamesam
corecommands: label /usr/share/pam/security/namespace.init as bin_t
2cc5c82 
Per SELinuxProject#1125 (comment),
pam_namespace tries /etc/security/namespace.init then /usr/share/pam/security/namespace.init,
so it needs to be bin_t.

Closes: SELinuxProject#1125
Signed-off-by: Sam James <sam@gentoo.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@0xC0ncord @pebenito @thesamesam