
Allow greeter to update password #630

Closed

Conversation

dsugar100
Contributor

Greeter prompted for password change due to forced password reset or expired

node=localhost type=AVC msg=audit(1689808000.944:499): avc: denied { write } for pid=2421 comm="lightdm" name="etc" dev="dm-1" ino=262146 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689808000.944:499): avc: denied { add_name } for pid=2421 comm="lightdm" name=".pwd.lock" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689808000.944:499): avc: denied { create } for pid=2421 comm="lightdm" name=".pwd.lock" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.119:504): avc: denied { remove_name } for pid=2421 comm="lightdm" name="nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689808001.112:502): avc: denied { create } for pid=2421 comm="lightdm" name="nshadow" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.112:502): avc: denied { write } for pid=2421 comm="lightdm" path="/etc/nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.113:503): avc: denied { setattr } for pid=2421 comm="lightdm" name="nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.119:504): avc: denied { rename } for pid=2421 comm="lightdm" name="nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.119:504): avc: denied { unlink } for pid=2421 comm="lightdm" name="shadow" dev="dm-1" ino=263022 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
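As an added example (not code from this PR or from refpolicy), the following Python script groups the AVC denials quoted in the description into audit2allow-style rules keyed by source type, target type and object class, and separately reports any rule whose target is `shadow_t`, the direct shadow access that the review below asks to be kept behind a tunable. The function names and the `SENSITIVE_TYPES` set are my own choices; the sample input is a copy of the nine denial lines above.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC lines quoted in the PR description.
SAMPLE_AVCS = """\
node=localhost type=AVC msg=audit(1689808000.944:499): avc: denied { write } for pid=2421 comm="lightdm" name="etc" dev="dm-1" ino=262146 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689808000.944:499): avc: denied { add_name } for pid=2421 comm="lightdm" name=".pwd.lock" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689808000.944:499): avc: denied { create } for pid=2421 comm="lightdm" name=".pwd.lock" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.119:504): avc: denied { remove_name } for pid=2421 comm="lightdm" name="nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1689808001.112:502): avc: denied { create } for pid=2421 comm="lightdm" name="nshadow" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.112:502): avc: denied { write } for pid=2421 comm="lightdm" path="/etc/nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.113:503): avc: denied { setattr } for pid=2421 comm="lightdm" name="nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.119:504): avc: denied { rename } for pid=2421 comm="lightdm" name="nshadow" dev="dm-1" ino=263052 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689808001.119:504): avc: denied { unlink } for pid=2421 comm="lightdm" name="shadow" dev="dm-1" ino=263022 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
"""

# Fields needed from one AVC record. The permission set may hold several
# space-separated names, e.g. "{ read write }"; runs of whitespace vary
# between audit front-ends, so \s+ is used throughout.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line: str):
    """Parse one audit line; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: the kernel logged the access but did not block it
        "permissive": m.group("permissive") == "1",
    }


def summarise(text: str):
    """Group denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def to_allow_rules(summary):
    """Render the grouping as audit2allow-style allow rules, sorted by key."""
    out = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return out


# Target types whose access should be reviewed (and probably made conditional)
# rather than granted outright. Assumed list; shadow_t is the one in this PR.
SENSITIVE_TYPES = {"shadow_t"}


def sensitive_rules(summary):
    """Return only the rendered rules whose target type is in SENSITIVE_TYPES."""
    return to_allow_rules({k: v for k, v in summary.items() if k[1] in SENSITIVE_TYPES})


if __name__ == "__main__":
    summary = summarise(SAMPLE_AVCS)
    flagged = set(sensitive_rules(summary))
    for rule in to_allow_rules(summary):
        print(rule + ("   # REVIEW: sensitive target type" if rule in flagged else ""))
```

Run on the quoted denials this yields three rules; the `etc_t` directory and `.pwd.lock` file accesses are the ordinary lock-file handling of the password tools, while the single `shadow_t` rule (create/write/setattr/rename/unlink of `nshadow` and `shadow`) is the one a reviewer would want gated, which is exactly the conditionality question raised in the thread.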
Member

@pebenito pebenito left a comment

I think this should be conditional, since this is direct shadow passwd access.

@dsugar100
Contributor Author

While I agree it sounds like a good idea, when including 'auth_manage_shadow' in a tunable_policy block, I'm getting an error due to this in the interface:
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;

The error I'm seeing:
policy/modules/services/xserver.te:531:ERROR 'syntax error' at token 'typeattribute' on line 2117882:
typeattribute xdm_t can_read_shadow_passwords, can_write_shadow_passwords;
#line 531

Unless I misunderstood what you are asking for?

@pebenito
Member

pebenito commented Sep 5, 2023

@dsugar100
Contributor Author

Finally getting back to this. And I think that this is the wrong change to be made. But, what I'm seeing is a side effect of the changes made in #631 to label /etc/security/opasswd as shadow_t. While I think that etc_t is the wrong type for /etc/security/opasswd (because it contains passwords) I'm discovering that shadow_t might not be the best. pam_unix is SELinux aware and does stuff differently when it can't read /etc/shadow (by launching the helper to make the updates) but pam_pwhistory isn't so aware and checks /etc/security/opasswd in the context of the program changing the password. So, xdm_t (and local_login_t) need to be able to read /etc/security/opasswd, but labeling it shadow_t causes problems. I'm looking at labeling /etc/security/opasswd with a new type (shadow_history_t).

@dsugar100
Contributor Author

Closing this in favor of #674, which fixes issues I introduced with #631.

@dsugar100 dsugar100 closed this Sep 12, 2023