| Summary: | SELinux policy prevents console/gdm (local_login_t/xdm_t) from updating expired passwords | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | ross tyler <retyler> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.5 | CC: | dwalsh, ksrot, mgrepl, mmalik, retyler, ssekidde, tmraz |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-256.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-10-14 07:58:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Could you please attach full raw AVC msgs? ---- xdm.log, raw AVC msgs
type=AVC msg=audit(1386277488.649:2763): avc: denied { module_request } for pid=25348 comm="canberra-gtk-pl" kmod="net-pf-10" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1386277511.102:2814): avc: denied { write } for pid=25359 comm="gdm-session-wor" name=".pwd.lock" dev=dm-0 ino=132229 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.129:2817): avc: denied { add_name } for pid=25359 comm="gdm-session-wor" name="nopasswd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386277511.129:2817): avc: denied { create } for pid=25359 comm="gdm-session-wor" name="nopasswd" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.129:2817): avc: denied { write } for pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.129:2818): avc: denied { setattr } for pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.130:2820): avc: denied { remove_name } for pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386277511.130:2820): avc: denied { rename } for pid=25359 comm="gdm-session-wor" name="nopasswd" dev=dm-0 ino=153170 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386277511.130:2820): avc: denied { unlink } for pid=25359 comm="gdm-session-wor" name="opasswd" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.131:2822): avc: denied { create } for pid=25359 comm="gdm-session-wor" name="nshadow" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.133:2823): avc: denied { setattr } for pid=25359 comm="gdm-session-wor" name="nshadow" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386277511.134:2825): avc: denied { rename } for pid=25359 comm="gdm-session-wor" name="nshadow" dev=dm-0 ino=136472 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
---- login.log, raw AVC msgs
type=AVC msg=audit(1386274939.765:3165): avc: denied { write } for pid=3766 comm="login" name=".pwd.lock" dev="dm-0" ino=131657 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3168): avc: denied { write } for pid=3766 comm="login" name="security" dev="dm-0" ino=135786 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274939.789:3168): avc: denied { add_name } for pid=3766 comm="login" name="nopasswd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274939.789:3168): avc: denied { create } for pid=3766 comm="login" name="nopasswd" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3168): avc: denied { write } for pid=3766 comm="login" path="/etc/security/nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274939.789:3169): avc: denied { setattr } for pid=3766 comm="login" name="nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.087:3171): avc: denied { remove_name } for pid=3766 comm="login" name="nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1386274940.087:3171): avc: denied { rename } for pid=3766 comm="login" name="nopasswd" dev="dm-0" ino=135800 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.087:3171): avc: denied { unlink } for pid=3766 comm="login" name="opasswd" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1386274940.087:3173): avc: denied { create } for pid=3766 comm="login" name="nshadow" scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274940.088:3174): avc: denied { setattr } for pid=3766 comm="login" name="nshadow" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274940.189:3176): avc: denied { rename } for pid=3766 comm="login" name="nshadow" dev="dm-0" ino=141084 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386274940.189:3176): avc: denied { unlink } for pid=3766 comm="login" name="shadow" dev="dm-0" ino=156119 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file
Did you modify the pam stack? It is supposed to be executing a helper app rather than the login programs doing this directly. /usr/sbin/unix_update Good call. Yes, apparently, the significant change I made to password sufficient pam_unix.so lines in /etc/pam.d/*-ac files (post authconfig --updateall) was to add a remember= clause. This used to work with RHEL 6.4 but broke on 6.5. The before/after pam file content did not change between 6.4 and 6.5. However, there was a significant change in the pam-1.1.1-17.el6.x86_64 RPM. The SELinux type of /etc/security/opasswd was changed from etc_t to shadow_t. Changing this back fixes the problem but the right fix would be to move all access to opasswd to the helper (/sbin/unix_update) which already has access to SELinux shadow_t types. So, I think, this is a bug in pam_unix/unix_update. Of course, the SELinux policy modifications mentioned above work too, but that is certainly the wrong thing to do: they grant local_login_t and xdm_t direct write access to shadow_t files, which is precisely what the helper design is meant to avoid. My diagnosis above was thwarted because the pam_unix code only uses the helper if SELinux forces it to do so, and by suspending SELinux (making it permissive) I made pam_unix think that it could do it without its helper. *Additional* Steps to Reproduce: 0a. Install pam-1.1.1-17.el6 0b. Add remember=1 to "password * pam_unix.so *" line in /etc/pam.d/system-auth-ac Workaround: chcon --type etc_t /etc/security/opasswd Revert: restorecon /etc/security/opasswd The remember functionality of pam_unix is deprecated in upstream PAM. I'd prefer not developing it further. The SELinux policy in RHEL-6 should not change the opasswd file to shadow_t. This should have been done only in Fedora/RHEL-7 where the replacement for remember functionality - that is the pam_pwhistory module has its own pwhistory_helper for accessing shadow_t files. (In reply to Tomas Mraz from comment #7) > The remember functionality of pam_unix is deprecated in upstream PAM. I'd > prefer not developing it further. 
The SELinux policy in RHEL-6 should not > change the opasswd file to shadow_t. This should have been done only in > Fedora/RHEL-7 where the replacement for remember functionality - that is the > pam_pwhistory module has its own pwhistory_helper for accessing shadow_t > files. So we should not have /etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0) /etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0) I'd say so. These lines should not have been added to RHEL-6 policy. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1568.html |
Description of problem: SELinux policy prevents console/gdm (local_login_t/xdm_t) from updating expired passwords Version-Release number of selected component (if applicable): 3.7.19-231 How reproducible: Steps to Reproduce: 1. Expire password for a local UNIX user by changing the date of last password change field in shadow(5) to 0 and setting the maximum password age to 1. 2. Login from the serial/graphics console (using agetty/mingetty + login) or from a GDM managed desktop. 3. Enter new password Actual results: Failure Expected results: Success Additional info: Abbreviated AVC /var/log/audit/audit.log entries generated when SELinux is temporarily placed in Permissive mode. tail -f /var/log/audit/audit.log | grep AVC > $event.log setenforce 0 #! console login (login) or gdm login (xdm) event setenforce 1 #! tidy up $event.log for presentation below ---- login.log type=AVC avc: denied { write } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { write } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC avc: denied { add_name } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC avc: denied { create } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { write } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { setattr } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { remove_name } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC avc: denied { rename } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { unlink } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { create } 
scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { setattr } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { rename } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { unlink } scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:shadow_t tclass=file ---- xdm.log type=AVC avc: denied { module_request } scontext=system_u:system_r:xdm_t tcontext=system_u:system_r:kernel_t tclass=system type=AVC avc: denied { write } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { add_name } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC avc: denied { create } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { write } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { setattr } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { remove_name } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=dir type=AVC avc: denied { rename } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:etc_t tclass=file type=AVC avc: denied { unlink } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { create } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { setattr } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:shadow_t tclass=file type=AVC avc: denied { rename } scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:shadow_t tclass=file ---- Resultant SELinux Type Enforcement files generated from audit2allow audit2allow -M login < login.log audit2allow -M xdm < xdm.log ---- login.te module login 1.0; require { 
type etc_t; type local_login_t; type shadow_t; class dir { write remove_name add_name }; class file { rename setattr create write unlink }; } #============= local_login_t ============== #!!!! The source type 'local_login_t' can write to a 'dir' of the following types: # faillog_t, pam_var_run_t, pcscd_var_run_t, pam_var_console_t, local_login_tmp_t, var_lock_t, tmp_t, var_auth_t, var_t, auth_cache_t, cluster_var_lib_t, cluster_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t allow local_login_t etc_t:dir { write remove_name add_name }; allow local_login_t etc_t:file { write rename create unlink setattr }; allow local_login_t shadow_t:file { write rename create unlink setattr }; ---- xdm.te module xdm 1.0; require { type kernel_t; type etc_t; type xdm_t; type shadow_t; class dir { remove_name add_name }; class system module_request; class file { rename setattr create write unlink }; } #============= xdm_t ============== allow xdm_t etc_t:dir { remove_name add_name }; allow xdm_t etc_t:file { write rename create setattr }; #!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules' allow xdm_t kernel_t:system module_request; allow xdm_t shadow_t:file { write rename create unlink setattr }; ---- Correct SELinux policy by installing the SELinux Policy Packages generated from audit2allow semodule -i login.pp semodule -i xdm.pp