Bug 1066071
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | exim with pam authentication prevented by selinux-policy-targeted | | |
| Product: | [Fedora] Fedora | Reporter: | Martin Welss <martin.welss> |
| Component: | selinux-policy-targeted | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 20 | CC: | dwalsh, martin.welss |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-163.fc20 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-05-08 16:20:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Martin Welss
2014-02-17 15:45:59 UTC
audit.log used to build module
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute } for pid=5226 comm="exim" name="unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { read open } for pid=5226 comm="exim" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute_no_trans } for pid=5226 comm="exim" path="/usr/sbin/unix_chkpwd" dev="vda1" ino=19191 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1392641488.368:109329): arch=c000003e syscall=59 success=yes exit=0 a0=7f33fe54ab38 a1=7fff7746c920 a2=7f33fe7513a0 a3=7f34054d1b10 items=0 ppid=5225 pid=5226 auid=4294967295 uid=93 gid=93 euid=0 suid=0 fsuid=0 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.373:109330): avc: denied { read } for pid=5226 comm="unix_chkpwd" name="shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.373:109330): avc: denied { open } for pid=5226 comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1392641488.373:109330): arch=c000003e syscall=2 success=yes exit=3 a0=7f4adbd0643b a1=80000 a2=1b6 a3=0 items=0 ppid=5225 pid=5226 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.375:109331): avc: denied { getattr } for pid=5226 comm="unix_chkpwd" path="/etc/shadow" dev="vda1" ino=12577 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1392641488.375:109331): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7fffc5ae4b40 a2=7fffc5ae4b40 a3=0 items=0 ppid=5225 pid=5226 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.413:109332): avc: denied { create } for pid=5227 comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1392641488.413:109332): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=9 a3=7fff575eda20 items=0 ppid=5225 pid=5227 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
type=AVC msg=audit(1392641488.415:109333): avc: denied { nlmsg_relay } for pid=5227 comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1392641488.415:109333): arch=c000003e syscall=44 success=yes exit=116 a0=3 a1=7fff575e7160 a2=74 a3=0 items=0 ppid=5225 pid=5227 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm="unix_chkpwd" exe="/usr/sbin/unix_chkpwd" subj=system_u:system_r:exim_t:s0 key=(null)
resulting module:
module pam_exim 1.0;
require {
type shadow_t;
type exim_t;
type chkpwd_exec_t;
class file { getattr read open execute execute_no_trans };
class netlink_audit_socket { nlmsg_relay create };
}
#============= exim_t ==============
allow exim_t chkpwd_exec_t:file { read execute open execute_no_trans };
allow exim_t self:netlink_audit_socket { nlmsg_relay create };
allow exim_t shadow_t:file { read getattr open };
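As an added illustration (not code from the report or from the selinux-policy project), this Python script merges the AVC records above into allow rules the way audit2allow does and then flags any rule that would hand a domain direct access to shadow_t; the grouping logic and the SENSITIVE_TYPES list are my own assumptions, and the sample records are a trimmed copy of the ones posted above.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the first comment, trimmed of dev/ino/pid.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute } for comm="exim" name="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { read open } for comm="exim" path="/usr/sbin/unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.368:109329): avc: denied { execute_no_trans } for comm="exim" path="/usr/sbin/unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1392641488.373:109330): avc: denied { read } for comm="unix_chkpwd" name="shadow" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.373:109330): avc: denied { open } for comm="unix_chkpwd" path="/etc/shadow" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.375:109331): avc: denied { getattr } for comm="unix_chkpwd" path="/etc/shadow" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1392641488.413:109332): avc: denied { create } for comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1392641488.415:109333): avc: denied { nlmsg_relay } for comm="unix_chkpwd" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
"""

SENSITIVE_TYPES = {"shadow_t"}  # assumed list: types a service domain should not touch directly

def parse_avc(line):
    """Return (stype, ttype, tclass, perms) for an AVC denial, None for other record types."""
    m = re.search(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}', line)
    if m is None:  # SYSCALL and other records carry no denial
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    stype = fields["scontext"].split(":")[2]  # context is user:role:TYPE:level
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())

def aggregate(lines):
    """Merge denials into {(stype, ttype, tclass): perms}, as audit2allow does."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in filter(None, map(parse_avc, lines)):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def render_module(name, rules):  # emit .te text in the shape of the module above
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} 1.0;", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {'self' if s == t else t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

def review(rules):  # rules that would hand a domain direct access to a sensitive type
    return sorted((s, t, c, sorted(p)) for (s, t, c), p in rules.items() if t in SENSITIVE_TYPES)
```

The review step reports the direct shadow_t read for exim_t that the generated module above also contains: an audit2allow module reproduces whatever the denied process did, so its rules need reading before semodule -i.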
How does the PAM config look?

Here are the contents of /etc/pam.d/exim:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_tally2.so deny=4 even_deny_root unlock_time=1200
auth include password-auth
account include password-auth
session include password-auth

and the authenticators section from /etc/exim/exim.conf:
begin authenticators
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${if pam{$2:$3}{1}{0}}"
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if pam{$1:$2}{1}{0}}"
server_set_id = $1
commit 66ac4647481fb8326929200863e310a2096468c3 fixes this in git/.

So far this does not seem to be in the current selinux-policy-3.12.1-74.19.fc19. How can I check it out from git? Thanks for any hints!

Hi Martin,
This bug will be included in the next release.
Back ported to F19 Branch.
commit db6193e710ccdfd2a5d34107c0c33b39ebe8ac22
Author: Dan Walsh <dwalsh>
Date: Tue Feb 18 10:10:37 2014 -0500
Allow exim to use pam stack to check passwords
Hi Lukas, sounds great, thank you very much!

I updated my server to Fedora 20: same problem, which results in the following two alerts.
Here are the logs:
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from execute access on the file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that exim should be allowed execute access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:exim_t:s0
Target Context system_u:object_r:chkpwd_exec_t:s0
Target Objects [ file ]
Source exim
Source Path /usr/sbin/exim
Port <Unknown>
Host <Unknown>
Source RPM Packages exim-4.80.1-6.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name kaiman
Platform Linux kaiman 3.13.10-200.fc20.x86_64 #1 SMP Mon
Apr 14 20:34:16 UTC 2014 x86_64 x86_64
Alert Count 16
First Seen 2014-04-30 11:01:35 CEST
Last Seen 2014-04-30 11:04:42 CEST
Local ID 12505edb-8bde-43ea-ab1a-ba8edc23a522
Raw Audit Messages
type=AVC msg=audit(1398848682.25:481): avc: denied { execute } for pid=1108 comm="exim" name="unix_chkpwd" dev="vda1" ino=1705432 scontext=system_u:system_r:exim_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1398848682.25:481): arch=x86_64 syscall=execve success=no exit=EACCES a0=7f6c530713ad a1=7fff512e3470 a2=7f6c532783c0 a3=0 items=0 ppid=1100 pid=1108 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
Hash: exim,exim_t,chkpwd_exec_t,file,execute
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/exim from create access on the netlink_audit_socket .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that exim should be allowed create access on the netlink_audit_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep exim /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:exim_t:s0
Target Context system_u:system_r:exim_t:s0
Target Objects [ netlink_audit_socket ]
Source exim
Source Path /usr/sbin/exim
Port <Unknown>
Host <Unknown>
Source RPM Packages exim-4.80.1-6.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-153.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name kaiman
Platform Linux kaiman 3.13.10-200.fc20.x86_64 #1 SMP Mon
Apr 14 20:34:16 UTC 2014 x86_64 x86_64
Alert Count 11
First Seen 2014-04-30 11:01:38 CEST
Last Seen 2014-04-30 11:04:43 CEST
Local ID 5a7d3bcf-cf86-4d9b-95f5-bce87ac3d913
Raw Audit Messages
type=AVC msg=audit(1398848683.781:483): avc: denied { create } for pid=1100 comm="exim" scontext=system_u:system_r:exim_t:s0 tcontext=system_u:system_r:exim_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1398848683.781:483): arch=x86_64 syscall=socket success=no exit=EACCES a0=10 a1=3 a2=9 a3=4000 items=0 ppid=725 pid=1100 auid=4294967295 uid=93 gid=93 euid=93 suid=93 fsuid=93 egid=93 sgid=93 fsgid=93 ses=4294967295 tty=(none) comm=exim exe=/usr/sbin/exim subj=system_u:system_r:exim_t:s0 key=(null)
Lukas, can you back port exim policy into F20 and into RHEL7 policy.

commit 6001e69df1b45a90f442c1d0c24bf2f3ecd324fa
Author: Lukas Vrabec <lvrabec>
Date: Sun May 4 02:44:27 2014 +0200
Backport exim policy from rawhide to F20
selinux-policy-3.12.1-161.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-161.fc20

Package selinux-policy-3.12.1-161.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-161.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-161.fc20
then log in and leave karma (feedback).

This update fixes the bug, also noted as my feedback (karma) in bodhi.

selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.