Bug 1253619

Summary: pam_timestamp cannot create timestamp file
Product: Red Hat Enterprise Linux 6
Reporter: Dalibor Pospíšil <dapospis>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.6
CC: dapospis, dwalsh, lvrabec, mgrepl, mmalik, pkis, plautrba, pvrabec, ssekidde
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Related bug: 1253632
Last Closed: 2016-01-28 16:56:05 UTC
Type: Bug

Description Dalibor Pospíšil 2015-08-14 09:27:30 UTC
Description of problem:
pam_timestamp uses /var/run/sudo/user/ to store data. If the directory does not exist, it tries to create it, which fails.
----
time->Fri Aug 14 11:11:58 2015
type=SYSCALL msg=audit(1439543518.250:373941): arch=c000003e syscall=83 success=yes exit=0 a0=7ffff4ed9e40 a1=1c0 a2=0 a3=4000 items=0 ppid=30139 pid=30282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37056 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1439543518.250:373941): avc:  denied  { create } for  pid=30282 comm="sshd" name="sudo" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----
time->Fri Aug 14 11:11:58 2015
type=SYSCALL msg=audit(1439543518.252:373942): arch=c000003e syscall=94 success=yes exit=0 a0=7ffff4ed9e40 a1=0 a2=0 a3=4000 items=0 ppid=30139 pid=30282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37056 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1439543518.252:373942): avc:  denied  { setattr } for  pid=30282 comm="sshd" name="sudo" dev=dm-0 ino=134507 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
kernel-2.6.32-556.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. see linked test

Comment 1 Milos Malik 2015-08-14 09:36:23 UTC
Shouldn't it be using /var/db/sudo directory?

Comment 2 Dalibor Pospíšil 2015-08-14 10:56:10 UTC
(In reply to Milos Malik from comment #1)
> Shouldn't it be using /var/db/sudo directory?

According to the man page it should be /var/run/sudo/...; see man pam_timestamp.

Comment 3 Miroslav Grepl 2015-08-28 14:41:38 UTC
We have

type_transition sshd_t var_run_t : dir pam_var_run_t "sudo";

in RHEL-7. Unfortunately we don't have filename transition rules in RHEL-6. We need to find a different way in RHEL-6.
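As an added example (not part of the bug report or of selinux-policy), a Python triage script that parses the two AVC records from the description, groups the denied permissions by source type, target type and object class, and then applies the RHEL-7 type_transition rule quoted above to show which denial concerns a newly created object that the named transition would label pam_var_run_t instead of var_run_t. The rule parsing and matching are my own simplification of how the kernel applies named transitions; the setattr denial is on an already existing directory, which a transition does not relabel.

```python
"""Triage SELinux AVC denials and check which ones a named file transition would relabel."""
import re
from collections import defaultdict

# The two AVC records quoted in the bug description (copied, not constructed).
AUDIT_LOG = """\
type=AVC msg=audit(1439543518.250:373941): avc:  denied  { create } for  pid=30282 comm="sshd" name="sudo" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1439543518.252:373942): avc:  denied  { setattr } for  pid=30282 comm="sshd" name="sudo" dev=dm-0 ino=134507 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
"""
# The RHEL-7 policy rule quoted in comment 3.
TYPE_TRANSITION = 'type_transition sshd_t var_run_t : dir pam_var_run_t "sudo";'

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?(?P<fields>pid=.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TT_RE = re.compile(r'type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)(?:\s+"([^"]*)")?\s*;')

def seltype(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the denial's permissions and labels, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {"perms": set(m.group("perms").split()), "comm": f.get("comm"),
            "name": f.get("name"), "stype": seltype(f["scontext"]),
            "ttype": seltype(f["tcontext"]), "tclass": f["tclass"]}

def summarize(log):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        avc = parse_avc(line)
        if avc:
            grouped[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(grouped)

def transition_target(rule, avc):
    """Label a new object would get under `rule`, or None if it does not apply.
    Only a 'create' denial concerns a new object; its tcontext is the parent
    directory's type because, as on RHEL-6, no transition fired."""
    src, parent, cls, new_type, fname = TT_RE.match(rule).groups()
    if "create" not in avc["perms"] or fname not in (None, avc["name"]):
        return None
    if (avc["stype"], avc["ttype"], avc["tclass"]) != (src, parent, cls):
        return None
    return new_type
```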

Comment 5 RHEL Program Management 2016-01-28 16:56:05 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.

Comment 6 Patrik Kis 2016-01-29 12:18:03 UTC
There is no way to fix it in selinux-policy?

Comment 7 Patrik Kis 2016-04-25 08:56:26 UTC
I think it is fair to answer the question before clearing the needinfo flag.

The reason I was asking is to see if there is any other way to fix this issue other than how it is fixed in RHEL-7. This is clearly a non-functioning solution, and if possible, it should be addressed.

Comment 8 Red Hat Bugzilla 2023-09-14 03:03:41 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.