Bug 471746

Summary: add pam_sepermit to sshd pam config to block confined users in permissive mode
Product: [Fedora] Fedora Reporter: Dominick Grift <dominick.grift>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 10CC: dwalsh, mgrepl, tmraz
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssh-5.1p1-5.fc11 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-02-12 10:41:22 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Dominick Grift 2008-11-15 11:46:39 EST
Description of problem:
- man page for pam selinux permit is missing
- /etc/security/sepermit.conf, %seuser option does not work
- pam sepermit entry missing in /etc/pam.d/sshd

Version-Release number of selected component (if applicable):
pam-1.0.2-2.fc10.x86_64

Additional info:

- there use to be a man page for pam sepermit now it is gone (man pam_selinux_sepermit) 

http://danwalsh.livejournal.com/13376.html
http://danwalsh.livejournal.com/18865.html

- echo "%seuser guest_u" >> /etc/security/sepermit.conf does not deny access for seuser guest_u when selinux in permissive mode.

- guest_u, like xguest_u are seusers available by default. pam.d/gdm is set up properly for xguest_u by default (has sepermit pam entry plus name space pam entry), however this is not the case for guest_u and pam.d/sshd ( missing sepermit pam entry and namespace pam entry)
Comment 1 Tomas Mraz 2008-11-16 11:23:03 EST
Please do not put multiple bugs into one bug report next time.

The canonical name for the module is now pam_sepermit. The pam_selinux_permit.so is just a symlink for backward compatibility. 'man pam_sepermit' thus gives you the manual page.

You must add %guest_u to sepermit.conf not %seuser guest_u.

sshd is not set by default because the xguest user is not supposed to be allowed in by sshd.
Comment 2 Dominick Grift 2008-11-16 12:11:35 EST
thanks for clarifying point one and two. sorry for the false alarm.

about point 3 though:

xguest_u is not allowed to use sshd, only gdm. true.
however guest_u is not allowed to use gdm, only sshd...
Comment 3 Tomas Mraz 2008-11-18 03:08:33 EST
Ccing dwalsh. Dan, what do you think about guest_u? I do not think we should support passwordless ssh login. But what about adding pam_sepermit to sshd PAM configuration to block guest_u if SELinux is in permissive mode?
Comment 4 Daniel Walsh 2008-11-18 11:43:09 EST
I think adding it is fine and probably a good idea,  blocking guest_u logins with SELinux disabled or permissive is also a good idea.  

I think we need to make sure xguest_u is only available via gdm and not sshd by default, and I am not sure pam_sepermit supports this.

If I install the xguest package I do not want xguest user to be accessable via no password from the internet.
Comment 5 Tomas Mraz 2008-11-18 12:51:18 EST
I would use different pam config entry for sshd that would not allow passwordless logins.
Comment 6 Daniel Walsh 2008-11-18 13:06:06 EST
That is my only concern.

I would like to get to the point where we could experiment with returning random UIDs from a range of uid.  So you could setup a group of guest accounts that people could log into with temporary home and /tmp directories.

Perhaps without a password.
Comment 7 Bug Zapper 2008-11-26 00:27:13 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping