Bug 471746

Summary: add pam_sepermit to sshd pam config to block confined users in permissive mode
Product: [Fedora] Fedora
Reporter: Dominick Grift <dominick.grift>
Component: openssh
Assignee: Tomas Mraz <tmraz>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 10
CC: dwalsh, mgrepl, tmraz
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: openssh-5.1p1-5.fc11
Doc Type: Bug Fix
Last Closed: 2009-02-12 15:41:22 UTC

Description Dominick Grift 2008-11-15 16:46:39 UTC
Description of problem:
- man page for pam selinux permit is missing
- /etc/security/sepermit.conf, %seuser option does not work
- pam sepermit entry missing in /etc/pam.d/sshd

Version-Release number of selected component (if applicable):
pam-1.0.2-2.fc10.x86_64

Additional info:

- there used to be a man page for pam sepermit; now it is gone (man pam_selinux_sepermit)

http://danwalsh.livejournal.com/13376.html
http://danwalsh.livejournal.com/18865.html

- echo "%seuser guest_u" >> /etc/security/sepermit.conf does not deny access for seuser guest_u when SELinux is in permissive mode.

- guest_u, like xguest_u, is an seuser available by default. pam.d/gdm is set up properly for xguest_u by default (has sepermit pam entry plus name space pam entry), however this is not the case for guest_u and pam.d/sshd (missing sepermit pam entry and namespace pam entry)

Comment 1 Tomas Mraz 2008-11-16 16:23:03 UTC
Please do not put multiple bugs into one bug report next time.

The canonical name for the module is now pam_sepermit. The pam_selinux_permit.so is just a symlink for backward compatibility. 'man pam_sepermit' thus gives you the manual page.

You must add %guest_u to sepermit.conf not %seuser guest_u.

sshd is not set by default because the xguest user is not supposed to be allowed in by sshd.

Comment 2 Dominick Grift 2008-11-16 17:11:35 UTC
Thanks for clarifying points one and two. Sorry for the false alarm.

About point 3 though:

xguest_u is not allowed to use sshd, only gdm. True.
However, guest_u is not allowed to use gdm, only sshd...

Comment 3 Tomas Mraz 2008-11-18 08:08:33 UTC
Ccing dwalsh. Dan, what do you think about guest_u? I do not think we should support passwordless ssh login. But what about adding pam_sepermit to sshd PAM configuration to block guest_u if SELinux is in permissive mode?

Comment 4 Daniel Walsh 2008-11-18 16:43:09 UTC
I think adding it is fine and probably a good idea; blocking guest_u logins with SELinux disabled or permissive is also a good idea.

I think we need to make sure xguest_u is only available via gdm and not sshd by default, and I am not sure pam_sepermit supports this.

If I install the xguest package I do not want the xguest user to be accessible via no password from the internet.

Comment 5 Tomas Mraz 2008-11-18 17:51:18 UTC
I would use a different pam config entry for sshd that would not allow passwordless logins.
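
An added example, not part of the bug thread or of any Fedora package: a small Python check for the two points raised in Comment 1 and Comments 3-5, namely that an SELinux user is written `%guest_u` (not `%seuser guest_u`) in sepermit.conf and that the sshd PAM auth stack actually calls pam_sepermit. The file contents, the `auth required` line and all function names are constructed for illustration, and the parsing is a simplified reading of the file formats rather than the module's own parser.

```python
import os

# Constructed sample file contents, not copied from a real system.
SEPERMIT_CONF = """\
# constructed sepermit.conf
%seuser guest_u
%guest_u
xguest:exclusive
"""
PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
"""
# Canonical module name plus the backward-compatibility symlink from Comment 1.
MODULES = {"pam_sepermit.so", "pam_selinux_permit.so"}

def lint_sepermit(text):
    """Return (entries, problems); entries are (kind, name) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split(":", 1)[0]          # drop options such as :exclusive
        if len(name.split()) != 1:            # e.g. the literal "%seuser guest_u"
            problems.append((lineno, f"malformed entry {line!r}; write an SELinux user as %name"))
            continue
        kind = {"%": "seuser", "@": "group"}.get(name[0], "user")
        entries.append((kind, name.lstrip("%@")))
    return entries, problems

def pam_has_sepermit(text, mgmt="auth"):
    """True if a line of the given PAM type loads pam_sepermit."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == mgmt:
            if any(os.path.basename(f) in MODULES for f in fields[2:]):
                return True
    return False

def sshd_gated(conf_text, pam_text, seuser):
    """True if sshd's auth stack calls pam_sepermit and seuser is listed."""
    entries, _ = lint_sepermit(conf_text)
    return pam_has_sepermit(pam_text) and ("seuser", seuser) in entries
```

Run against the real files, `sshd_gated(open("/etc/security/sepermit.conf").read(), open("/etc/pam.d/sshd").read(), "guest_u")` returning False means one of the two conditions discussed in the thread is not met.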

Comment 6 Daniel Walsh 2008-11-18 18:06:06 UTC
That is my only concern.

I would like to get to the point where we could experiment with returning random UIDs from a range of UIDs.  So you could set up a group of guest accounts that people could log into with temporary home and /tmp directories.

Perhaps without a password.

Comment 7 Bug Zapper 2008-11-26 05:27:13 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping