Bug 621997

Summary: SELinux empêche l'accès en "search" à /usr/libexec/polkit-1/polkit-agent-helper-1 on /var/lib/a
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 14CC: dwalsh, mgrepl, nicolas.mailhot
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:cf3e0918b101b11ab709611c6c3751e0cd5dfe982eb6c7040e54553b9c3b2ec8
Fixed In Version: selinux-policy-3.8.8-14.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-08-24 01:49:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
/etc/pam.d/system-auth none

Description Nicolas Mailhot 2010-08-06 18:00:35 UTC 
Résumé:

SELinux empêche l'accès en "search" à
/usr/libexec/polkit-1/polkit-agent-helper-1 on /var/lib/a

Description détaillée:

SELinux a refusé l'accès demandé par polkit-agent-he. Il n'est pas prévu que
cet accès soit requis par polkit-agent-he et cet accès peut signaler une
tentative d'intrusion. Il est également possible que cette version ou cette
configuration spécifique de l'application provoque cette demande d'accès
supplémenta

Autoriser l'accès:

Vous pouvez créer un module de stratégie locale pour autoriser cet accès -
lisez la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de
remplir un rapport de bogue.

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c
                              0.c1023
Contexte cible                system_u:object_r:var_auth_t:s0
Objets du contexte            /var/lib/abl [ dir ]
source                        polkit-agent-he
Chemin de la source           /usr/libexec/polkit-1/polkit-agent-helper-1
Port                          <Inconnu>
Hôte                         (supprimé)
Paquetages RPM source         polkit-0.96-1.fc13
Paquetages RPM cible          pam_abl-0.2.3-8.fc12
Politique RPM                 selinux-policy-3.8.8-10.fc14
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (supprimé)
Plateforme                    Linux (supprimé) 2.6.35-2.fc14.x86_64 #1 SMP Wed
                              Aug 4 19:15:25 UTC 2010 x86_64 x86_64
Compteur d'alertes            1
Première alerte              ven. 06 août 2010 19:57:59 CEST
Dernière alerte              ven. 06 août 2010 19:57:59 CEST
ID local                      580f6385-1140-49eb-9a21-e0106686cf99
Numéros des lignes           

Messages d'audit bruts        

node=(supprimé) type=AVC msg=audit(1281117479.56:27): avc:  denied  { search } for  pid=2628 comm="polkit-agent-he" name="abl" dev=dm-1 ino=122447 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir

node=(supprimé) type=SYSCALL msg=audit(1281117479.56:27): arch=c000003e syscall=4 success=no exit=-13 a0=1005f10 a1=7fffd72a1030 a2=7fffd72a1030 a3=180 items=0 ppid=2342 pid=2628 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,polkit-agent-he,policykit_auth_t,var_auth_t,dir,search
audit2allow suggests:

#============= policykit_auth_t ==============
allow policykit_auth_t var_auth_t:dir search;
Comment 1 Daniel Walsh 2010-08-10 15:44:03 UTC 
Did you add pam_abl to /etc/pam.d/system-auth?
Comment 2 Nicolas Mailhot 2010-08-10 15:56:00 UTC 
I did it when I first installed pam_abl on the system years ago. I haven't checked lately if the various system upgrades since have preserved this (but I guess if they hadn't there would be no selinux alert today)
Comment 3 Nicolas Mailhot 2010-08-10 16:46:58 UTC 
Created attachment 437949 [details]
/etc/pam.d/system-auth

Local /etc/pam.d/system-auth with typical pam_abl configuration
Comment 4 Nicolas Mailhot 2010-08-10 16:47:39 UTC 
Summary     : A Pluggable Authentication Module (PAM) for auto blacklisting

Description :
Provides auto blacklisting of hosts and users responsible for repeated
failed authentication attempts. Generally configured so that
blacklisted users still see normal login prompts but are guaranteed to
fail to authenticate. A command line tool allows to query or purge the
databases used by the pam_abl module.
Comment 5 Daniel Walsh 2010-08-11 13:09:47 UTC 
I know what it is, but I am not sure it belongs in that file, since this is read by cron and policykit.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.8.8-12.fc14
Comment 6 Nicolas Mailhot 2010-08-11 16:43:41 UTC 
(In reply to comment #5)
> I know what it is, but I am not sure it belongs in that file, since this is
> read by cron and policykit.

The way I understand it, the main value of pam_abl (as opposed to a protocol-specific wrapper such as deny host) is to protect against any brute-force password cracking attempt at the pam database, regardless of how many layers of software indirections are used before hitting pam. 

But them I am not a professional security expert like you, so I would welcome your thoughts on where pam_abl should better plug.

I realise that the main drawback of this approach is the possibility of DOS. On my system a DOS is preferable to an intrusion.
Comment 7 Daniel Walsh 2010-08-13 16:08:16 UTC 
Ok I guess you are right.  I see it more useful for network facing login programs like sshd, but I guess if you are worried about someone trying to brute force policykit.
Comment 8 Fedora Update System 2010-08-13 20:29:09 UTC 
selinux-policy-3.8.8-14.fc14 has been submitted as an update for Fedora 14.
http://admin.fedoraproject.org/updates/selinux-policy-3.8.8-14.fc14
Comment 9 Nicolas Mailhot 2010-08-18 20:24:59 UTC 
Still there with selinux-policy-3.8.8-16.fc14
Comment 10 Daniel Walsh 2010-08-23 17:24:39 UTC 
Oops your right, I added the access to policykit_t instead of policykit_auth_t.

Fixed in selinux-policy-3.8.8-18.fc14
Comment 11 Fedora Update System 2010-08-24 01:48:30 UTC 
selinux-policy-3.8.8-14.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.