| Summary: | AVCs when logging in over ssh | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ruben Kerkhof <ruben> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 14 | CC: | dwalsh, emaldona, jvcelak, mgrepl, nalin, rrelyea, tmraz |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-26 20:45:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 671792 ***

oops wrong bug. Did you set up some special pam module?

Hi Dan,

Just pam_ldap and pam_mkhomedir. I've disabled pam_mkhomedir and tried again, and that's not it. The AVCs are only triggered when I log in with an ldap user, not with a local one. It looks like unix_chkpwd is searching /usr/tmp for something.

I have no idea why unix_chkpwd would be needing sys_nice or setsched. Do the pam guys have any idea?

That must be something in the nss_ldap or other module you use for the LDAP user lookups. What is in your /etc/nsswitch.conf and what module do you use for the user lookups in LDAP?

Here's my /etc/nsswitch.conf:

```
# Managed by puppet
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   ldap
publickey:  nisplus
automount:  files
aliases:    files
```

and this is /etc/nss_ldap.conf:

```
# Managed by puppet
base dc=tilaa,dc=nl
ldap_version 3
port 389
timelimit 10
bind_timelimit 20
pam_login_attribute uid
pam_lookup_policy yes
pam_min_uid 10000
pam_max_uid 20000
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm,polkituser,postfix,apache
uri ldap://ldap.priv.tilaa.nl
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_ciphers TLSv1+RSA:!EXPORT:!NULL:!RC4:!MD5
pam_password exop
nss_base_passwd ou=People,dc=tilaa,dc=nl?one
nss_base_shadow ou=People,dc=tilaa,dc=nl?one
nss_base_group ou=Groups,dc=tilaa,dc=nl?one
```

I suppose you use the nss_ldap module from nss-pam-ldapd - so I would expect the avcs coming from there. I'm ccing nalin who is the owner.

Hi Tomas,

I'm using nss_ldap-265-6.fc14.x86_64, not nss-pam-ldap. The nslcd daemon doesn't read /etc/nss_ldap.conf, so I'd assume the original nss_ldap module is in play here.
Since we build nss_ldap using the shared libldap, and libldap uses NSS now, here's a backtrace from ldapsearch, which is also told to use StartTLS:
```
#0  0x00007ffff604d380 in open64 () from /lib64/libc.so.6
#1  0x00007ffff5fe891f in _IO_new_file_fopen () from /lib64/libc.so.6
#2  0x00007ffff5fdd2c6 in __fopen_internal () from /lib64/libc.so.6
#3  0x00007ffff5b12487 in RNG_FileUpdate (fileName=0x7ffff5b519f7 "/tmp",
    limit=1000000) at unix_rand.c:1006
#4  0x00007ffff5b12689 in RNG_SystemInfoForRNG () at unix_rand.c:935
#5  0x00007ffff5b21e53 in rng_init () at drbg.c:425
#6  0x00007ffff6335dfa in PR_CallOnce (once=0x7ffff5d6ca34,
    func=<value optimized out>)
    at ../../../mozilla/nsprpub/pr/src/misc/prinit.c:803
#7  0x00007ffff5b21ed7 in RNG_RNGInit () at drbg.c:469
#8  0x00007ffff5099c88 in nsc_CommonInitialize (pReserved=0x7fffffff95c0,
    isFIPS=0) at pkcs11.c:2752
#9  0x00007ffff509a107 in NSC_Initialize (pReserved=0x7fffffff95c0)
    at pkcs11.c:2880
#10 0x00007ffff6bbb964 in secmod_ModuleInit (mod=0x6290a0,
    reload=0x7fffffff9710, alreadyLoaded=0x7fffffff965c) at pk11load.c:252
#11 0x00007ffff6bbbfe8 in secmod_LoadPKCS11Module (mod=0x6290a0,
    oldModule=0x7fffffff9710) at pk11load.c:492
#12 0x00007ffff6bc8e65 in SECMOD_LoadModule (
    modulespec=0x628d30 "library= name=\"NSS Internal PKCS #11 Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,noCertDB,noModDB updatedir='' updateCertPrefix='' updateKeyPrefix='' "...,
    parent=0x627d60, recurse=1) at pk11pars.c:1108
#13 0x00007ffff6bc8ff0 in SECMOD_LoadModule (
    modulespec=0x626a40 "name=\"NSS Internal Module\" parameters=\"configdir='' certPrefix='' keyPrefix='' secmod='secmod.db' flags=readOnly,noCertDB,noModDB updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' update"...,
    parent=0x0, recurse=1) at pk11pars.c:1143
#14 0x00007ffff6b97482 in nss_InitModules (isContextInit=1, optimizeSpace=0,
    forceOpen=0, noModDB=1, noCertDB=1, readOnly=1,
    pwRequired=<value optimized out>, configStrings=0x626880 " minPS=0",
    configName=0x7ffff6c7b3c8 "NSS Internal Module",
    updateName=0x7ffff6c7b917 "", updateID=0x7ffff6c7b917 "",
    updKeyPrefix=0x7ffff6c7b917 "",
    updCertPrefix=0x6269c0 "\230i\375\367\377\177", updateDir=0x6269a0 "",
    secmodName=0x7ffff7bd20af "secmod.db", keyPrefix=<value optimized out>,
    certPrefix=<value optimized out>, configdir=0x7ffff7bd2082 "")
    at nssinit.c:461
#15 nss_Init (configdir=0x7ffff7bd2082 "", certPrefix=<value optimized out>,
    keyPrefix=<value optimized out>, secmodName=0x7ffff7bd20af "secmod.db",
    updateDir=0x6269a0 "", updCertPrefix=0x6269c0 "\230i\375\367\377\177",
    updKeyPrefix=0x7ffff6c7b917 "", updateID=0x7ffff6c7b917 "",
    updateName=0x7ffff6c7b917 "", initContextPtr=0x7fffffff9938,
    initParams=0x7fffffff9980, readOnly=1, noCertDB=1, noModDB=1, forceOpen=0,
    noRootInit=1, optimizeSpace=0, noSingleThreadedModules=0,
    allowAlreadyInitializedModules=0, dontFinalizeModules=0) at nssinit.c:620
#16 0x00007ffff6b97d45 in NSS_InitContext (configdir=<value optimized out>,
    certPrefix=<value optimized out>, keyPrefix=<value optimized out>,
    secmodName=<value optimized out>, initParams=<value optimized out>,
    flags=<value optimized out>) at nssinit.c:800
#17 0x00007ffff7bc9274 in tlsm_deferred_init (arg=0x626170)
    at ../../../libraries/libldap/tls_m.c:1573
#18 tlsm_deferred_ctx_init (arg=0x626170)
    at ../../../libraries/libldap/tls_m.c:1935
#19 0x00007ffff6335ef5 in PR_CallOnceWithArg (once=0x6261a8,
    func=<value optimized out>, arg=<value optimized out>)
    at ../../../mozilla/nsprpub/pr/src/misc/prinit.c:832
#20 0x00007ffff7bc6a56 in tlsm_session_new (ctx=0x626170, is_server=0)
    at ../../../libraries/libldap/tls_m.c:2281
#21 0x00007ffff7bc42c4 in alloc_handle (ctx_arg=<value optimized out>,
    is_server=<value optimized out>) at ../../../libraries/libldap/tls2.c:296
#22 0x00007ffff7bc443e in ldap_int_tls_connect (ld=0x6160b0,
    conn=<value optimized out>) at ../../../libraries/libldap/tls2.c:341
#23 0x00007ffff7bc4e4c in ldap_int_tls_start (ld=0x6160b0, conn=0x6162b0,
    srv=<value optimized out>) at ../../../libraries/libldap/tls2.c:833
#24 0x00007ffff7bc51ce in ldap_start_tls_s (ld=0x6160b0, serverctrls=0x0,
    clientctrls=0x0) at ../../../libraries/libldap/tls2.c:939
#25 0x0000000000408849 in tool_conn_setup (dont=<value optimized out>,
    private_setup=0x404a30 <private_conn_setup>)
    at ../../../clients/tools/common.c:1290
#26 0x0000000000406c81 in main (argc=<value optimized out>,
    argv=<value optimized out>) at ../../../clients/tools/ldapsearch.c:900
```
So either LDAP clients all need to be able to read /tmp this way, or it's a bug in OpenLDAP and/or NSS.
Is there any extra information I can provide?

Elio, are the reads of /tmp by nss essential? If not, perhaps these AVCs can be dontaudited?

They seem to be essential as they are part of the PRNG seeding. Looking at http://mxr.mozilla.org/security/source/security/nss/lib/freebl/unix_rand.c#854 shows that /tmp is one of the files that RNG_SystemInfoForRNG reads to gather up system specific information to help seed the state of the global random number generator. RNG_SystemInfoForRNG is called when NSS loads and initializes a cryptographic module.

So does this mean /sbin/unix_chkpwd is going to try to read any file in /tmp?

No, as far as I can tell from the code, it won't read any other files inside /tmp. So it literally wants to read the /tmp directory file.

(Actually I think it is reading /usr/tmp -> /var/tmp.)

Miroslav, can you add

```
files_read_usr_symlinks(chkpwd_t)
files_list_tmp(chkpwd_t)
```

to F13/F14/RHEL6?
Description of problem:

When logging in with ssh to a F-14 box, I get the following AVCs:

```
type=AVC msg=audit(1295537024.808:102): avc: denied { sys_nice } for pid=2955 comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1295537024.808:102): avc: denied { setsched } for pid=2955 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1295537024.808:102): arch=c000003e syscall=144 success=yes exit=0 a0=b8b a1=0 a2=7fff40e41c90 a3=7fff40e419d0 items=0 ppid=2953 pid=2955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1295537024.812:103): avc: denied { read } for pid=2955 comm="unix_chkpwd" name="tmp" dev=vda1 ino=16290 scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1295537024.812:103): arch=c000003e syscall=2 success=yes exit=4 a0=7f0253111a17 a1=0 a2=1b6 a3=0 items=1 ppid=2953 pid=2955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295537024.812:103): cwd="/"
type=PATH msg=audit(1295537024.812:103): item=0 name="/tmp" inode=16290 dev=fc:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=AVC msg=audit(1295537024.813:104): avc: denied { read } for pid=2955 comm="unix_chkpwd" name="tmp" dev=vda1 ino=5383 scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1295537024.813:104): arch=c000003e syscall=4 success=yes exit=0 a0=7f0253111a1c a1=7fff40e3d250 a2=7fff40e3d250 a3=1 items=1 ppid=2953 pid=2955 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295537024.813:104): cwd="/"
type=PATH msg=audit(1295537024.813:104): item=0 name="/usr/tmp" inode=60 dev=fc:01 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
```
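The records above are exactly the input a policy maintainer feeds to audit2allow. As an added example (not code from the bug report or from selinux-policy), the Python below does that translation by hand: it parses each type=AVC record into (source type, target type, class, permissions), collapses them into the allow rules audit2allow would print, and then maps the two file-system denials to the interfaces Dan Walsh asked for in this thread. The mapping table contains only those two entries, so the sys_nice and setsched denials come back as unmatched raw rules, which is where the thread left them. The sample input is constructed by copying the report's records one per line, with one SYSCALL record kept (and trimmed) to show that non-AVC lines are skipped.

```python
"""Turn the AVC records pasted in this bug into SELinux allow rules.

Added example for this page, not code from the bug report or from
selinux-policy.  It mimics what audit2allow does: parse each type=AVC
record, reduce it to (source type, target type, class, perms) and emit one
allow rule per (source, target, class) triple.  It then maps the
file-system denials to the policy interfaces named in the thread.
"""
import re
from collections import defaultdict

# Constructed sample input: the report's AVC records, one per line, plus
# one trimmed SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(1295537024.808:102): avc: denied { sys_nice } for pid=2955 comm="unix_chkpwd" capability=23 scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1295537024.808:102): avc: denied { setsched } for pid=2955 comm="unix_chkpwd" scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1295537024.808:102): arch=c000003e syscall=144 success=yes exit=0 comm="unix_chkpwd" exe="/sbin/unix_chkpwd" subj=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1295537024.812:103): avc: denied { read } for pid=2955 comm="unix_chkpwd" name="tmp" dev=vda1 ino=16290 scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1295537024.813:104): avc: denied { read } for pid=2955 comm="unix_chkpwd" name="tmp" dev=vda1 ino=5383 scontext=unconfined_u:system_r:chkpwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
"""

# One AVC record: the permission set inside { }, then the two contexts and
# the object class.  Anything else on the line (pid, comm, inode) is noise.
AVC_RE = re.compile(
    r"type=AVC\b.*?\bdenied\s*\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """user:role:type[:range] -> type (the only part a TE rule uses)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, CWD and PATH records carry no denial
            continue
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               set(m.group("perms").split()))


def aggregate(text):
    """{(source, target, class): perms}; a denial against the process's own
    context is written as 'self', as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(text):
        rules[(src, "self" if src == tgt else tgt, cls)] |= perms
    return dict(rules)


def format_rule(src, tgt, cls, perms):
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {tgt}:{cls} {body};"


def allow_rules(text):
    """The raw rules audit2allow would print, in a stable order."""
    return [format_rule(*key, perms)
            for key, perms in sorted(aggregate(text).items())]


# The interfaces Dan Walsh asked Miroslav to add for the two file-system
# denials in this bug.  The capability/process denials got no interface in
# the thread, so suggested_interfaces() reports them as unmatched.
THREAD_INTERFACES = {
    ("tmp_t", "dir"): "files_list_tmp",
    ("usr_t", "lnk_file"): "files_read_usr_symlinks",
}


def suggested_interfaces(text):
    """Return (interface calls, raw rules with no entry in the table)."""
    calls, unmatched = [], []
    for (src, tgt, cls), perms in sorted(aggregate(text).items()):
        iface = THREAD_INTERFACES.get((tgt, cls))
        if iface:
            calls.append(f"{iface}({src})")
        else:
            unmatched.append(format_rule(src, tgt, cls, perms))
    return calls, unmatched


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    calls, unmatched = suggested_interfaces(SAMPLE_AVCS)
    print("interfaces to add:", ", ".join(calls))
    print("still unexplained:", "; ".join(unmatched))
```

The raw rules are the diagnostic view; the interface calls are the form that belongs in the policy, because they grant the whole permission set the interface defines rather than the single permission that happened to be logged. The two unmatched rules (sys_nice on self:capability, setsched on self:process) are the part of this report nobody in the thread explained, so they are the ones not to paste into a local module just because audit2allow would print them.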