Bug 745208

Summary: 389-ds-base: PAM Pass through authentication fails when selinux mode is in "Enforcing".
Product: Red Hat Enterprise Linux 6 Reporter: Sankar Ramalingam <sramling>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: medium    
Version: 6.1CC: dwalsh, ebenes, mmalik, nkinder, shaines
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-116.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-06 10:19:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sankar Ramalingam 2011-10-11 16:40:24 UTC 
Description of problem: 
           PAM Pass through authentication fails when the selinux mode is in "Enforcing". This issue is observed when 389-ds-base packages installed on a RHEL6.1 machines.

Version-Release number of selected component (if applicable): DS9.0

How reproducible: Consistently.


Steps to Reproduce:
1. Install 389-ds-base package and create a slapd instance using setup-ds.pl script.
2. Configure PAM Pass through plug-in.

/usr/bin/ldapmodify -x -h $HOST -p $PORT -D "cn=Directory Manager" -w $DMGR_PWD << EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamSecure
pamSecure: FALSE
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
EOF
3. Create a local system user as "pamtestuser" using useradd command.
4. Create an LDAP user as "uid=pamtestuser,dc=example,dc=com" using ldapadd.
5. Make sure selinux mode is in "Enforcing"
6. Run an ldapsearch to bind the user - "uid=pamtestuser,dc=example,dc=com".

Actual results:
 
/usr/bin/ldapsearch -x -h $HOST -p $PORT -D "uid=pamtestuser,dc=example,dc=com" -w $USR_PWD -b "uid=pamtestuser,dc=example,dc=com" objectclass=*

ldap_simple_bind: Operations error
ldap_simple_bind: additional info: Unknown PAM error [System error] for user id [pamtestuser], bind DN [uid=pamtestuser,dc=example,dc=com]

Expected results: LDAP search should succeed for the PAM Authentication irrespective of selinux policies.

Additional info: observed the following messages in the audit logs.

type=AVC msg=audit(1318331411.299:6847): avc:  denied  { search } for  pid=15840 comm="ns-slapd" name="dbus" dev=dm-0 ino=655211 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1318331411.299:6847): arch=c000003e syscall=42 success=no exit=-13 a0=1b a1=7f3fb8df30e0 a2=21 a3=0 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331411.300:6848): avc:  denied  { search } for  pid=15840 comm="ns-slapd" name="dbus" dev=dm-0 ino=655211 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1318331411.300:6848): arch=c000003e syscall=42 success=no exit=-13 a0=1b a1=7f3fb8df3120 a2=21 a3=0 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331411.313:6849): avc:  denied  { execute } for  pid=16098 comm="ns-slapd" name="unix_chkpwd" dev=dm-0 ino=534541 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1318331411.313:6849): arch=c000003e syscall=59 success=no exit=-13 a0=7f3fcc09dc98 a1=7f3fb8df33b0 a2=7f3fcc2a4368 a3=7 items=0 ppid=15818 pid=16098 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331411.326:6850): avc:  denied  { execute } for  pid=16099 comm="ns-slapd" name="unix_chkpwd" dev=dm-0 ino=534541 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1318331411.326:6850): arch=c000003e syscall=59 success=no exit=-13 a0=7f3fcc09dc98 a1=7f3fb8df3340 a2=7f3fcc2a4368 a3=7 items=0 ppid=15818 pid=16099 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331413.788:6851): avc:  denied  { create } for  pid=15840 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1318331413.788:6851): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331413.797:6852): avc:  denied  { create } for  pid=15840 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1318331413.797:6852): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7f3fa00000f8 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
Comment 1 Nathan Kinder 2011-10-11 17:36:02 UTC 
This is happening because ns-slapd calls into PAM.  At a minimum, I would guess we need the following policy:

auth_use_pam(dirsrv_t)

Sankar - I would like to get access to your test system so I can build a custom policy module that adds the above rule.  We can then see if it clears up all of the AVCs that you are seeing so we know what the proper fix is.
Comment 2 Nathan Kinder 2011-10-11 19:52:24 UTC 
I tested a custom policy module with only the rule from comment#1, and it seems to take care of all of the AVCs that occur when using the RHDS PAM Pass-through plug-in.  We should get the dirsrv policy updated with this additional rule/macro.
Comment 3 Miroslav Grepl 2011-10-12 18:16:05 UTC 
Fixed in selinux-policy-3.7.19-116.el6
Comment 4 Miroslav Grepl 2011-10-13 08:08:54 UTC 
Could we get QA ack?
Comment 9 Sankar Ramalingam 2011-11-09 15:48:39 UTC 
/usr/lib64/mozldap/ldapsearch -h localhost -D "uid=staticua,ou=People,dc=pamexample,dc=com" -w "dbyers1" -p 39641 -s base -b "uid=staticua,ou=People,dc=pamexample,dc=com" objectclass=* 
version: 1
dn: uid=staticua,ou=People,dc=pamexample,dc=com
cn: Test user
sn: Astaticua
givenName: Fstaticua
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: usera475
uid: staticua
mail: usera
telephoneNumber: +1 408 555 9133
facsimileTelephoneNumber: +1 408 555 8433
roomNumber: 8217
manager: uid=dmiller,ou=People,dc=pamexample,dc=com
[root@weelie ~]# getenforce 
Enforcing


Hence this bug can be marked as verified.
Comment 10 errata-xmlrpc 2011-12-06 10:19:50 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html