Description of problem:
I wanted to try a PAM-based authentication in MariaDB 10.0.15.
For that, /etc/my.cnf.d/server.cnf needs this line:

[mysqld]
plugin-load=auth_pam.so

Then a user must be created as:

create user myuser identified via pam using 'pam-file';

where "pam-file" must be in /etc/pam.d.

I get this error when trying to create the user:

ERROR 1524 (HY000): Plugin 'pam' is not loaded

Indeed, manually trying to load the plugin throws an error (the same error
without the SQL error code appears in mariadb.log, too):

MariaDB [(none)]> INSTALL SONAME 'auth_pam';
ERROR 1126 (HY000): Can't open shared library '/usr/lib/mysql/plugin/auth_pam.so' (errno: 2, cannot open shared object file: No such file or directory)

# ls /usr/lib*/mysql/plugin/auth_pam.so
/usr/lib64/mysql/plugin/auth_pam.so

As expected, the plugin is under /usr/lib64/mysql/plugin since the server is
64-bit.

Version-Release number of selected component (if applicable):
mariadb-10.0.15-4.fc21.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Start the MariaDB server
2. Add the necessary plugin to server.cnf or my.cnf
3. Try to create a user authenticated via PAM in mysql

Actual results:
Plugin cannot be loaded

Expected results:
Plugin loaded successfully

Additional info:
After symlinking /usr/lib64/mysql/plugin/auth_pam.so at the currently expected
place, the plugin loads.

Apparently, I need to enter an empty password for the mysql SQL terminal to
get the PAM authentication activated:

$ mysql -p
Enter password: 
[mariadb] Password: <Now enter your own Linux password>
ERROR 1045 (28000): Access denied for user 'zozo'@'localhost' (using password: NO)

This access denied problem comes from SELinux. The following denials are
logged for /usr/libexec/mysqld:

SELinux is preventing /usr/libexec/mysqld from execute access on the file /usr/sbin/unix_chkpwd.
SELinux is preventing /usr/libexec/mysqld from create access on the netlink_audit_socket Unknown.
SELinux is preventing /usr/libexec/mysqld from 'read, open' accesses on the file /usr/sbin/unix_chkpwd.
SELinux is preventing /usr/libexec/mysqld from execute_no_trans access on the file /usr/sbin/unix_chkpwd.
SELinux is preventing /usr/libexec/mysqld from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.
Created attachment 995090
4th attempt for audit2allow

This fixes every SELinux denial against MariaDB trying to authenticate a user
via PAM.
(In reply to Zoltan Boszormenyi from comment #0)
> where "pam-file" must be in /etc/pam.d.

What pam modules do you use in that file (what is the content of that file)?

> I get this error when trying to create the user:
> 
> ERROR 1524 (HY000): Plugin 'pam' is not loaded
> 
> Indeed, manually trying to load the plugin throws an error (the same error
> without the SQL error code appears in mariadb.log, too):
> 
> MariaDB [(none)]> INSTALL SONAME 'auth_pam';
> ERROR 1126 (HY000): Can't open shared library
> '/usr/lib/mysql/plugin/auth_pam.so' (errno: 2, cannot open shared object
> file: No such file or directory)

This is weird, haven't you changed the plugindir variable by any chance?

> # ls /usr/lib*/mysql/plugin/auth_pam.so
> /usr/lib64/mysql/plugin/auth_pam.so
> 
> As expected, the plugin is under /usr/lib64/mysql/plugin since the server is
> 64-bit.

Exactly, I don't have an idea why your daemon looks into /usr/lib; it works
fine for me with mariadb-server-10.0.17-1.fc21.x86_64.

(In reply to Zoltan Boszormenyi from comment #1)
> Apparently, I need to enter an empty password for the mysql SQL terminal to
> get the PAM authentication activated:
> 
> $ mysql -p
> Enter password: 
> [mariadb] Password: <Now enter your own Linux password>
> ERROR 1045 (28000): Access denied for user 'zozo'@'localhost' (using
> password: NO)

Well, first, you need to realize that the daemon runs as the mysql user and so
it is not able to access /etc/shadow. I've managed to get it working by not
using /etc/shadow for a testing user.

> This access denied problem comes from SELinux. The following denials are
> logged for /usr/libexec/mysqld:
> 
> SELinux is preventing /usr/libexec/mysqld from execute access on the file
> /usr/sbin/unix_chkpwd.
> SELinux is preventing /usr/libexec/mysqld from create access on the
> netlink_audit_socket Unknown.
> SELinux is preventing /usr/libexec/mysqld from 'read, open' accesses on the
> file /usr/sbin/unix_chkpwd.
> SELinux is preventing /usr/libexec/mysqld from execute_no_trans access on
> the file /usr/sbin/unix_chkpwd.
> SELinux is preventing /usr/libexec/mysqld from connectto access on the
> unix_stream_socket /run/dbus/system_bus_socket.

Well, after I got around the /etc/shadow issue I also saw SELinux issues, but
quite different ones (see the policy file attached later).
Created attachment 1001036
selinux policy for mariadb that fixes hhorak's use case
These are my steps to reproduce:

#> cat >/etc/pam.d/mysql <<EOF
auth required pam_unix.so
account required pam_unix.so
EOF
#> echo 'testusr:$6$ThDum2kp$Qkwr/72qEalUsqCdM.SsjbJJnnX7OCxHnMgjEhAq4rTmeXwXW0dLWxDcCkoVRS8GyNZgIHtaEReJaUK4hdNMV/:13306:13306::/home/testusr:/bin/bash' >>/etc/passwd
#> systemctl start mariadb

MariaDB [(none)]> install plugin pam soname 'auth_pam.so';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create user testusr@localhost identified via pam;
Query OK, 0 rows affected (0.00 sec)

#> mysql -u testusr
(enter password 'abcdef')

This works with SELinux in permissive mode, but there are the following AVCs
(some seen only after 'dontaudit' disabled):

type=AVC msg=audit(1426173718.952:17434): avc: denied { create } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17435): avc: denied { write } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17436): avc: denied { nlmsg_relay } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17437): avc: denied { read } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
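The attachments in this bug are audit2allow output built from AVC records like the four above. As an added example (not part of the bug report, not the attached policy, and not the audit2allow tool itself), the script below does the core of that job: it parses audit.log AVC records, unions the denied permissions per (source type, target type, object class), collapses same-type pairs to `self`, and renders a loadable .te module in the shape `audit2allow -M` produces. The sample input embeds the four netlink_audit_socket records from the comment above; the fifth record, a file/execute denial for /usr/sbin/unix_chkpwd with target type chkpwd_exec_t (the stock label of that binary), is constructed to exercise the non-self case and is not from the page.

```python
"""Minimal AVC-to-allow-rule generator (an added example, not audit2allow)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample input: the four netlink_audit_socket records from the
# comment above, one constructed file/execute record for unix_chkpwd (not from
# the page; chkpwd_exec_t is the stock label of /usr/sbin/unix_chkpwd), and a
# SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AVCS = """\
type=AVC msg=audit(1426173718.952:17434): avc: denied { create } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17435): avc: denied { write } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17436): avc: denied { nlmsg_relay } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17437): avc: denied { read } for pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173719.001:17438): avc:  denied  { execute } for  pid=5877 comm="mysqld" name="unix_chkpwd" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1426173718.952:17434): arch=c000003e syscall=41 success=yes exit=6
"""

# Tolerates the single or double spacing auditd uses around "denied".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """Return the type field of a context written as user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avcs(text: str) -> list[dict]:
    """Extract source type, target type, class and permissions from AVC records."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL, PATH and other record types carry no denial
            continue
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def build_rules(denials: list[dict]) -> list[str]:
    """Union permissions per (source, target, class) and emit one allow rule each."""
    grouped: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for d in denials:
        grouped[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if src == tgt else tgt  # same type on both sides -> self
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def render_module(name: str, denials: list[dict]) -> str:
    """Render a .te module with the require block audit2allow -M would write."""
    rules = build_rules(denials)
    types = sorted({d["source"] for d in denials} | {d["target"] for d in denials})
    classes: dict[str, set[str]] = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("mariadb_pam_local", parse_avcs(SAMPLE_AVCS)))
```

Running it prints a module containing `allow mysqld_t self:netlink_audit_socket { create nlmsg_relay read write };` and `allow mysqld_t chkpwd_exec_t:file { execute };`. Writing that to mariadb_pam_local.te and compiling with `checkmodule -M -m -o mariadb_pam_local.mod mariadb_pam_local.te`, `semodule_package -o mariadb_pam_local.pp -m mariadb_pam_local.mod` and `semodule -i mariadb_pam_local.pp` is the same path `audit2allow -M` automates. Because the generator grants exactly the union of what was denied, the output is worth reading before loading: the netlink_audit_socket permissions, for instance, exist so pam_unix can emit audit records, and a local module like this is a stopgap until the distribution policy carries the rule, which is how this bug was eventually closed.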
(In reply to Honza Horak from comment #3)
> (In reply to Zoltan Boszormenyi from comment #0)
> > where "pam-file" must be in /etc/pam.d.
> 
> What pam modules do you use in that file (what is the content of that file)?
> 
> > I get this error when trying to create the user:
> > 
> > ERROR 1524 (HY000): Plugin 'pam' is not loaded
> > 
> > Indeed, manually trying to load the plugin throws an error (the same error
> > without the SQL error code appears in mariadb.log, too):
> > 
> > MariaDB [(none)]> INSTALL SONAME 'auth_pam';
> > ERROR 1126 (HY000): Can't open shared library
> > '/usr/lib/mysql/plugin/auth_pam.so' (errno: 2, cannot open shared object
> > file: No such file or directory)
> 
> This is weird, haven't you changed the plugindir variable by any chance?

Not that I know of.

[zozo@localhost etc]$ pwd
/etc
[zozo@localhost etc]$ grep plugin my.cnf
[zozo@localhost etc]$ cd my.cnf.d/
[zozo@localhost my.cnf.d]$ grep plugin *
server.cnf:plugin-load=auth_pam.so

So, only the plugin-load clause is in server.cnf.

> > # ls /usr/lib*/mysql/plugin/auth_pam.so
> > /usr/lib64/mysql/plugin/auth_pam.so
> > 
> > As expected, the plugin is under /usr/lib64/mysql/plugin since the server is
> > 64-bit.
> 
> Exactly, I don't have an idea why your daemon looks into /usr/lib; it works
> fine for me with mariadb-server-10.0.17-1.fc21.x86_64.

I'll try to upgrade, I am at mariadb-10.0.15-4.fc21.x86_64

> (In reply to Zoltan Boszormenyi from comment #1)
> > Apparently, I need to enter an empty password for the mysql SQL terminal to
> > get the PAM authentication activated:
> > 
> > $ mysql -p
> > Enter password: 
> > [mariadb] Password: <Now enter your own Linux password>
> > ERROR 1045 (28000): Access denied for user 'zozo'@'localhost' (using
> > password: NO)
> 
> Well, first, you need to realize that the daemon runs as the mysql user and so
> it is not able to access /etc/shadow. I've managed to get it working by not
> using /etc/shadow for a testing user.
> 
> > This access denied problem comes from SELinux. The following denials are
> > logged for /usr/libexec/mysqld:
> > 
> > SELinux is preventing /usr/libexec/mysqld from execute access on the file
> > /usr/sbin/unix_chkpwd.
> > SELinux is preventing /usr/libexec/mysqld from create access on the
> > netlink_audit_socket Unknown.
> > SELinux is preventing /usr/libexec/mysqld from 'read, open' accesses on the
> > file /usr/sbin/unix_chkpwd.
> > SELinux is preventing /usr/libexec/mysqld from execute_no_trans access on
> > the file /usr/sbin/unix_chkpwd.
> > SELinux is preventing /usr/libexec/mysqld from connectto access on the
> > unix_stream_socket /run/dbus/system_bus_socket.
> 
> Well, after I got around the /etc/shadow issue I also saw SELinux issues, but
> quite different ones (see the policy file attached later).
commit 23eb37a5c3ca5aa498ea1b7b1131607a2d5185ae
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 23 14:52:42 2015 +0100

    Allow mysqld_t to use pam.
    BZ(1196104)
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21
Package selinux-policy-3.13.1-105.9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.