Bug 1196104 - MariaDB auth_pam.so plugin or other auth plugins cannot be loaded on F21/x86_64
Summary: MariaDB auth_pam.so plugin or other auth plugins cannot be loaded on F21/x86_64
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1201413 1202042
Reported: 2015-02-25 10:16 UTC by Zoltan Boszormenyi
Modified: 2015-03-31 21:46 UTC (History)

Fixed In Version: selinux-policy-3.13.1-105.9.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1201413
Environment:
Last Closed: 2015-03-31 21:46:34 UTC
Type: Bug
Embargoed:


Attachments
4th attempt for audit2allow (701 bytes, text/plain)
2015-02-25 10:37 UTC, Zoltan Boszormenyi
selinux policy for mariadb that fixes hhorak's use case (338 bytes, text/plain)
2015-03-12 15:41 UTC, Honza Horak

Description Zoltan Boszormenyi 2015-02-25 10:16:17 UTC
Description of problem:

I wanted to try a PAM-based authentication in MariaDB 10.0.15. For that, /etc/my.cnf.d/server.cnf needs this line:

[mysqld]
plugin-load=auth_pam.so

Then a user must be created as:

create user myuser identified via pam using 'pam-file';

where "pam-file" must be in /etc/pam.d.

I get this error when trying to create the user:

ERROR 1524 (HY000): Plugin 'pam' is not loaded

Indeed, manually trying to load the plugin throws an error (the same error without the SQL error code appears in mariadb.log, too):

MariaDB [(none)]> INSTALL SONAME 'auth_pam';
ERROR 1126 (HY000): Can't open shared library '/usr/lib/mysql/plugin/auth_pam.so' (errno: 2, cannot open shared object file: No such file or directory)

# ls /usr/lib*/mysql/plugin/auth_pam.so
/usr/lib64/mysql/plugin/auth_pam.so

As expected, the plugin is under /usr/lib64/mysql/plugin since the server is 64-bit.

Version-Release number of selected component (if applicable):

mariadb-10.0.15-4.fc21.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Start the MariaDB server
2. Add the necessary plugin to server.cnf or my.cnf
3. Try to create a user authenticated via PAM in mysql

Actual results:

Plugin cannot be loaded

Expected results:

Plugin loaded successfully

Additional info:

Comment 1 Zoltan Boszormenyi 2015-02-25 10:34:13 UTC
After symlinking /usr/lib64/mysql/plugin/auth_pam.so at the currently expected place, the plugin loads.

Apparently, I need to enter an empty password for the mysql SQL terminal to get the PAM authentication activated:

$ mysql -p 
Enter password: 
[mariadb] Password:  <Now enter your own Linux password>
ERROR 1045 (28000): Access denied for user 'zozo'@'localhost' (using password: NO)

This access denied problem comes from SELinux. The following denials are logged for /usr/libexec/mysqld:

SELinux is preventing /usr/libexec/mysqld from execute access on the file /usr/sbin/unix_chkpwd.
SELinux is preventing /usr/libexec/mysqld from create access on the netlink_audit_socket Unknown.
SELinux is preventing /usr/libexec/mysqld from 'read, open' accesses on the file /usr/sbin/unix_chkpwd.
SELinux is preventing /usr/libexec/mysqld from execute_no_trans access on the file /usr/sbin/unix_chkpwd.
SELinux is preventing /usr/libexec/mysqld from connectto access on the unix_stream_socket /run/dbus/system_bus_socket.

Comment 2 Zoltan Boszormenyi 2015-02-25 10:37:25 UTC
Created attachment 995090 [details]
4th attempt for audit2allow

This fixes every SELinux denial against MariaDB trying to authenticate a user via PAM.

Comment 3 Honza Horak 2015-03-12 15:40:12 UTC
(In reply to Zoltan Boszormenyi from comment #0)
> where "pam-file" must be in /etc/pam.d.

What pam modules do you use in that file (what is content of that file)?

> I get this error when trying to create the user:
> 
> ERROR 1524 (HY000): Plugin 'pam' is not loaded
> 
> Indeed, manually trying to load the plugin throws an error (the same error
> without the SQL error code appears in mariadb.log, too):
> 
> MariaDB [(none)]> INSTALL SONAME 'auth_pam';
> ERROR 1126 (HY000): Can't open shared library
> '/usr/lib/mysql/plugin/auth_pam.so' (errno: 2, cannot open shared object
> file: No such file or directory)

This is weird, haven't you changed the plugindir variable by any chance?

> # ls /usr/lib*/mysql/plugin/auth_pam.so
> /usr/lib64/mysql/plugin/auth_pam.so
> 
> As expected, the plugin under /usr/lib64/mysql/plugin since the server is
> 64-bit.

Exactly, I don't have an idea why your daemon looks into /usr/lib, it works fine for me with mariadb-server-10.0.17-1.fc21.x86_64.

(In reply to Zoltan Boszormenyi from comment #1)
> Apparently, I need to enter an empty password for the mysql SQL terminal to
> get the PAM authentication activated:
> 
> $ mysql -p 
> Enter password: 
> [mariadb] Password:  <Now enter your own Linux password>
> ERROR 1045 (28000): Access denied for user 'zozo'@'localhost' (using
> password: NO)

Well, first, you need to realize that the daemon runs as the mysql user and so it is not able to access /etc/shadow. I've managed to get it working by not using /etc/shadow for a testing user.

> This access denied problem comes from SELinux. The following denials are
> logged for /usr/libexec/mysqld:
> 
> SELinux is preventing /usr/libexec/mysqld from execute access on the file
> /usr/sbin/unix_chkpwd.
> SELinux is preventing /usr/libexec/mysqld from create access on the
> netlink_audit_socket Unknown.
> SELinux is preventing /usr/libexec/mysqld from 'read, open' accesses on the
> file /usr/sbin/unix_chkpwd.
> SELinux is preventing /usr/libexec/mysqld from execute_no_trans access on
> the file /usr/sbin/unix_chkpwd.
> SELinux is preventing /usr/libexec/mysqld from connectto access on the
> unix_stream_socket /run/dbus/system_bus_socket.

Well, after I got around the /etc/shadow I also saw selinux issues, but quite different ones (see the policy file attached later).

Comment 4 Honza Horak 2015-03-12 15:41:00 UTC
Created attachment 1001036 [details]
selinux policy for mariadb that fixes hhorak's use case

Comment 5 Honza Horak 2015-03-12 16:16:03 UTC
These are my steps to reproduce:

#> cat >/etc/pam.d/mysql <<EOF
auth            required        pam_unix.so
account         required        pam_unix.so
EOF

#> echo 'testusr:$6$ThDum2kp$Qkwr/72qEalUsqCdM.SsjbJJnnX7OCxHnMgjEhAq4rTmeXwXW0dLWxDcCkoVRS8GyNZgIHtaEReJaUK4hdNMV/:13306:13306::/home/testusr:/bin/bash' >>/etc/passwd

#> systemctl start mariadb

MariaDB [(none)]> install plugin pam soname 'auth_pam.so';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create user testusr@localhost identified via pam;
Query OK, 0 rows affected (0.00 sec)

#> mysql -u testusr
(enter password 'abcdef')

This works with SELinux in permissive mode, but there are the following AVCs (some seen only after 'dontaudit' disabled):
type=AVC msg=audit(1426173718.952:17434): avc:  denied  { create } for  pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17435): avc:  denied  { write } for  pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17436): avc:  denied  { nlmsg_relay } for  pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1426173718.952:17437): avc:  denied  { read } for  pid=5877 comm="mysqld" scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=netlink_audit_socket permissive=1

Comment 6 Zoltan Boszormenyi 2015-03-13 08:35:00 UTC
(In reply to Honza Horak from comment #3)
> (In reply to Zoltan Boszormenyi from comment #0)
> > where "pam-file" must be in /etc/pam.d.
> 
> What pam modules do you use in that file (what is content of that file)?
> 
> > I get this error when trying to create the user:
> > 
> > ERROR 1524 (HY000): Plugin 'pam' is not loaded
> > 
> > Indeed, manually trying to load the plugin throws an error (the same error
> > without the SQL error code appears in mariadb.log, too):
> > 
> > MariaDB [(none)]> INSTALL SONAME 'auth_pam';
> > ERROR 1126 (HY000): Can't open shared library
> > '/usr/lib/mysql/plugin/auth_pam.so' (errno: 2, cannot open shared object
> > file: No such file or directory)
> 
> This is weird, haven't you changed the plugindir variable by any chance?

Not that I know of.

[zozo@localhost etc]$ pwd
/etc
[zozo@localhost etc]$ grep plugin my.cnf
[zozo@localhost etc]$ cd my.cnf.d/
[zozo@localhost my.cnf.d]$ grep plugin *
server.cnf:plugin-load=auth_pam.so

So, only the plugin-load clause is in server.cnf.

> 
> > # ls /usr/lib*/mysql/plugin/auth_pam.so
> > /usr/lib64/mysql/plugin/auth_pam.so
> > 
> > As expected, the plugin under /usr/lib64/mysql/plugin since the server is
> > 64-bit.
> 
> Exactly, I don't have an idea why your daemon looks into /usr/lib, it works
> fine for me with mariadb-server-10.0.17-1.fc21.x86_64.

I'll try to upgrade, I am at mariadb-10.0.15-4.fc21.x86_64

> 
> (In reply to Zoltan Boszormenyi from comment #1)
> > Apparently, I need to enter an empty password for the mysql SQL terminal to
> > get the PAM authentication activated:
> > 
> > $ mysql -p 
> > Enter password: 
> > [mariadb] Password:  <Now enter your own Linux password>
> > ERROR 1045 (28000): Access denied for user 'zozo'@'localhost' (using
> > password: NO)
> 
> Well, first, you need to realize that the daemon runs as the mysql user and so
> it is not able to access /etc/shadow. I've managed to get it working by not
> using /etc/shadow for a testing user.
> 
> > This access denied problem comes from SELinux. The following denials are
> > logged for /usr/libexec/mysqld:
> > 
> > SELinux is preventing /usr/libexec/mysqld from execute access on the file
> > /usr/sbin/unix_chkpwd.
> > SELinux is preventing /usr/libexec/mysqld from create access on the
> > netlink_audit_socket Unknown.
> > SELinux is preventing /usr/libexec/mysqld from 'read, open' accesses on the
> > file /usr/sbin/unix_chkpwd.
> > SELinux is preventing /usr/libexec/mysqld from execute_no_trans access on
> > the file /usr/sbin/unix_chkpwd.
> > SELinux is preventing /usr/libexec/mysqld from connectto access on the
> > unix_stream_socket /run/dbus/system_bus_socket.
> 
> Well, after I got around the /etc/shadow I also saw selinux issues, but
> quite different ones (see the policy file attached later).

Comment 7 Lukas Vrabec 2015-03-23 14:10:45 UTC
commit 23eb37a5c3ca5aa498ea1b7b1131607a2d5185ae
Author: Lukas Vrabec <lvrabec>
Date:   Mon Mar 23 14:52:42 2015 +0100

    Allow mysqld_t to use pam. BZ(1196104)

Comment 8 Fedora Update System 2015-03-23 16:47:57 UTC
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21

Comment 9 Fedora Update System 2015-03-26 21:28:11 UTC
Package selinux-policy-3.13.1-105.9.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2015-03-31 21:46:34 UTC
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
