Bug 1253619 - pam_timestamp cannot create timestamp file [NEEDINFO]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Reported: 2015-08-14 05:27 EDT by Dalibor Pospíšil
Modified: 2016-04-25 04:56 EDT (History)
CC: 9 users
Doc Type: Bug Fix
Clones: 1253632
Last Closed: 2016-01-28 11:56:05 EST
Type: Bug
Flags: pkis: needinfo? (mgrepl)

Attachments: None
Description Dalibor Pospíšil 2015-08-14 05:27:30 EDT
Description of problem:
pam_timestamp uses /var/run/sudo/user/ to store data. If the directory does not exist, it tries to create it, which fails.
----
time->Fri Aug 14 11:11:58 2015
type=SYSCALL msg=audit(1439543518.250:373941): arch=c000003e syscall=83 success=yes exit=0 a0=7ffff4ed9e40 a1=1c0 a2=0 a3=4000 items=0 ppid=30139 pid=30282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37056 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1439543518.250:373941): avc:  denied  { create } for  pid=30282 comm="sshd" name="sudo" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir
----
time->Fri Aug 14 11:11:58 2015
type=SYSCALL msg=audit(1439543518.252:373942): arch=c000003e syscall=94 success=yes exit=0 a0=7ffff4ed9e40 a1=0 a2=0 a3=4000 items=0 ppid=30139 pid=30282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=37056 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1439543518.252:373942): avc:  denied  { setattr } for  pid=30282 comm="sshd" name="sudo" dev=dm-0 ino=134507 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-279.el6.noarch
kernel-2.6.32-556.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. see linked test
Comment 1 Milos Malik 2015-08-14 05:36:23 EDT
Shouldn't it be using /var/db/sudo directory?
Comment 2 Dalibor Pospíšil 2015-08-14 06:56:10 EDT
(In reply to Milos Malik from comment #1)
> Shouldn't it be using /var/db/sudo directory?

According to man page it should be /var/run/sudo/..., see man pam_timestamp
Comment 3 Miroslav Grepl 2015-08-28 10:41:38 EDT
We have

type_transition sshd_t var_run_t : dir pam_var_run_t "sudo";

in RHEL-7. Unfortunately we don't have filename transition rules in RHEL-6. We need to find a different way in RHEL-6.
Comment 5 RHEL Product and Program Management 2016-01-28 11:56:05 EST
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Comment 6 Patrik Kis 2016-01-29 07:18:03 EST
There is no way to fix it in selinux-policy?
Comment 7 Patrik Kis 2016-04-25 04:56:26 EDT
I think it is fair to answer the question before clearing the needinfo flag.

The reason I was asking is to see if there is any other way to fix this issue than the way it is fixed in RHEL-7. This is clearly a non-functioning solution, and if possible, it should be addressed.
