RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1417908 - PAM-Yubico broken by SELinux
Summary: PAM-Yubico broken by SELinux
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: Unspecified
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-31 12:07 UTC by Fabio Alessandro Locati
Modified: 2023-09-14 03:52 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-28 19:27:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Fabio Alessandro Locati 2017-01-31 12:07:56 UTC 
Description of problem:
It seems like the 'authlogin_yubikey' sebool is not enough to make pam_yubico work properly.

Version-Release number of selected component (if applicable):
libyubikey-1.13-1.el7.x86_64
pam_yubico-2.23-1.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch
libselinux-2.5-6.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install and configure pam_yubico as per https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html
2. Enable the sebool authlogin_yubikey
3. Ensure that SELinux is enforced

Actual results:
Authntication error

Expected results:
Everything should work

Additional info:
1. If I put SELinux in permissive mode (and nothing else differs) it works
2. The following lines get logges in my /var/log/audit/audit.log:

type=AVC msg=audit(1485863541.944:4263609): avc:  denied  { name_connect } for  pid=15945 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1485863541.969:4263610): avc:  denied  { write } for  pid=15945 comm="sshd" name="nssdb" dev="xvda1" ino=8523394 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
Comment 2 Milos Malik 2017-01-31 12:25:43 UTC 
Could you run following command on your machine?

# seinfo --portcon=443

The seinfo tool comes from setools-console package.

Based on the first AVC, the TCP port 443 is labeled openvpn_port_t on your machine. That's strange.

The second AVC needs to be fixed in selinux-policy:

# sesearch -s sshd_t -t cert_t -c dir -A -C -p write

# sesearch -s sshd_t -t cert_t -c dir -D -C -p write

#
Comment 4 Fabio Alessandro Locati 2017-01-31 14:03:12 UTC 
Thanks a lot Milos for the quick reply :).

> # seinfo --portcon=443

	portcon tcp 443 system_u:object_r:openvpn_port_t:s0
	portcon tcp 443 system_u:object_r:http_port_t:s0
	portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
	portcon udp 1-511 system_u:object_r:reserved_port_t:s0

> Based on the first AVC, the TCP port 443 is labeled openvpn_port_t on your
> machine. That's strange.

Actually is not, I've openvpn tcp connection on port 443, and therefore it is tagged to make it work in that way. Would this be a problem? I'm not really sure why it should be trying to bind to port 443.

> The second AVC needs to be fixed in selinux-policy:
> 
> # sesearch -s sshd_t -t cert_t -c dir -A -C -p write
> # sesearch -s sshd_t -t cert_t -c dir -D -C -p write

Both commands return empty
Comment 5 Milos Malik 2017-02-01 09:32:12 UTC 
(In reply to Fabio Alessandro Locati from comment #4)

> Actually is not, I've openvpn tcp connection on port 443, and therefore it
> is tagged to make it work in that way. Would this be a problem?

I just didn't know why the TCP port 443 got such a label.

> I'm not
> really sure why it should be trying to bind to port 443.

Me neither.
Comment 6 Lukas Vrabec 2017-02-01 09:43:30 UTC 
Fabio, 
I would say that you have some issues with labeling. From comment#4, it's looks like you have tcp port 443 labeled as openvpn_port_t which is wrong.
Comment 7 Fabio Alessandro Locati 2017-02-01 10:22:32 UTC 
Thanks.
I've removed the openvpn_port_t tag:

	portcon tcp 443 system_u:object_r:http_port_t:s0
	portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
	portcon udp 1-511 system_u:object_r:reserved_port_t:s0

And now that problem went away.

type=AVC msg=audit(1485943073.033:4411402): avc:  denied  { write } for  pid=5393 comm="sshd" name="nssdb" dev="xvda1" ino=8523394 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir

is still there.


I've created the following policy, which fixes it:

	policy_module(local_pam_yubikey, 1.0)

	gen_require(`
	  type sshd_t;
	  type cert_t;
	')

	allow sshd_t cert_t:dir write;

Thought I'm not very sure _why_ pam_yubikey is trying to write in the nssdb. A caching thing for certificate pinning, maybe?

Cheers,
Fale
Comment 10 Lukas Vrabec 2018-06-25 16:03:53 UTC 
Hi, 

Are you able to reproduce the issue? 

Lukas.
Comment 12 Orion Poplawski 2018-11-15 22:59:53 UTC 
I'm seeing the nssdb SELinux message as well with pam_yubico - though it doesn't appear to be affecting operation any for me.
Comment 13 Orion Poplawski 2018-11-15 23:02:01 UTC 
Just as a side note - I ended up using a proxy configuration going through port 8080.  I needed to allow sshd_t access to http_cache_port_t as well.  I'm not sure how common that will be though.
Comment 14 Zdenek Pytela 2019-02-28 19:27:51 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Comment 15 Red Hat Bugzilla 2023-09-14 03:52:56 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
Note You need to log in before you can comment on or make changes to this bug.