Bug 1417908 - PAM-Yubico broken by SELinux [NEEDINFO]
Summary: PAM-Yubico broken by SELinux
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: Unspecified
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-31 12:07 UTC by Fabio Alessandro Locati
Modified: 2019-02-28 19:27 UTC (History)
9 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-02-28 19:27:51 UTC
lvrabec: needinfo? (fale)

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Fabio Alessandro Locati 2017-01-31 12:07:56 UTC 
Description of problem:
It seems like the 'authlogin_yubikey' sebool is not enough to make pam_yubico work properly.

Version-Release number of selected component (if applicable):
libyubikey-1.13-1.el7.x86_64
pam_yubico-2.23-1.el7.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch
libselinux-2.5-6.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install and configure pam_yubico as per https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html
2. Enable the sebool authlogin_yubikey
3. Ensure that SELinux is enforced

Actual results:
Authntication error

Expected results:
Everything should work

Additional info:
1. If I put SELinux in permissive mode (and nothing else differs) it works
2. The following lines get logges in my /var/log/audit/audit.log:

type=AVC msg=audit(1485863541.944:4263609): avc:  denied  { name_connect } for  pid=15945 comm="sshd" dest=443 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1485863541.969:4263610): avc:  denied  { write } for  pid=15945 comm="sshd" name="nssdb" dev="xvda1" ino=8523394 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir
Comment 2 Milos Malik 2017-01-31 12:25:43 UTC 
Could you run following command on your machine?

# seinfo --portcon=443

The seinfo tool comes from setools-console package.

Based on the first AVC, the TCP port 443 is labeled openvpn_port_t on your machine. That's strange.

The second AVC needs to be fixed in selinux-policy:

# sesearch -s sshd_t -t cert_t -c dir -A -C -p write

# sesearch -s sshd_t -t cert_t -c dir -D -C -p write

#
Comment 4 Fabio Alessandro Locati 2017-01-31 14:03:12 UTC 
Thanks a lot Milos for the quick reply :).

> # seinfo --portcon=443

	portcon tcp 443 system_u:object_r:openvpn_port_t:s0
	portcon tcp 443 system_u:object_r:http_port_t:s0
	portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
	portcon udp 1-511 system_u:object_r:reserved_port_t:s0

> Based on the first AVC, the TCP port 443 is labeled openvpn_port_t on your
> machine. That's strange.

Actually is not, I've openvpn tcp connection on port 443, and therefore it is tagged to make it work in that way. Would this be a problem? I'm not really sure why it should be trying to bind to port 443.

> The second AVC needs to be fixed in selinux-policy:
> 
> # sesearch -s sshd_t -t cert_t -c dir -A -C -p write
> # sesearch -s sshd_t -t cert_t -c dir -D -C -p write

Both commands return empty
Comment 5 Milos Malik 2017-02-01 09:32:12 UTC 
(In reply to Fabio Alessandro Locati from comment #4)

> Actually is not, I've openvpn tcp connection on port 443, and therefore it
> is tagged to make it work in that way. Would this be a problem?

I just didn't know why the TCP port 443 got such a label.

> I'm not
> really sure why it should be trying to bind to port 443.

Me neither.
Comment 6 Lukas Vrabec 2017-02-01 09:43:30 UTC 
Fabio, 
I would say that you have some issues with labeling. From comment#4, it's looks like you have tcp port 443 labeled as openvpn_port_t which is wrong.
Comment 7 Fabio Alessandro Locati 2017-02-01 10:22:32 UTC 
Thanks.
I've removed the openvpn_port_t tag:

	portcon tcp 443 system_u:object_r:http_port_t:s0
	portcon tcp 1-511 system_u:object_r:reserved_port_t:s0
	portcon udp 1-511 system_u:object_r:reserved_port_t:s0

And now that problem went away.

type=AVC msg=audit(1485943073.033:4411402): avc:  denied  { write } for  pid=5393 comm="sshd" name="nssdb" dev="xvda1" ino=8523394 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir

is still there.


I've created the following policy, which fixes it:

	policy_module(local_pam_yubikey, 1.0)

	gen_require(`
	  type sshd_t;
	  type cert_t;
	')

	allow sshd_t cert_t:dir write;

Thought I'm not very sure _why_ pam_yubikey is trying to write in the nssdb. A caching thing for certificate pinning, maybe?

Cheers,
Fale
Comment 10 Lukas Vrabec 2018-06-25 16:03:53 UTC 
Hi, 

Are you able to reproduce the issue? 

Lukas.
Comment 12 Orion Poplawski 2018-11-15 22:59:53 UTC 
I'm seeing the nssdb SELinux message as well with pam_yubico - though it doesn't appear to be affecting operation any for me.
Comment 13 Orion Poplawski 2018-11-15 23:02:01 UTC 
Just as a side note - I ended up using a proxy configuration going through port 8080.  I needed to allow sshd_t access to http_cache_port_t as well.  I'm not sure how common that will be though.
Comment 14 Zdenek Pytela 2019-02-28 19:27:51 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
Note You need to log in before you can comment on or make changes to this bug.