Bug 234781 - [LSPP] incorrect information in pam_selinux audit record
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
Reported: 2007-04-01 18:55 EDT by Linda Knippers
Modified: 2007-11-30 17:07 EST

Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Last Closed: 2007-11-07 10:40:30 EST
Description Linda Knippers 2007-04-01 18:55:07 EDT
Description of problem:
When login is configured to use pam_selinux and a user attempts to log
in with a level that's not valid for the user, the audit record shows
that the login failed but doesn't give the right context information.

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.18.el5 from Steve's repo

How reproducible:
very

Steps to Reproduce:
1. Configure a system for lspp with login configured to use pam_selinux
2. Attempt to log in with a different context, choosing a level that isn't
allowed
3. Compare the audit record with the information in /var/log/secure (debug)
The selected-context is the same as the default context, rather than what
the user actually selected.
Actual results:
type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: default-context=staff_u:sysadm_r:sysadm_t:s0 selected-context=staff_u:sysadm_r:sysadm_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=pts/1 res=failed)'

Expected results:
In my test case, the selected context should have been s15 instead
of s0.


Additional info:
Here's the information from /var/log/secure that shows the selected
context.

Apr  1 18:22:35 scrod login: pam_selinux(login:session): Username= testuser SELinux User = staff_u Level= s0
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Would you like to enter a different role or level? Y
Apr  1 18:22:35 scrod login: pam_selinux(login:session): role:
Apr  1 18:22:35 scrod login: pam_selinux(login:session): level: SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Selected Security Context staff_u:sysadm_r:sysadm_t:SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Checking if staff_u:sysadm_r:sysadm_t:SystemHigh mls range valid for staff_u:sysadm_r:sysadm_t:SystemLow
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Security context staff_u:sysadm_r:sysadm_t:SystemLow is not allowed for staff_u:sysadm_r:sysadm_t:SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Unable to get valid context for testuser
Apr  1 18:22:35 scrod login: pam_namespace(login:session): open_session - start
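An added example, not part of this bug report or of pam: a small Python checker that parses the USER_ROLE_CHANGE audit record and the pam_selinux "Selected Security Context" line from /var/log/secure (both sample inputs constructed from the values quoted above) and reports when the audit record's selected-context does not match the level the user actually chose. The SystemLow/SystemHigh to s0/s15 mapping is an assumption about the reporter's setrans configuration, taken from the expected-results note.

```python
import re

# Sample input constructed from the records quoted in the bug report above.
AUDIT_RECORD = (
    "type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 "
    "auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: "
    "default-context=staff_u:sysadm_r:sysadm_t:s0 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s0: exe=\"/bin/login\" (hostname=?, "
    "addr=?, terminal=pts/1 res=failed)'"
)
SECURE_LOG = (
    "Apr  1 18:22:35 scrod login: pam_selinux(login:session): Selected Security "
    "Context staff_u:sysadm_r:sysadm_t:SystemHigh\n"
)

# Readable MLS level names come from a per-system setrans mapping; these two
# are assumed for the test box in the report (SystemHigh is s15 there).
LEVEL_ALIASES = {"SystemLow": "s0", "SystemHigh": "s15"}


def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':' (s0-s15:c0.c1023)."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, LEVEL_ALIASES.get(level, level)


def parse_audit_contexts(record):
    """Pull default-context, selected-context and res out of a USER_ROLE_CHANGE record."""
    default = re.search(r"default-context=(\S+)", record)
    selected = re.search(r"selected-context=(\S+?):\s", record)  # context ends before ': exe='
    res = re.search(r"res=(\w+)", record)
    if not (default and selected and res):
        raise ValueError("not a pam_selinux USER_ROLE_CHANGE record")
    return default.group(1), selected.group(1), res.group(1)


def parse_secure_selection(log_text):
    """Return the context pam_selinux logged as 'Selected Security Context'."""
    m = re.search(r"Selected Security Context (\S+)", log_text)
    return m.group(1) if m else None


def check_consistency(record, log_text):
    """Compare the level auditd recorded as selected with the level pam_selinux
    actually computed; a mismatch is exactly the symptom this bug describes."""
    default, audit_sel, res = parse_audit_contexts(record)
    audit_level = split_context(audit_sel)[3]
    secure_level = split_context(parse_secure_selection(log_text))[3]
    return {"res": res, "audit_selected_level": audit_level,
            "secure_selected_level": secure_level,
            "selected_equals_default": audit_sel == default,
            "consistent": audit_level == secure_level}


if __name__ == "__main__":
    print(check_consistency(AUDIT_RECORD, SECURE_LOG))
```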
Comment 1 RHEL Product and Program Management 2007-04-02 03:23:24 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Linda Knippers 2007-04-02 09:21:53 EDT
According to our LSPP evaluator, this bug does not block the evaluation.
It would be nice if it was fixed though.
Comment 3 George C. Wilson 2007-04-02 16:28:27 EDT
Not necessary for LSPP but good to fix.
Comment 5 Tomas Mraz 2007-04-03 12:33:27 EDT
pam-0.99.6.2-19.el5 should improve this.
Comment 6 Linda Knippers 2007-04-03 13:14:11 EDT
I retested with pam-0.99.6.2-19.el5 and it seems to solve the problem.
Thanks.
Comment 10 errata-xmlrpc 2007-11-07 10:40:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0555.html
