Bug 234781 - [LSPP] incorrect information in pam_selinux audit record
Summary: [LSPP] incorrect information in pam_selinux audit record
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-01 22:55 UTC by Linda Knippers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 15:40:30 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2007:0555
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: pam security, bug fix, and enhancement update
Last Updated: 2007-11-07 16:22:23 UTC

Description Linda Knippers 2007-04-01 22:55:07 UTC
Description of problem:
When login is configured to use pam_selinux and a user attempts to log
in with a level that's not valid for the user, the audit record shows
that the login failed but doesn't give the right context information.

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.18.el5 from Steve's repo

How reproducible:
very

Steps to Reproduce:
1. Configure a system for lspp with login configured to use pam_selinux
2. Attempt to log in with a different context, choosing a level that isn't
allowed
3. Compare the audit record with the information in /var/log/secure (debug)
The selected-context is the same as the default context, rather than what
the user actually selected.

Actual results:
type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0
auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam:
default-context=staff_u:sysadm_r:sysadm_t:s0
selected-context=staff_u:sysadm_r:sysadm_t:s0: exe="/bin/login" (hostname=?,
addr=?, terminal=pts/1 res=failed)'

Expected results:
In my test case, the selected context should have been s15 instead
of s0.


Additional info:
Here's the information from /var/log/secure that shows the selected
context.

Apr  1 18:22:35 scrod login: pam_selinux(login:session): Username= testuser
SELinux User = staff_u Level= s0
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Would you like to enter
a different role or level? Y
Apr  1 18:22:35 scrod login: pam_selinux(login:session): role:
Apr  1 18:22:35 scrod login: pam_selinux(login:session): level: SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Selected Security
Context staff_u:sysadm_r:sysadm_t:SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Checking if
staff_u:sysadm_r:sysadm_t:SystemHigh mls range valid for 
staff_u:sysadm_r:sysadm_t:SystemLow
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Security context
staff_u:sysadm_r:sysadm_t:SystemLow is not allowed for
staff_u:sysadm_r:sysadm_t:SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Unable to get valid
context for testuser
Apr  1 18:22:35 scrod login: pam_namespace(login:session): open_session - start
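Added illustration, not code from the report or from pam: a small parser for the USER_ROLE_CHANGE record quoted above that extracts default-context, selected-context and res, and flags a failed record whose selected-context merely repeats the default, which is the symptom this report describes. The sample records are constructed from the quoted one; the s15 level in the "fixed" record is assumed from the expected result.

```python
import re

# Constructed sample: the failed-login record from the report, re-joined onto
# one line the way auditd writes it.
BUGGY_RECORD = (
    "type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 "
    "auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: "
    "default-context=staff_u:sysadm_r:sysadm_t:s0 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s0: exe=\"/bin/login\" (hostname=?, "
    "addr=?, terminal=pts/1 res=failed)'"
)

# Constructed record of the same event as it should look once pam_selinux
# reports the level the user asked for (s15 assumed, per the expected result).
FIXED_RECORD = BUGGY_RECORD.replace(
    "selected-context=staff_u:sysadm_r:sysadm_t:s0:",
    "selected-context=staff_u:sysadm_r:sysadm_t:s15:",
)

# A context value ends at whitespace, optionally preceded by the stray ':' that
# pam_selinux appends after selected-context; colons inside the value are kept.
CONTEXT_RE = re.compile(r"(default-context|selected-context)=(\S+?)(?::?\s|$)")


def parse_user_role_change(line):
    """Return the fields an auditor needs from a USER_ROLE_CHANGE record, or None."""
    if "type=USER_ROLE_CHANGE" not in line:
        return None
    rec = {}
    m = re.search(r"\bauid=(\d+)", line)
    rec["auid"] = int(m.group(1)) if m else None
    m = re.search(r"\bres=(\w+)", line)
    rec["res"] = m.group(1) if m else None
    for key, value in CONTEXT_RE.findall(line):
        rec[key] = value
    return rec


def mls_level(context):
    """user:role:type:level -> level; the level may itself contain ':' (categories)."""
    return context.split(":", 3)[3]


def lossy_failure(rec):
    """True when a failed change recorded selected-context identical to the
    default: under this bug the record no longer tells the auditor which level
    the user actually selected, so /var/log/secure must be consulted instead."""
    return (rec["res"] == "failed"
            and rec.get("selected-context") == rec.get("default-context"))
```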

Comment 1 RHEL Program Management 2007-04-02 07:23:24 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Linda Knippers 2007-04-02 13:21:53 UTC
According to our LSPP evaluator, this bug does not block the evaluation.
It would be nice if it was fixed though.

Comment 3 George C. Wilson 2007-04-02 20:28:27 UTC
Not necessary for LSPP but good to fix.

Comment 5 Tomas Mraz 2007-04-03 16:33:27 UTC
pam-0.99.6.2-19.el5 should improve this.


Comment 6 Linda Knippers 2007-04-03 17:14:11 UTC
I retested with pam-0.99.6.2-19.el5 and it seems to solve the problem.
Thanks.

Comment 10 errata-xmlrpc 2007-11-07 15:40:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0555.html