Description of problem:
The targeted SELinux policy on F8 blocks pam_ssh from working (was fine on F7).

Version-Release number of selected component (if applicable):
pam_ssh-1.92-2.fc8

How reproducible:
Always

Steps to Reproduce:
1. Log in

Actual results:
SSH-agent not running, keys not unlocked. AVC denials in /var/log/audit

Expected results:
SSH-agent running and keys unlocked. No AVC denials.

Additional info:
I've developed a policy module for pam_ssh to give it the required SELinux permissions. See attached.
Created attachment 267751 [details] spec changes for policy module
Created attachment 267761 [details] source for policy module
I sort of understand the spec file patch, but I don't understand the SELinux policy file at all. To avoid losing time verifying your credentials, could you commit it yourself? I can rebuild and go through bodhi myself (now that there is the bodhi command line interface), or you can also do it if you want to, just tell me. Will such a change need to be done in EPEL (EL-5) too?
Sure, no problem. You should be aware I'm no SELinux expert though - this is my first policy module. I 'wrote' it mostly by running audit2allow on the AVC denials in the audit log file. I tried to get some validation from the fedora-selinux-list, but unfortunately no-one responded: https://www.redhat.com/archives/fedora-selinux-list/2007-November/msg00077.html

I'll briefly run through my understanding of what it does just so you know:

allow local_login_t ssh_agent_exec_t:file { read execute execute_no_trans };
- enable read and execute of the ssh-agent binary

allow local_login_t user_home_ssh_t:file { read getattr };
- enable read/stat of users' ssh key files

allow local_login_t var_run_t:dir { write add_name };
- enable writing of /var/run directory and creating a new entry

allow local_login_t var_run_t:file { create read getattr };
- enable writing to and creating a file in /var/run

allow local_login_t local_login_tmp_t:sock_file create;
- enable creating a socket in /tmp (used for communication with ssh-agent)

local_login_t is for console login. Then this is repeated for ssh login and gdm/kdm/xdm login.
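For readers following along, this is what the rules listed above look like once assembled into the shape audit2allow -M produces. It is an added illustration, not the policy module attached to this bug; the module name pam_ssh and version 1.0 are assumed, and only the console-login (local_login_t) rules are shown, not the sshd/xdm repetitions the comment mentions.

```selinux
module pam_ssh 1.0;

# Everything the rules below reference that is defined elsewhere (in the
# base policy) must be declared here.  semodule checks this list against the
# installed base policy when the module is linked: if a listed type does not
# exist there, loading fails with
#   "pam_ssh's global requirements were not met: type/attribute <name>"
# which is exactly the failure reported later in this bug for user_home_ssh_t.
require {
	type local_login_t;
	type ssh_agent_exec_t;
	type user_home_ssh_t;
	type var_run_t;
	type local_login_tmp_t;
	class file { read getattr execute execute_no_trans create };
	class dir { write add_name };
	class sock_file create;
}

# read and execute the ssh-agent binary from the console-login domain
allow local_login_t ssh_agent_exec_t:file { read execute execute_no_trans };

# read/stat the user's ssh key files
allow local_login_t user_home_ssh_t:file { read getattr };

# create a new entry under /var/run and read/stat/create the file itself
allow local_login_t var_run_t:dir { write add_name };
allow local_login_t var_run_t:file { create read getattr };

# create the agent socket in the login domain's tmp type
allow local_login_t local_login_tmp_t:sock_file create;
```

Built with checkmodule -M -m -o pam_ssh.mod pam_ssh.te, then semodule_package -o pam_ssh.pp -m pam_ssh.mod, and loaded with semodule -i pam_ssh.pp. Note that every rule here grants access to the login domain itself (local_login_t), which is the symptom of ssh-agent being started before the SELinux user context is set up; the later comments in this bug explain that the real fix is PAM stack ordering, not these allow rules.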
Committed and tagged pam_ssh-1_92-3_fc8 Built: http://koji.fedoraproject.org/koji/taskinfo?taskID=256232 Committed and tagged pam_ssh-1_92-3_fc9 Built: http://koji.fedoraproject.org/koji/taskinfo?taskID=256244 Regarding EPEL-5, I think that was branched from FC6? Unless RH tightens the policy in RHEL5 it won't be necessary, and I doubt they'll do that. Presumably it will be necessary for RHEL6, but that will be branched from F9/F10?
pam_ssh-1.92-3.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pam_ssh'
*** Bug 381811 has been marked as a duplicate of this bug. ***
No, most of the policy problems above are caused by putting pam_ssh in the wrong place in the pam.d files. "session optional pam_ssh.so" should not be in the system-auth file. It should be in all of the login pam.d files after the pam_selinux.so lines. This will cause ssh-agent to run under the user context and to create the proper files with the proper context. I have updated selinux policy to allow this to work.
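A quick way to audit the ordering described in the comment above. This is an added example, not something from the bug or the pam_ssh package: the function name pam_ssh_order and the exit codes are my own. It looks only at the file it is given (it does not follow "include system-auth"), skips comment lines, and treats the last pam_selinux.so session line as the one pam_ssh.so must come after, since pam_selinux.so normally appears twice ("close" early in the stack, "open" later) and it is the "open" call that sets the user context.

```sh
#!/bin/sh
# pam_ssh_order FILE
#   exit 0 : "session ... pam_ssh.so" comes after the last "session ... pam_selinux.so"
#   exit 1 : pam_ssh.so is before pam_selinux.so, or pam_selinux.so is absent
#   exit 2 : the file has no pam_ssh.so session line at all
#   exit 3 : the file cannot be read
pam_ssh_order() {
    [ -r "$1" ] || return 3
    awk '
        /^[[:space:]]*#/ { next }                       # skip comments
        /^[[:space:]]*$/ { next }                       # skip blank lines
        # Linux-PAM allows the type to be prefixed with "-" (ignore if module missing);
        # the control field may be bracketed with spaces, so match the module on $0.
        $1 ~ /^-?session$/ && /pam_selinux\.so/ { selinux = NR }   # keep the LAST one ("open")
        $1 ~ /^-?session$/ && /pam_ssh\.so/ && !ssh { ssh = NR }   # keep the FIRST one
        END {
            if (!ssh)                      exit 2
            if (!selinux || ssh < selinux) exit 1
            exit 0
        }' "$1"
}

# Report on each service file given on the command line, e.g.
#   sh check_pam_ssh_order.sh /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/gdm
for f in "$@"; do
    rc=0
    pam_ssh_order "$f" || rc=$?
    case $rc in
        0) echo "$f: ok, pam_ssh.so runs after pam_selinux.so" ;;
        1) echo "$f: WRONG ORDER, pam_ssh.so runs before pam_selinux.so (or pam_selinux.so missing)" ;;
        2) echo "$f: pam_ssh.so not used in this file" ;;
        3) echo "$f: cannot read file" ;;
    esac
done
```

Run it against /etc/pam.d/login, /etc/pam.d/sshd and /etc/pam.d/gdm (the three services mentioned later in this bug). If pam_ssh.so is reached only via "include system-auth" the file is reported as "not used", which is itself the configuration the comment above says to avoid.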
If one wants to use "session optional pam_ssh.so" in all the pam stacks, it should be in system-auth, though. Duplicating an entry in many files just renders system-auth useless. Maybe this points out a deficiency in the default pam configuration?
I don't have pam_ssh in system-auth (which would cause it to be used for a bunch of things I don't want my ssh key unlocked with), instead I have a system-auth-ssh which is used instead where appropriate. I take your point about putting pam_ssh after pam_selinux. Unfortunately pam has always been a black art to configure and dangerous when you get it wrong, with these extra requirements it's bordering on impossible. pam_selinux(8) doesn't really clear the confusion up either. I agree with Patrice that the whole point of system-auth is to centralise the config and make it easier to manage. It is also a shame that no-one responded to my fedora-selinux-list post: https://www.redhat.com/archives/fedora-selinux-list/2007-November/msg00077.html as this could have avoided wasting time and saved some confusion.
for comment #8 : > I have updated selinux policy to allow this to work. Does it mean that we can get rid of the recent SELinux addons for pam_ssh? (and add a comment somewhere about properly placing pam_ssh.so after pam_selinux.so). for comment #9 : > If one want to use session optional pam_ssh.so in all the > pam stacks, it should be in system-auth, though. Duplicating > an entry in many files just renders system-auth unuseful. Actually, pam_ssh is useful for some kind of a "shell" service. Personally, I use pam_ssh for "login", "gdm" and "sshd" only, i.e. 3 services in all. I prefer not even to create a "system-auth-ssh"; it is easier to add one line in all 3 files rather than create an additional file (and then add a line in those 3 files anyway). Thus IMHO pam_ssh.so is not suitable for the system-wide common auth pam config, it is mostly for particular services rather than for *all* the services.
(In reply to comment #11) > for comment #8 : > > > If one want to use session optional pam_ssh.so in all the > > pam stacks, it should be in system-auth, though. Duplicating > > an entry in many files just renders system-auth unuseful. > > Actually, pam_ssh is useful for some kind of a "shell" service. Personally, I > use pam_ssh for "login", "gdm" and "sshd" only, i.e. 3 services at all. I prefer > even not to create a "system-auth-ssh", it is more easy to add one line in all 3 > files, rather than create an additional file (and then add a line in those 3 > files anyway). > > Thus IMHO pam_ssh.so is not suitable for the system-wide common auth pam config, > it is mostly for particular services rather than for *all* the services. The current state of pam config seems to be quite a mess in fact. Not all relevant services have selinux and there should certainly be some factoring out of things that are done as user. Not the place here in any case. What is the selinux package having pam_ssh policy in and what version is it?
I get this error when updating in devel:

Updating : selinux-policy-targeted ##################### [ 51/139]
libsepol.print_missing_requirements: pam_ssh's global requirements were not met: type/attribute user_home_ssh_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

It may also be related to Bug 407891
> It may also be related with Bug 407891 Nope, since you do not use triggers, pam_ssh is not touched when you update selinux-policy-targeted. What if you install the previous version of pam_ssh (the one without the SELinux addons) and then try to update selinux-policy-targeted?
I am still waiting for a definitive explanation of what package is needed for pam_ssh to properly function, when somebody has put pam_ssh at the right place (that is after pam_selinux, if I understand well).
Daniel?..
(In reply to comment #14) > > It may also be related with Bug 407891 > > Nope, since you do not use triggers, pam_ssh is not touched when you update > selinux-policy-targeted . > > What if you install the previous version of pam_ssh (yet without SELinux addons) > and try to update selinux-policy-targeted then? I haven't tried, but I have fixed Bug 407891. The error message is there on install:

# rpm -Uvh i386/pam_ssh-1.92-5.fc9.i386.rpm
Preparing...                ########################################### [100%]
   1:pam_ssh                ########################################### [100%]
libsepol.print_missing_requirements: pam_ssh's global requirements were not met: type/attribute user_home_ssh_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

However now, with pam_ssh already installed (or not), there is no pam_ssh related error message when installing selinux-policy-targeted:

# yum install selinux-policy-targeted
...
Installing: selinux-policy-targeted ######################### [1/1]
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: Invalid prefix guest
/usr/sbin/semanage: Invalid prefix xguest
As this has now been fixed directly in the targeted policy we should drop the semodule additions.
I have removed the selinux module stuff, added a Conflicts: selinux-policy-targeted < 3.0.8-55, and built in devel. Does that seem right?
Yes, fine!
pam_ssh-1.92-6.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update pam_ssh'
It would be nice to have people using selinux test this update in testing (the last one, of course, pam_ssh-1.92-6.fc8).
pam_ssh-1.92-6.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.