Bug 397131 - SELinux blocks pam_ssh
Summary: SELinux blocks pam_ssh
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_ssh
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Patrice Dumas
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 381811
Depends On:
Blocks:
 
Reported: 2007-11-23 17:58 UTC by Martin Ebourne
Modified: 2008-01-08 21:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-01-08 21:21:44 UTC
Type: ---
Embargoed:


Attachments
spec changes for policy module (1.91 KB, patch)
2007-11-23 17:58 UTC, Martin Ebourne
source for policy module (1.15 KB, text/plain)
2007-11-23 18:00 UTC, Martin Ebourne

Description Martin Ebourne 2007-11-23 17:58:14 UTC
Description of problem:
The targeted SELinux policy on F8 blocks pam_ssh from working (was fine on F7).

Version-Release number of selected component (if applicable):
pam_ssh-1.92-2.fc8

How reproducible:
Always

Steps to Reproduce:
1. Log in

Actual results:
SSH-agent not running, keys not unlocked. AVC denials in /var/log/audit

Expected results:
SSH-agent running and keys unlocked. No AVC denials.

Additional info:
I've developed a policy module for pam_ssh to give it the required SELinux
permissions. See attached.

Comment 1 Martin Ebourne 2007-11-23 17:58:14 UTC
Created attachment 267751 [details]
spec changes for policy module

Comment 2 Martin Ebourne 2007-11-23 18:00:30 UTC
Created attachment 267761 [details]
source for policy module

Comment 3 Patrice Dumas 2007-11-23 18:47:36 UTC
I sort of understand the spec file patch, but I don't understand at all
the selinux policy file. To avoid me losing time in verifying your 
credentials could it be possible for you to commit?

I can rebuild and go through bodhi myself (now that there is the bodhi 
command line interface), or you can also do it if want to, just tell
me.

Will such change need to be done in EPEL (EL-5) too?

Comment 4 Martin Ebourne 2007-11-23 23:57:21 UTC
Sure, no problem. You should be aware I'm no selinux expert though - this is my
first policy module. I 'wrote' it mostly by running audit2allow on the AVC
denials in the audit log file.

I tried to get some validation from the fedora-selinux-list, but unfortunately
no-one responded:
https://www.redhat.com/archives/fedora-selinux-list/2007-November/msg00077.html

I'll briefly run through my understanding of what it does just so you know:

allow local_login_t ssh_agent_exec_t:file { read execute execute_no_trans };
- enable read and execute of the ssh-agent binary

allow local_login_t user_home_ssh_t:file { read getattr };
- enable read/stat of users' ssh key files

allow local_login_t var_run_t:dir { write add_name };
- enable writing of /var/run directory and creating a new entry

allow local_login_t var_run_t:file { create read getattr };
- enable writing to and creating a file in /var/run

allow local_login_t local_login_tmp_t:sock_file create;
- enable creating a socket in /tmp (used for communication with ssh-agent)

local_login_t is for console login. Then this is repeated for ssh login and
gdm/kdm/xdm login.

Comment 5 Martin Ebourne 2007-11-24 00:05:43 UTC
Committed and tagged pam_ssh-1_92-3_fc8
Built: http://koji.fedoraproject.org/koji/taskinfo?taskID=256232

Committed and tagged pam_ssh-1_92-3_fc9
Built: http://koji.fedoraproject.org/koji/taskinfo?taskID=256244

Regarding EPEL-5, I think that was branched from FC6? Unless RH tighten the
policy in RHEL5 it won't be necessary, and I doubt they'll do that. Presumably
will be necessary for RHEL6 but that will be branched from F9/F10?

Comment 6 Fedora Update System 2007-11-26 18:38:58 UTC
pam_ssh-1.92-3.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pam_ssh'

Comment 7 Patrice Dumas 2007-11-26 19:08:41 UTC
*** Bug 381811 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Walsh 2007-11-27 03:27:59 UTC
No, most of the policy problems above are caused by putting pam_ssh in the wrong
place in the pam.d files.

session optional pam_ssh.so 

should not be in the system-auth file.  It should be in all of the login pam.d
files after the pam_selinux.so files.

This will cause ssh-agent to run under the user context and to create the
proper files with the proper context.  I have updated selinux policy to allow
this to work.
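As an added check (not part of the bug report or the pam_ssh package), a POSIX shell function that flags the misplacement Daniel describes above: a pam.d service file whose session pam_ssh.so line runs before pam_selinux.so. The sample login stacks it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or the pam_ssh package: flag a pam.d
# service file whose "session ... pam_ssh.so" line runs before pam_selinux.so,
# the misplacement described in comment 8. Exit status: 0 = pam_ssh.so comes
# after the last pam_selinux.so session line, 1 = it comes before it,
# 2 = no pam_ssh.so session line, 3 = no pam_selinux.so session line.
check_pam_ssh_order() {
    pamfile="$1"
    # grep -n -v drops comment lines but keeps original line numbers; take the
    # last pam_selinux.so session entry and the first pam_ssh.so session entry.
    selinux_line=$(grep -n -v '^[[:space:]]*#' "$pamfile" \
        | grep 'session.*pam_selinux\.so' | tail -n 1 | cut -d: -f1)
    ssh_line=$(grep -n -v '^[[:space:]]*#' "$pamfile" \
        | grep 'session.*pam_ssh\.so' | head -n 1 | cut -d: -f1)
    [ -n "$ssh_line" ] || return 2
    [ -n "$selinux_line" ] || return 3
    [ "$ssh_line" -gt "$selinux_line" ] && return 0
    echo "$pamfile: pam_ssh.so (line $ssh_line) runs before pam_selinux.so (line $selinux_line)" >&2
    return 1
}

# Constructed sample stacks, written into directory $1: a login file with
# pam_ssh.so misplaced, and the same file with it moved after pam_selinux.so open.
write_samples() {
    cat > "$1/login.bad" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
session    optional     pam_ssh.so
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open
session    include      system-auth
EOF
    cat > "$1/login.good" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open
session    optional     pam_ssh.so
session    include      system-auth
EOF
}
# Stand-alone use: sh check_pam_ssh.sh /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/gdm
for f in "$@"; do
    check_pam_ssh_order "$f" && echo "$f: ok" || echo "$f: status $?"
done
```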

Comment 9 Patrice Dumas 2007-11-27 08:50:31 UTC
If one wants to use session optional pam_ssh.so in all the
pam stacks, it should be in system-auth, though. Duplicating
an entry in many files just renders system-auth useless.
Maybe this points out a deficiency in the default pam 
configuration?

Comment 10 Martin Ebourne 2007-11-27 10:16:06 UTC
I don't have pam_ssh in system-auth (which would cause it to be used for a bunch
of things I don't want my ssh key unlocked with), instead I have a
system-auth-ssh which is used instead where appropriate.

I take your point about putting pam_ssh after pam_selinux. Unfortunately pam has
always been a black art to configure and dangerous when you get it wrong, with
these extra requirements it's bordering on impossible. pam_selinux(8) doesn't
really clear the confusion up either.

I agree with Patrice that the whole point of system-auth is to centralise the
config and make it easier to manage.

It is also a shame that no-one responded to my fedora-selinux-list post:
https://www.redhat.com/archives/fedora-selinux-list/2007-November/msg00077.html
as this could have avoided wasting time and saved some confusion.

Comment 11 Dmitry Butskoy 2007-11-27 13:00:00 UTC
for comment #8 :

> I have updated selinux policy to allow this to work.

Does it mean that we can get rid of the recent SELinux addons for pam_ssh?

(and add a comment somewhere about the proper placement of pam_ssh.so after
pam_selinux.so).


for comment #9 :

> If one wants to use session optional pam_ssh.so in all the
> pam stacks, it should be in system-auth, though. Duplicating
> an entry in many files just renders system-auth useless.

Actually, pam_ssh is useful for some kind of a "shell" service. Personally, I
use pam_ssh for "login", "gdm" and "sshd" only, i.e. 3 services in all. I prefer
even not to create a "system-auth-ssh"; it is easier to add one line in all 3
files, rather than create an additional file (and then add a line in those 3
files anyway).

Thus IMHO pam_ssh.so is not suitable for the system-wide common auth pam config,
it is mostly for particular services rather than for *all* the services.

Comment 12 Patrice Dumas 2007-12-05 09:55:20 UTC
(In reply to comment #11)
> for comment #8 :
> 
> > If one wants to use session optional pam_ssh.so in all the
> > pam stacks, it should be in system-auth, though. Duplicating
> > an entry in many files just renders system-auth useless.
> 
> Actually, pam_ssh is useful for some kind of a "shell" service. Personally, I
> use pam_ssh for "login", "gdm" and "sshd" only, i.e. 3 services in all. I prefer
> even not to create a "system-auth-ssh"; it is easier to add one line in all 3
> files, rather than create an additional file (and then add a line in those 3
> files anyway).
> 
> Thus IMHO pam_ssh.so is not suitable for the system-wide common auth pam config,
> it is mostly for particular services rather than for *all* the services.

The current state of pam config seems to be quite a mess in fact.
Not all relevant services have selinux and there should certainly be
some factoring out of things that are done as user. Not the place here
in any case.

What is the selinux package having pam_ssh policy in and what version 
is it?

Comment 13 Patrice Dumas 2007-12-05 10:19:42 UTC
I get that error when updating in devel:

  Updating  : selinux-policy-targeted      ##################### [ 51/139]
libsepol.print_missing_requirements: pam_ssh's global requirements were not met:
type/attribute user_home_ssh_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

It may also be related with Bug 407891


Comment 14 Dmitry Butskoy 2007-12-06 13:24:46 UTC
> It may also be related with Bug 407891

Nope, since you do not use triggers, pam_ssh is not touched when you update
selinux-policy-targeted.

What if you install the previous version of pam_ssh (yet without SELinux addons)
and try to update selinux-policy-targeted then?

Comment 15 Patrice Dumas 2007-12-10 12:12:07 UTC
I am still waiting for a definitive explanation of what 
package is needed for pam_ssh to properly function, when
somebody has put pam_ssh at the right place (that is after
pam_selinux, if I understand well).

Comment 16 Dmitry Butskoy 2007-12-10 12:22:24 UTC
Daniel?..

Comment 17 Patrice Dumas 2007-12-10 12:49:09 UTC
(In reply to comment #14)
> > It may also be related with Bug 407891
> 
> Nope, since you do not use triggers, pam_ssh is not touched when you update
> selinux-policy-targeted.
> 
> What if you install the previous version of pam_ssh (yet without SELinux addons)
> and try to update selinux-policy-targeted then?

I haven't tried, but I have fixed Bug 407891.

The error message is there on install:

# rpm -Uvh i386/pam_ssh-1.92-5.fc9.i386.rpm 
Préparation...              ########################################### [100%]
   1:pam_ssh                ########################################### [100%]
libsepol.print_missing_requirements: pam_ssh's global requirements were not met:
type/attribute user_home_ssh_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

However now, with pam_ssh already installed (or not), there is no
pam_ssh related error message when installing selinux-policy-targeted: 
# yum install selinux-policy-targeted 
...
  Installing: selinux-policy-targeted      ######################### [1/1] 
/usr/sbin/semanage: range not supported on Non MLS machines
/usr/sbin/semanage: Préfixe invalide guest
/usr/sbin/semanage: Préfixe invalide xguest


Comment 18 Martin Ebourne 2007-12-10 13:21:15 UTC
As this has now been fixed directly in the targeted policy we should drop the
semodule additions.

Comment 19 Patrice Dumas 2007-12-10 21:28:40 UTC
I have removed the selinux module stuff, and added a
Conflicts: selinux-policy-targeted < 3.0.8-55
and built in devel.

Does that seem right?

Comment 20 Dmitry Butskoy 2007-12-11 12:40:19 UTC
Yes, fine!

Comment 21 Fedora Update System 2007-12-12 19:58:48 UTC
pam_ssh-1.92-6.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pam_ssh'

Comment 22 Patrice Dumas 2007-12-20 23:54:43 UTC
It would be nice to have people using selinux test this update in 
testing (the last one, of course, pam_ssh-1.92-6.fc8).

Comment 23 Fedora Update System 2007-12-28 17:20:20 UTC
pam_ssh-1.92-6.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

