Bug 427486 - Allow pam_tty_audit to manipulate the "audit TTY input" flag
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware/OS: All Linux
Priority: low, Severity: medium
Assigned To: Eric Paris
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-03 23:52 EST by Miloslav Trmač
Modified: 2009-03-06 08:31 EST
Doc Type: Bug Fix
Last Closed: 2009-03-06 08:31:00 EST

Attachments
refpolicy patch (314 bytes, patch), 2008-09-19 05:54 EDT, Miloslav Trmač
libselinux patch (30.83 KB, patch), 2008-09-19 05:55 EDT, Miloslav Trmač
kernel patch (3.53 KB, patch), 2008-09-19 05:56 EDT, Miloslav Trmač

Description Miloslav Trmač 2008-01-03 23:52:42 EST
$subj ... by letting processes that use PAM for session setup send netlink
messages to the audit subsystem.

So far I have collected:
allow local_login_t self:netlink_audit_socket nlmsg_write;
allow sshd_t self:netlink_audit_socket nlmsg_write;
allow xdm_t self:netlink_audit_socket nlmsg_write;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.0.8-72.fc8
Comment 1 Josef Kubin 2008-02-29 08:42:47 EST
I can fix it; how can I test it?
Thank you for your reply!
Comment 2 Miloslav Trmač 2008-02-29 08:59:14 EST
Basically, append to /etc/pam.d/system-auth:
        session required pam_tty_audit.so disable=* enable=root

and try as many ways to log in / switch to the root user as you can think of.
Some more detailed instructions are available in
https://bugzilla.redhat.com/show_bug.cgi?id=244352#c10 - but note that TTY
auditing will still not work in some cases unless you patch the kernel.
Comment 3 Daniel Walsh 2008-02-29 11:39:27 EST
I believe this is a bug in the pam module; it should not be requesting
nlmsg_write.  It should use nlmsg_relay.

Requiring

So far I have collected:
allow local_login_t self:netlink_audit_socket nlmsg_write;
allow sshd_t self:netlink_audit_socket nlmsg_write;
allow xdm_t self:netlink_audit_socket nlmsg_write;

Will allow all of the login programs to change the auditing level and what gets
audited, I also think it can turn off auditing.
Comment 4 Tomas Mraz 2008-02-29 12:14:37 EST
The type of access needed is determined by the kernel, not the pam module itself.
If it were changed to nlmsg_relay, it would be the same type as an auditing message.
That would mean that any process which can send audit messages could
enable/disable tty auditing. This might be undesirable. But I agree that using
nlmsg_write is not a good idea either.
Perhaps a new type should be added?
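Added example, not from the bug thread or from any of the patches attached to it: a small Python parser for the AVC denials that the test procedure in comment 2 produces while policy lacks the rules. It turns netlink_audit_socket denials into the `allow <domain> self:netlink_audit_socket ...` lines the description collected, and separately reports every domain that asked for nlmsg_write, since (comment 3) that permission also lets the domain change what is audited. The audit.log lines, pids and event ids below are constructed.

```python
import re
from collections import defaultdict
# Field layout of an SELinux AVC denial record as auditd writes it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# Permissions that do more than send a record: nlmsg_write can change the audit configuration.
BROAD_PERMS = {"nlmsg_write"}
# Constructed sample audit.log lines (not from a real system); event ids and pids are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1222351200.101:311): avc:  denied  { nlmsg_write } for  pid=2345 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1222351200.101:311): arch=c000003e syscall=44 success=no exit=-13 comm="sshd"
type=AVC msg=audit(1222351200.102:312): avc:  denied  { nlmsg_write } for  pid=2399 comm="login" scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:system_r:local_login_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1222351200.103:313): avc:  denied  { nlmsg_relay } for  pid=2410 comm="xdm" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=netlink_audit_socket
""".splitlines()

def context_type(ctx):
    """Return the type field of a user:role:type[:range] context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {"perms": set(m.group("perms").split()), "tclass": m.group("tclass"),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext"))}

def fmt_perms(perms):
    perms = sorted(perms)  # policy syntax: one bare name, or { a b } for several
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)

def audit_socket_rules(lines):
    """Return (rules, broad): the allow rules implied by netlink_audit_socket
    denials, and a map of source type -> broad permissions it asked for."""
    wanted, broad = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["tclass"] != "netlink_audit_socket":
            continue
        # A netlink socket carries its creator's label, hence "self" in the rule.
        target = "self" if rec["stype"] == rec["ttype"] else rec["ttype"]
        wanted[(rec["stype"], target)] |= rec["perms"]
        broad[rec["stype"]] |= rec["perms"] & BROAD_PERMS
    rules = ["allow %s %s:netlink_audit_socket %s;" % (st, tgt, fmt_perms(p))
             for (st, tgt), p in sorted(wanted.items())]
    return rules, {st: p for st, p in broad.items() if p}
```

Running `audit_socket_rules(SAMPLE_LOG)` on the constructed lines yields the three rules from the description for sshd_t and local_login_t plus an nlmsg_relay rule for xdm_t, with sshd_t and local_login_t listed as the domains that would gain nlmsg_write.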
Comment 5 Daniel Walsh 2008-05-07 13:52:44 EDT
sgrubb, what is the latest on this?
Comment 7 Daniel Walsh 2008-07-02 16:08:56 EDT
Eric can you look into this?
Comment 8 Steve Grubb 2008-07-02 16:44:08 EDT
The patch I sent was this one:

http://marc.info/?l=selinux&m=120491226616954&w=2
Comment 9 Eric Paris 2008-07-14 23:18:00 EDT
I'll try to look at it eventually.  sds was nice enough to clearly lay out the
steps required for adding a new permission to the kernel; it's also at
http://www.selinuxproject.org/page/Adding_New_Permissions
so that nobody forgets everywhere changes are required.  We put the big headers
stating not to edit by hand for a reason   :)

I'll try to get to it before F10 if no one else wants to finish the halfway
completed work.
Comment 10 Miloslav Trmač 2008-09-19 05:54:11 EDT
Created attachment 317173 [details]
refpolicy patch
Comment 11 Miloslav Trmač 2008-09-19 05:55:10 EDT
Created attachment 317174 [details]
libselinux patch
Comment 12 Miloslav Trmač 2008-09-19 05:56:42 EDT
Created attachment 317176 [details]
kernel patch
Comment 13 Miloslav Trmač 2008-09-19 06:02:06 EDT
These are the patches generated using the directions in comment #9.

The libselinux patch is way too large, it seems libselinux git has not caught up with some refpolicy changes.

> There is also the backward compatibility issue - we must not break
> akpm's system if he boots a new kernel on an existing distro that lacks
> new policy.
I have no idea what to do about this.  Anyway, this affects only systems that use pam_tty_audit.  Currently such systems don't work with SELinux anyway, so booting a new kernel without new rules in policy cannot hurt anything - but I'm not sure whether a new kernel can handle a policy that does not refer to the new capability, or whether an old kernel can handle a policy that does refer to the new capability.
Comment 14 Eric Paris 2008-09-19 09:42:27 EDT
What was the libselinux patch made against?  It looks like the original libselinux files were really quite old and your patch very well could be the right thing to do.  (Or maybe we have to break up and fix the OPEN/X/your fixes into 3 patches)

Let's not worry about kernel backwards compat here.  No one's using this stuff yet anyway   :)
Comment 15 Miloslav Trmač 2008-09-19 09:57:48 EDT
(In reply to comment #14)
> What was the libselinux patch made against?
http://oss.tresys.com/git/selinux.git
Comment 16 Daniel Walsh 2008-09-22 13:56:45 EDT
Definition is in libselinux-2.0.71-5.fc10

Definition is in selinux-policy-3.5.8-5.fc10.noarch
Comment 17 Bug Zapper 2008-11-25 21:04:44 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and the reason for this action are here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 18 Eric Paris 2009-03-03 16:53:20 EST
Things to do:

1) define new perm in refpolicy
2) define new perm in kernel
3) implement new perm in refpolicy
4) implement new perm in kernel

dwalsh did step 1.  I'm starting on 2 and 4 today.
Comment 19 Eric Paris 2009-03-05 13:54:46 EST
Patch sent to selinux list.