Bug 458561 - authentication service denying access due to pam configuration
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
Reported: 2008-08-09 18:46 EDT by ericm24x7
Modified: 2008-08-26 20:24 EDT

Doc Type: Bug Fix

Attachments
system-auth (890 bytes, text/plain), 2008-08-11 00:21 EDT, ericm24x7
crond (297 bytes, text/plain), 2008-08-11 00:22 EDT, ericm24x7
ausearch -m AVC output (3.77 KB, text/plain), 2008-08-11 00:23 EDT, ericm24x7

Description ericm24x7 2008-08-09 18:46:48 EDT
Description of problem:
authentication service is denying access to run crontab due to pam configuration.

Version-Release number of selected component (if applicable):
pam.x86_64 1.0.1-5.fc10
pam_ccreds.x86_64 7-3.fc10
pam_krb5.x86_64 2.3.0-1
pam_passwdqc.x86_64 1.0.5-1
pam_pkcs11.x86_64 0.5.3-26
pam_sb.x86_64 1.1.7-8.2.2
crontabs.noarch 1.10-23.fc10
authconfig.x86_64 5.4.3-1.fc10

How reproducible:

Steps to Reproduce:
1. Install 10-Alpha, plus I updated the following packages to the latest build (8/9/08):
   tftp tftp-server httpd rsync dhcp vnc vnc-server hardlink
   kvm qemu bridge-utils nash gnash-plugin
   hplip hplip-gui libsane-hpaio
   xsane sane-backends cups system-config-printer
   gkrellm efax gnucash openoffice.org-base
   Miro kernel
2. run crontab
Actual results:
Authentication service cannot retrieve authentication info
You (adm2) are not allowed to access to (crontab) because of pam configuration.
Comment 1 Tomas Mraz 2008-08-10 03:38:53 EDT
Can you please attach your /etc/pam.d/system-auth and /etc/pam.d/crontab?

Do you have SELinux enforcing? Does it still happen with SELinux in permissive mode (setenforce 0)? If not, do you see any related AVCs with ausearch -m AVC?
Comment 2 ericm24x7 2008-08-11 00:21:36 EDT
Created attachment 313906: system-auth
Comment 3 ericm24x7 2008-08-11 00:22:56 EDT
Created attachment 313907: crond
Comment 4 ericm24x7 2008-08-11 00:23:42 EDT
Created attachment 313908: ausearch -m AVC output
Comment 5 ericm24x7 2008-08-11 00:29:02 EDT
Under permissive mode (setenforce 0), I was able to execute crontab, but it does not run the script at the pre-set time (rsync -avH <remote_source> <to_local_source_directory>).
Comment 6 ericm24x7 2008-08-11 00:45:05 EDT
OK, I just rebooted the system and reset the crontab under permissive mode. The script works at the pre-defined time. By the way, /etc/pam.d/crontabs does not exist, so I uploaded /etc/pam.d/crond instead.

I'm not sure if it is an intended feature to block crontab by design. So I'm not sure whether to close this bug or not.
Comment 7 Tomas Mraz 2008-08-11 03:12:48 EDT
It is definitely not intended to block crontab.

If setenforce 0 helps, it means that the problem is in the selinux-policy or something else is broken on your system with regard to SELinux.

Can you try to update the selinux-policy package if there is a new one in rawhide and see whether it helps (with setenforce 1)?
Comment 8 Marcela Mašláňová 2008-08-12 10:29:20 EDT
Please test with selinux-policy-3.5.1-4.fc10.noarch. It's working for me in rawhide - enforcing mode, latest policy.
Comment 9 ericm24x7 2008-08-12 16:59:21 EDT
OK, I loaded the latest selinux-policy. I can execute crontab when I connect through the remote viewer (vncviewer). But it is still failing when executing from any local terminal (tty1-tty6), or when connected from a remote ssh terminal.
== error output
Authentication service cannot retrieve authentication info
You (adm2) are not allowed to access to (crontab) because of pam configuration.
I tried editing /etc/security/access.conf and added the following line:
+ : adm2 root : tty1 tty2 tty3 tty4 tty5 tty6

Still failed.

Anyway, at least it's working through vncviewer since that's how I always connect through this system.
Comment 10 Marcela Mašláňová 2008-08-25 08:55:53 EDT
This change shouldn't be needed. That's default state.
Comment 11 Marcela Mašláňová 2008-08-25 09:08:21 EDT
Crontabs also work with SELinux enforcing, but the crontab can't be changed or printed out. With SELinux permissive, everything is working OK.

crontab -e failed -> audit.log: 
type=SELINUX_ERR msg=audit(1219676058.623:341): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1219676058.623:341): arch=40000003 syscall=11 success=no exit=-13 a0=30d738 a1=bfbc464c a2=30f408 a3=400 items=0 ppid=2742 pid=2743 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=48 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1219676058.641:342): user pid=2742 uid=500 auid=500 ses=48 subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="ferda" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
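The three audit records above tell the whole story if they are read together: the SELINUX_ERR from security_compute_sid says the kernel could not build a valid context for the transition from unconfined_crontab_t into system_chkpwd_t via chkpwd_exec_t (typically because the policy lacks a role/type pairing for unconfined_r with that type), the SYSCALL record is the execve of the password-check helper failing with EACCES (exit=-13) in crontab's child, and the USER_ACCT record is PAM in the parent reporting the accounting failure that the user then sees as "because of pam configuration". The script below is an added triage helper, not part of the bug report or of Fedora's tooling; it parses these audit lines, groups them by audit serial, and correlates the refused transition with the PAM failure by pid. The sample log is constructed from the lines quoted in this comment plus one unrelated record.

```python
"""Audit-log triage for SELinux transition failures that surface as PAM errors.

Added example, not part of the bug report. Assumes audit lines of the form
`type=X msg=audit(secs.millis:serial): key=value ...` as written by auditd.
"""
import re
from collections import defaultdict

# Constructed sample: the records from comment 11 plus one harmless execve.
SAMPLE_AUDIT_LOG = """\
type=SELINUX_ERR msg=audit(1219676058.623:341): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1219676058.623:341): arch=40000003 syscall=11 success=no exit=-13 a0=30d738 a1=bfbc464c a2=30f408 a3=400 items=0 ppid=2742 pid=2743 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=48 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1219676058.641:342): user pid=2742 uid=500 auid=500 ses=48 subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="ferda" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
type=SYSCALL msg=audit(1219676100.000:350): arch=40000003 syscall=11 success=yes exit=0 pid=2800 uid=0 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# key=value pairs; values may be bare, "double-quoted" or 'single-quoted'.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
INVALID_CTX_RE = re.compile(
    r'security_compute_sid:\s+invalid context (?P<newctx>\S+) for '
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')


def _kv(text):
    """Split key=value pairs, dropping quotes and the parentheses PAM adds."""
    return {k: v.strip('"\'(),') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """Return a dict for one audit line, or None if it is not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial")),
           "timestamp": float(m.group("ts"))}
    body = m.group("body")
    if rec["type"] == "SELINUX_ERR":
        ctx = INVALID_CTX_RE.search(body)
        if ctx:
            rec.update(ctx.groupdict())
    rec.update(_kv(body))
    # PAM records nest their own key=value pairs inside msg='...'; lift them up
    # without overriding the outer fields (pid, uid, ...).
    if "msg" in rec and "=" in rec["msg"]:
        for k, v in _kv(rec["msg"]).items():
            rec.setdefault(k, v)
    return rec


def _type_of(context):
    """Third field of user:role:type:range is the SELinux type."""
    return context.split(":")[2]


def find_denied_transitions(log_text):
    """Events where SELinux could not compute a transition context and the
    execve in the same audit serial failed with EACCES (exit=-13)."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        errs = [r for r in recs if r["type"] == "SELINUX_ERR" and "newctx" in r]
        # syscall 11 is execve on i386 (arch=40000003), which these records use
        failed = [r for r in recs if r["type"] == "SYSCALL"
                  and r.get("success") == "no" and r.get("exit") == "-13"]
        for err in errs:
            call = failed[0] if failed else {}
            findings.append({
                "serial": serial,
                "source_domain": _type_of(err["scontext"]),
                "target_domain": _type_of(err["newctx"]),
                "entrypoint_type": _type_of(err["tcontext"]),
                "comm": call.get("comm"),
                "exe": call.get("exe"),
                "pid": int(call["pid"]) if "pid" in call else None,
                "ppid": int(call["ppid"]) if "ppid" in call else None,
            })
    return findings


def pam_failures(log_text):
    """PAM accounting failures (USER_ACCT res=failed) as (pid, acct, exe)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] == "USER_ACCT" and rec.get("res") == "failed":
            out.append((int(rec["pid"]), rec.get("acct"), rec.get("exe")))
    return out


def explain(log_text):
    """Correlate each PAM failure with a refused transition in a child of the
    same process and return one triage line per match."""
    denials = find_denied_transitions(log_text)
    lines = []
    for pid, acct, exe in pam_failures(log_text):
        for d in denials:
            if d["ppid"] == pid:
                lines.append(
                    "pid %d (%s): PAM accounting for %r failed because SELinux refused "
                    "the transition %s -> %s via %s (child pid %s, audit serial %d); "
                    "this is a policy problem, not a PAM configuration problem"
                    % (pid, exe, acct, d["source_domain"], d["target_domain"],
                       d["entrypoint_type"], d["pid"], d["serial"]))
    return lines


if __name__ == "__main__":
    for line in explain(SAMPLE_AUDIT_LOG):
        print(line)
```

Run it against the output of `ausearch -m SELINUX_ERR,SYSCALL,USER_ACCT` (or the raw audit.log) to separate a genuine PAM misconfiguration from a policy denial: the former produces USER_ACCT failures with no matching SELINUX_ERR, the latter produces both, linked by the parent pid.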
Comment 12 Daniel Walsh 2008-08-26 20:24:22 EDT
Fixed in selinux-policy-3.5.5-2.fc10
