Bug 458561 - authentication service denying access due to pam configuration
Summary: authentication service denying access due to pam configuration
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-08-09 22:46 UTC by ericm24x7
Modified: 2008-08-27 00:24 UTC (History)
CC: 2 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-08-27 00:24:22 UTC
Type: ---
Embargoed:


Attachments
system-auth (890 bytes, text/plain), 2008-08-11 04:21 UTC, ericm24x7
crond (297 bytes, text/plain), 2008-08-11 04:22 UTC, ericm24x7
ausearch -m AVC output (3.77 KB, text/plain), 2008-08-11 04:23 UTC, ericm24x7

Description ericm24x7 2008-08-09 22:46:48 UTC
Description of problem:
authentication service is denying access to run crontab due to pam configuration.

Version-Release number of selected component (if applicable):
pam.x86_64 1.0.1-5.fc10
pam_ccreds.x86_64 7-3.fc10
pam_krb5.x86_64 2.3.0-1
pam_passwdqc.x86_64 1.0.5-1
pam_pkcs11.x86_64 0.5.3-26
pam_sb.x86_64 1.1.7-8.2.2
crontabs.noarch 1.10-23.fc10
authconfig.x86_64 5.4.3-1.fc10

How reproducible:
persistent

Steps to Reproduce:
1. Install 10-Alpha; I also updated the following packages to the latest build (8/9/08):
   tftp tftp-server httpd rsync dhcp vnc vnc-server hardlink
   kvm qemu bridge-utils nash gnash-plugin
   hplip hplip-gui libsane-hpaio
   xsane sane-backends cups system-config-printer
   gkrellm efax gnucash openoffice.org-base
   Miro kernel
2. Run crontab
Actual results:
Authentication service cannot retrieve authentication info
You (adm2) are not allowed to access to (crontab) because of pam configuration.

Comment 1 Tomas Mraz 2008-08-10 07:38:53 UTC
Can you please attach your /etc/pam.d/system-auth, /etc/pam.d/crontab.

Do you have SELinux enforcing? Does it still happen with SELinux in permissive mode (setenforce 0) ? If not, do you see any related AVCs with ausearch -m AVC ?

Comment 2 ericm24x7 2008-08-11 04:21:36 UTC
Created attachment 313906
system-auth

Comment 3 ericm24x7 2008-08-11 04:22:56 UTC
Created attachment 313907
crond

Comment 4 ericm24x7 2008-08-11 04:23:42 UTC
Created attachment 313908
ausearch -m AVC output

Comment 5 ericm24x7 2008-08-11 04:29:02 UTC
Under permissive mode (setenforce 0), I was able to execute crontab, but it does not run the script at the pre-set time (rsync -avH <remote_source> <to_local_source_directory>).

Comment 6 ericm24x7 2008-08-11 04:45:05 UTC
OK, I just rebooted the system and reset the crontab under permissive mode. The script works at the pre-defined time. By the way, /etc/pam.d/crontabs does not exist, so I uploaded /etc/pam.d/crond instead.

I'm not sure if it is an intended feature to block crontab by design, so I'm not sure whether to close this bug or not.

Comment 7 Tomas Mraz 2008-08-11 07:12:48 UTC
It is definitely not intended to block crontab.

If setenforce 0 helps, it means that the problem is in the selinux-policy, or something else is broken on your system with regard to SELinux.

Can you try to update the selinux-policy package if there is a new one in rawhide and see whether it helps (with setenforce 1)?

Comment 8 Marcela Mašláňová 2008-08-12 14:29:20 UTC
Please test with selinux-policy-3.5.1-4.fc10.noarch. It's working for me in rawhide - enforcing mode, latest policy.

Comment 9 ericm24x7 2008-08-12 20:59:21 UTC
OK, I loaded the latest selinux-policy. I can execute crontab when I connect through a remote viewer (vncviewer). But it is still failing when executing from any local terminal (tty1-tty6), or when connected from a remote ssh terminal.
== error output
Authentication service cannot retrieve authentication info
You (adm2) are not allowed to access to (crontab) because of pam configuration.
==
I tried editing /etc/security/access.conf and added the following line:
+ : adm2 root : 127.0.0.1 tty1 tty2 tty3 tty4 tty5 tty6

Still failed.

Anyway, at least it's working through vncviewer since that's how I always connect through this system.

Comment 10 Marcela Mašláňová 2008-08-25 12:55:53 UTC
This change shouldn't be needed. That's default state.

Comment 11 Marcela Mašláňová 2008-08-25 13:08:21 UTC
Crontabs are also working with SELinux enforcing, but the crontab can't be changed or printed out. With SELinux permissive, everything is working OK.

crontab -e failed -> audit.log: 
type=SELINUX_ERR msg=audit(1219676058.623:341): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1219676058.623:341): arch=40000003 syscall=11 success=no exit=-13 a0=30d738 a1=bfbc464c a2=30f408 a3=400 items=0 ppid=2742 pid=2743 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=48 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1219676058.641:342): user pid=2742 uid=500 auid=500 ses=48 subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="ferda" exe="/usr/bin/crontab" (hostname=?, addr=?, terminal=cron res=failed)'
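
The SELINUX_ERR record above, not the PAM files, is the real diagnosis: crontab runs in unconfined_crontab_t, PAM makes it execute the helper labelled chkpwd_exec_t, the policy computes system_chkpwd_t as the new domain, and the kernel's security_compute_sid rejects the result as an invalid context (most likely because the role unconfined_r is not authorised for the type system_chkpwd_t). PAM only sees the failed exec and reports it as a "pam configuration" problem, which is why access.conf edits in comment 9 could not help. The script below is an added example, not part of the bug report or of selinux-policy: it triages audit records of this shape with plain POSIX sh, sed and cut, and reports per record whether it is an invalid-context transition, an ordinary AVC denial, or something else. The first sample line is the SELINUX_ERR record quoted in this comment; the AVC line is constructed for contrast and does not come from the reporter's system.

```shell
#!/bin/sh
# Added example: triage SELinux audit records like those in comment 11.
# Not from the bug report or selinux-policy; uses only sh, sed and cut.

# Constructed sample. Line 1 and line 3 are the SELINUX_ERR and SYSCALL
# records quoted in the comment; line 2 is a made-up AVC record in the
# same format, used only to show the second code path.
SAMPLE_AUDIT='type=SELINUX_ERR msg=audit(1219676058.623:341): security_compute_sid:  invalid context unconfined_u:unconfined_r:system_chkpwd_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=process
type=AVC msg=audit(1219676060.100:343): avc:  denied  { read } for  pid=2750 comm="crontab" name="adm2" dev=sda1 ino=12345 scontext=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cron_spool_t:s0 tclass=file
type=SYSCALL msg=audit(1219676058.623:341): arch=40000003 syscall=11 success=no exit=-13 a0=30d738 a1=bfbc464c a2=30f408 a3=400 items=0 ppid=2742 pid=2743 auid=500 uid=0 gid=500 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=48 comm="crontab" exe="/usr/bin/crontab" subj=unconfined_u:unconfined_r:unconfined_crontab_t:s0-s0:c0.c1023 key=(null)'

# audit_field NAME RECORD: value of the "NAME=value" token in RECORD.
# A space is prepended so a field at the start of the line also matches.
audit_field() {
    printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# se_part N CONTEXT: Nth colon-separated part of user:role:type:range.
se_part() {
    printf '%s\n' "$2" | cut -d: -f"$1"
}

# diagnose_record RECORD: print one summary line for one audit record.
diagnose_record() {
    rec=$1
    type=$(audit_field type "$rec")
    src=$(audit_field scontext "$rec")
    tgt=$(audit_field tcontext "$rec")
    cls=$(audit_field tclass "$rec")
    case $type in
    SELINUX_ERR)
        case $rec in
        *"invalid context "*)
            # The policy has a transition from the source domain on this
            # entrypoint, but the computed user:role:type is not a valid
            # context, so the exec fails with EACCES before any AVC check.
            # Report the role/type pair the kernel refused.
            bad=${rec#*invalid context }
            bad=${bad%% *}
            printf 'INVALID_CONTEXT role=%s type=%s src=%s entry=%s\n' \
                "$(se_part 2 "$bad")" "$(se_part 3 "$bad")" \
                "$(se_part 3 "$src")" "$(se_part 3 "$tgt")"
            ;;
        *)
            printf 'SELINUX_ERR src=%s tgt=%s\n' \
                "$(se_part 3 "$src")" "$(se_part 3 "$tgt")"
            ;;
        esac
        ;;
    AVC)
        # Ordinary access-vector denial: extract the permission set
        # between the braces, e.g. "read" or "read write".
        perm=${rec#*\{ }
        perm=${perm%% \}*}
        printf 'AVC_DENIED perm=%s src=%s tgt=%s class=%s\n' \
            "$perm" "$(se_part 3 "$src")" "$(se_part 3 "$tgt")" "$cls"
        ;;
    *)
        printf 'OTHER type=%s\n' "$type"
        ;;
    esac
}

# triage_audit: read one record per line on stdin, print one line each.
triage_audit() {
    while IFS= read -r line; do
        [ -n "$line" ] && diagnose_record "$line"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | triage_audit
```

On a live system the records would come from ausearch rather than the embedded sample, for example `ausearch -m AVC,SELINUX_ERR -ts recent | grep '^type=' | triage_audit`. An INVALID_CONTEXT line is the signal to look at the policy, not at /etc/pam.d: with the setools package installed, `sesearch -T -s unconfined_crontab_t -t chkpwd_exec_t -c process` shows the transition rule that produced the refused type, and the role's allowed types can be listed with seinfo (the exact seinfo flags differ between setools versions). Once the updated policy is in place, the same records should stop appearing with setenforce 1.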

Comment 12 Daniel Walsh 2008-08-27 00:24:22 UTC
Fixed in selinux-policy-3.5.5-2.fc10

