Bug 471746 - add pam_sepermit to sshd pam config to block confined users in permissive mode
Product: Fedora
Component: openssh
Platform: All Linux
Severity: medium
Assigned To: Tomas Mraz
Status: Reopened
Reported: 2008-11-15 11:46 EST by Dominick Grift
Modified: 2009-02-12 10:41 EST
Fixed In Version: openssh-5.1p1-5.fc11
Doc Type: Bug Fix
Last Closed: 2009-02-12 10:41:22 EST

Description Dominick Grift 2008-11-15 11:46:39 EST
Description of problem:
- man page for pam_selinux_permit is missing
- /etc/security/sepermit.conf, %seuser option does not work
- pam sepermit entry missing in /etc/pam.d/sshd

Version-Release number of selected component (if applicable):

Additional info:

- there used to be a man page for pam sepermit; now it is gone (man pam_selinux_sepermit)


- echo "%seuser guest_u" >> /etc/security/sepermit.conf does not deny access for seuser guest_u when selinux in permissive mode.

- guest_u, like xguest_u, is a seuser available by default. pam.d/gdm is set up properly for xguest_u by default (it has the sepermit pam entry plus the namespace pam entry); however, this is not the case for guest_u and pam.d/sshd (missing sepermit pam entry and namespace pam entry)
Comment 1 Tomas Mraz 2008-11-16 11:23:03 EST
Please do not put multiple bugs into one bug report next time.

The canonical name for the module is now pam_sepermit. The pam_selinux_permit.so is just a symlink for backward compatibility. 'man pam_sepermit' thus gives you the manual page.

You must add %guest_u to sepermit.conf not %seuser guest_u.

sshd is not set by default because the xguest user is not supposed to be allowed in by sshd.
Comment 2 Dominick Grift 2008-11-16 12:11:35 EST
Thanks for clarifying points one and two. Sorry for the false alarm.

About point 3 though:

xguest_u is not allowed to use sshd, only gdm. True.
However, guest_u is not allowed to use gdm, only sshd...
Comment 3 Tomas Mraz 2008-11-18 03:08:33 EST
Ccing dwalsh. Dan, what do you think about guest_u? I do not think we should support passwordless ssh login. But what about adding pam_sepermit to sshd PAM configuration to block guest_u if SELinux is in permissive mode?
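To make the two points above concrete (the `%guest_u` vs. `%seuser guest_u` syntax from Comment 1, and the idea of pam_sepermit denying guest_u when SELinux is not enforcing), here is an added example that models the module's decision logic. It is not pam_sepermit's own code; it assumes the sepermit.conf grammar from pam_sepermit(8) (one entry per line, `#` comments, `@group`, `%seuser`, `:`-separated options) and replaces the group and SELinux-user lookups with constructed tables.

```python
# Added example (not pam_sepermit's own code): a simplified model of how the
# module decides access from /etc/security/sepermit.conf. Matched user with
# SELinux enforcing -> PAM_SUCCESS; matched with SELinux permissive/disabled ->
# PAM_AUTH_ERR; unmatched -> PAM_IGNORE (the other stack modules decide). The
# group and SELinux-user lookups are stubbed with constructed tables instead of
# getgrnam() and libselinux's getseuserbyname().

PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

# Constructed sample data standing in for the real system databases.
GROUPS = {"guests": {"visitor"}}                          # group -> members
SEUSERS = {"visitor": "guest_u", "alice": "unconfined_u"}  # login -> SELinux user


def parse_sepermit(text):
    """Return [(name, set(options))]; '@' marks a group, '%' a SELinux user."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        name, *opts = line.split(":")         # e.g. "%guest_u:exclusive"
        entries.append((name, {o.strip() for o in opts if o.strip()}))
    return entries


def matches(entry_name, user):
    if entry_name.startswith("@"):
        return user in GROUPS.get(entry_name[1:], set())
    if entry_name.startswith("%"):
        return SEUSERS.get(user) == entry_name[1:]
    return entry_name == user


def sepermit_decision(conf_text, user, enforcing):
    for name, _opts in parse_sepermit(conf_text):
        if matches(name, user):
            return PAM_SUCCESS if enforcing else PAM_AUTH_ERR
    return PAM_IGNORE


# The entry from the report ("%seuser guest_u") names a SELinux user literally
# called "seuser guest_u", so it never matches; "%guest_u" is the working form.
BROKEN_CONF = "%seuser guest_u\n"
FIXED_CONF = "# confined guest logins only while SELinux is enforcing\n%guest_u\n"

if __name__ == "__main__":
    for conf in (BROKEN_CONF, FIXED_CONF):
        for enforcing in (True, False):
            mode = "enforcing" if enforcing else "permissive"
            print(repr(conf.strip()), mode, sepermit_decision(conf, "visitor", enforcing))
```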
Comment 4 Daniel Walsh 2008-11-18 11:43:09 EST
I think adding it is fine and probably a good idea; blocking guest_u logins with SELinux disabled or permissive is also a good idea.

I think we need to make sure xguest_u is only available via gdm and not sshd by default, and I am not sure pam_sepermit supports this.

If I install the xguest package I do not want the xguest user to be accessible with no password from the internet.
Comment 5 Tomas Mraz 2008-11-18 12:51:18 EST
I would use a different pam config entry for sshd that would not allow passwordless logins.
Comment 6 Daniel Walsh 2008-11-18 13:06:06 EST
That is my only concern.

I would like to get to the point where we could experiment with returning random UIDs from a range of UIDs. So you could set up a group of guest accounts that people could log into with temporary home and /tmp directories.

Perhaps without a password.
Comment 7 Bug Zapper 2008-11-26 00:27:13 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
