Red Hat Bugzilla – Bug 471746
add pam_sepermit to sshd pam config to block confined users in permissive mode
Last modified: 2009-02-12 10:41:22 EST
Description of problem:
- man page for pam selinux permit is missing
- /etc/security/sepermit.conf, %seuser option does not work
- pam sepermit entry missing in /etc/pam.d/sshd
Version-Release number of selected component (if applicable):
- there used to be a man page for pam sepermit, now it is gone (man pam_selinux_sepermit)
- echo "%seuser guest_u" >> /etc/security/sepermit.conf does not deny access for seuser guest_u when SELinux is in permissive mode.
- guest_u, like xguest_u, is an seuser available by default. pam.d/gdm is set up properly for xguest_u by default (it has a sepermit pam entry plus a namespace pam entry); however, this is not the case for guest_u and pam.d/sshd (missing sepermit pam entry and namespace pam entry).
Please do not put multiple bugs into one bug report next time.
The canonical name for the module is now pam_sepermit. The pam_selinux_permit.so is just a symlink for backward compatibility. 'man pam_sepermit' thus gives you the manual page.
You must add %guest_u to sepermit.conf not %seuser guest_u.
sshd is not set by default because the xguest user is not supposed to be allowed in by sshd.
Thanks for clarifying points one and two. Sorry for the false alarm.
About point 3, though:
xguest_u is not allowed to use sshd, only gdm. True.
However, guest_u is not allowed to use gdm, only sshd...
Ccing dwalsh. Dan, what do you think about guest_u? I do not think we should support passwordless ssh login. But what about adding pam_sepermit to sshd PAM configuration to block guest_u if SELinux is in permissive mode?
I think adding it is fine and probably a good idea, blocking guest_u logins with SELinux disabled or permissive is also a good idea.
I think we need to make sure xguest_u is only available via gdm and not sshd by default, and I am not sure pam_sepermit supports this.
If I install the xguest package I do not want the xguest user to be accessible with no password from the internet.
I would use a different pam config entry for sshd that would not allow passwordless logins.
That is my only concern.
I would like to get to the point where we could experiment with returning random UIDs from a range of UIDs. So you could set up a group of guest accounts that people could log into with temporary home and /tmp directories.
Perhaps without a password.
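As an added example, not code from the bug report or from pam_sepermit itself, the following POSIX sh script audits the two configuration points the thread settles on: entries in /etc/security/sepermit.conf are single tokens of the form user, @group or %seuser with optional :exclusive / :ignore suffixes (so `%guest_u`, not `%seuser guest_u`), and /etc/pam.d/sshd needs a pam_sepermit.so line in its auth stack before a listed SELinux user is refused over ssh when SELinux is not enforcing. The function names and the sample files are my own; the samples are constructed in a temporary directory so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the bug report or from pam_sepermit itself:
# an audit that checks the two configuration points raised in the thread.
#
# 1. Each non-comment line of sepermit.conf is a single token: a user name,
#    "@group" or "%seuser", optionally followed by ":exclusive" and/or
#    ":ignore". "%seuser guest_u" (two words) is rejected, "%guest_u" passes.
# 2. The sshd PAM service file calls pam_sepermit.so in its auth stack, which
#    is what makes a listed SELinux user unable to log in over ssh unless
#    SELinux is enforcing.
#
# The sample files below are constructed (hypothetical contents) in a
# temporary directory; point the functions at real paths to audit a host.

# Strip comments and surrounding whitespace from one line.
strip_line() {
    printf '%s' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if one sepermit.conf line is syntactically valid (or blank).
sepermit_line_ok() {
    entry=$(strip_line "$1")
    [ -n "$entry" ] || return 0
    case "$entry" in
        *[[:space:]]*) return 1 ;;     # embedded whitespace: "%seuser guest_u"
    esac
    subject=${entry%%:*}
    options=${entry#"$subject"}
    case "$subject" in
        ''|'@'|'%') return 1 ;;        # empty user, group or seuser name
    esac
    case "$options" in
        ''|:exclusive|:ignore|:exclusive:ignore|:ignore:exclusive) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if every line of the file is valid and the file lists the given
# SELinux user as a "%seuser" entry (so that user is blocked by pam_sepermit).
sepermit_conf_lists() {
    conf=$1
    seuser=$2
    found=1
    while IFS= read -r raw || [ -n "$raw" ]; do
        sepermit_line_ok "$raw" || { echo "invalid entry in $conf: $raw" >&2; return 1; }
        case "$(strip_line "$raw")" in
            "%$seuser"|"%$seuser":*) found=0 ;;
        esac
    done < "$conf"
    return $found
}

# Return 0 if a PAM service file has pam_sepermit.so in its auth stack.
pam_has_sepermit() {
    grep -q '^[[:space:]]*auth[[:space:]].*pam_sepermit\.so' "$1"
}

# Constructed sample files (hypothetical contents, not copied from any host).
tmp=$(mktemp -d)
cat > "$tmp/sepermit.wrong" <<'EOF'
# the form tried in the report: two words
%seuser guest_u
EOF
cat > "$tmp/sepermit.right" <<'EOF'
# the form the maintainer asked for: the SELinux user name prefixed with %
%guest_u
EOF
cat > "$tmp/sshd.without" <<'EOF'
auth       include      system-auth
account    required     pam_nologin.so
EOF
cat > "$tmp/sshd.with" <<'EOF'
auth       required     pam_sepermit.so
auth       include      system-auth
account    required     pam_nologin.so
EOF

for f in sepermit.wrong sepermit.right; do
    if sepermit_conf_lists "$tmp/$f" guest_u; then
        echo "$f: guest_u is listed"
    else
        echo "$f: guest_u is NOT blocked"
    fi
done
for f in sshd.without sshd.with; do
    if pam_has_sepermit "$tmp/$f"; then
        echo "$f: pam_sepermit present"
    else
        echo "$f: pam_sepermit missing"
    fi
done
```

To audit a real host, call `sepermit_conf_lists /etc/security/sepermit.conf guest_u && pam_has_sepermit /etc/pam.d/sshd`; both must succeed before guest_u ssh logins are refused in permissive mode. The grep only checks that the module appears in the auth stack, not where, so still review its position relative to the modules that actually authenticate the user.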
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.
More information and the reason for this action are here: