Bug 621997 - SELinux empêche l'accès en "search" à /usr/libexec/polkit-1/polkit-agent-helper-1 on /var/lib/a
Summary: SELinux empêche l'accès en "search" à /usr/libexec/polkit-1/polkit-agent-help...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: 14
Hardware: x86_64 Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:cf3e0918b10...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-08-06 18:00 UTC by Nicolas Mailhot
Modified: 2010-08-24 01:49 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.8.8-14.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-08-24 01:49:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/etc/pam.d/system-auth (1002 bytes, text/plain)
2010-08-10 16:46 UTC, Nicolas Mailhot
no flags Details

Description Nicolas Mailhot 2010-08-06 18:00:35 UTC

SELinux empêche l'accès en "search" à
/usr/libexec/polkit-1/polkit-agent-helper-1 on /var/lib/a

Description détaillée:

SELinux a refusé l'accès demandé par polkit-agent-he. Il n'est pas prévu que
cet accès soit requis par polkit-agent-he et cet accès peut signaler une
tentative d'intrusion. Il est également possible que cette version ou cette
configuration spécifique de l'application provoque cette demande d'accès

Autoriser l'accès:

Vous pouvez créer un module de stratégie locale pour autoriser cet accès -
lisez la FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Merci de
remplir un rapport de bogue.

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c
Contexte cible                system_u:object_r:var_auth_t:s0
Objets du contexte            /var/lib/abl [ dir ]
source                        polkit-agent-he
Chemin de la source           /usr/libexec/polkit-1/polkit-agent-helper-1
Port                          <Inconnu>
Hôte                         (supprimé)
Paquetages RPM source         polkit-0.96-1.fc13
Paquetages RPM cible          pam_abl-0.2.3-8.fc12
Politique RPM                 selinux-policy-3.8.8-10.fc14
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 catchall
Nom de l'hôte                (supprimé)
Plateforme                    Linux (supprimé) 2.6.35-2.fc14.x86_64 #1 SMP Wed
                              Aug 4 19:15:25 UTC 2010 x86_64 x86_64
Compteur d'alertes            1
Première alerte              ven. 06 août 2010 19:57:59 CEST
Dernière alerte              ven. 06 août 2010 19:57:59 CEST
ID local                      580f6385-1140-49eb-9a21-e0106686cf99
Numéros des lignes           

Messages d'audit bruts        

node=(supprimé) type=AVC msg=audit(1281117479.56:27): avc:  denied  { search } for  pid=2628 comm="polkit-agent-he" name="abl" dev=dm-1 ino=122447 scontext=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_auth_t:s0 tclass=dir

node=(supprimé) type=SYSCALL msg=audit(1281117479.56:27): arch=c000003e syscall=4 success=no exit=-13 a0=1005f10 a1=7fffd72a1030 a2=7fffd72a1030 a3=180 items=0 ppid=2342 pid=2628 auid=500 uid=500 gid=500 euid=0 suid=0 fsuid=0 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="polkit-agent-he" exe="/usr/libexec/polkit-1/polkit-agent-helper-1" subj=unconfined_u:unconfined_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,polkit-agent-he,policykit_auth_t,var_auth_t,dir,search
audit2allow suggests:

#============= policykit_auth_t ==============
allow policykit_auth_t var_auth_t:dir search;

Comment 1 Daniel Walsh 2010-08-10 15:44:03 UTC
Did you add pam_abl to /etc/pam.d/system-auth?

Comment 2 Nicolas Mailhot 2010-08-10 15:56:00 UTC
I did it when I first installed pam_abl on the system years ago. I haven't checked lately if the various system upgrades since have preserved this (but I guess if they hadn't there would be no selinux alert today)

Comment 3 Nicolas Mailhot 2010-08-10 16:46:58 UTC
Created attachment 437949 [details]

Local /etc/pam.d/system-auth with typical pam_abl configuration

Comment 4 Nicolas Mailhot 2010-08-10 16:47:39 UTC
Summary     : A Pluggable Authentication Module (PAM) for auto blacklisting

Description :
Provides auto blacklisting of hosts and users responsible for repeated
failed authentication attempts. Generally configured so that
blacklisted users still see normal login prompts but are guaranteed to
fail to authenticate. A command line tool allows to query or purge the
databases used by the pam_abl module.

Comment 5 Daniel Walsh 2010-08-11 13:09:47 UTC
I know what it is, but I am not sure it belongs in that file, since this is read by cron and policykit.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.8.8-12.fc14

Comment 6 Nicolas Mailhot 2010-08-11 16:43:41 UTC
(In reply to comment #5)
> I know what it is, but I am not sure it belongs in that file, since this is
> read by cron and policykit.

The way I understand it, the main value of pam_abl (as opposed to a protocol-specific wrapper such as deny host) is to protect against any brute-force password cracking attempt at the pam database, regardless of how many layers of software indirections are used before hitting pam. 

But them I am not a professional security expert like you, so I would welcome your thoughts on where pam_abl should better plug.

I realise that the main drawback of this approach is the possibility of DOS. On my system a DOS is preferable to an intrusion.

Comment 7 Daniel Walsh 2010-08-13 16:08:16 UTC
Ok I guess you are right.  I see it more useful for network facing login programs like sshd, but I guess if you are worried about someone trying to brute force policykit.

Comment 8 Fedora Update System 2010-08-13 20:29:09 UTC
selinux-policy-3.8.8-14.fc14 has been submitted as an update for Fedora 14.

Comment 9 Nicolas Mailhot 2010-08-18 20:24:59 UTC
Still there with selinux-policy-3.8.8-16.fc14

Comment 10 Daniel Walsh 2010-08-23 17:24:39 UTC
Oops your right, I added the access to policykit_t instead of policykit_auth_t.

Fixed in selinux-policy-3.8.8-18.fc14

Comment 11 Fedora Update System 2010-08-24 01:48:30 UTC
selinux-policy-3.8.8-14.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.