745208 – 389-ds-base: PAM Pass through authentication fails when selinux mode is in "Enforcing".

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 745208 - 389-ds-base: PAM Pass through authentication fails when selinux mode is in "Enforcing".

Summary: 389-ds-base: PAM Pass through authentication fails when selinux mode is in "E...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.1
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-10-11 16:40 UTC by Sankar Ramalingam
Modified:	2011-12-06 10:19 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-3.7.19-116.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-12-06 10:19:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2011:1511	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2011-12-06 00:39:17 UTC

Description Sankar Ramalingam 2011-10-11 16:40:24 UTC

Description of problem: 
           PAM Pass through authentication fails when the selinux mode is in "Enforcing". This issue is observed when 389-ds-base packages installed on a RHEL6.1 machines.

Version-Release number of selected component (if applicable): DS9.0

How reproducible: Consistently.


Steps to Reproduce:
1. Install 389-ds-base package and create a slapd instance using setup-ds.pl script.
2. Configure PAM Pass through plug-in.

/usr/bin/ldapmodify -x -h $HOST -p $PORT -D "cn=Directory Manager" -w $DMGR_PWD << EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
replace: pamSecure
pamSecure: FALSE
-
replace: pamIDMapMethod
pamIDMapMethod: RDN
EOF
3. Create a local system user as "pamtestuser" using useradd command.
4. Create an LDAP user as "uid=pamtestuser,dc=example,dc=com" using ldapadd.
5. Make sure selinux mode is in "Enforcing"
6. Run an ldapsearch to bind the user - "uid=pamtestuser,dc=example,dc=com".

Actual results:
 
/usr/bin/ldapsearch -x -h $HOST -p $PORT -D "uid=pamtestuser,dc=example,dc=com" -w $USR_PWD -b "uid=pamtestuser,dc=example,dc=com" objectclass=*

ldap_simple_bind: Operations error
ldap_simple_bind: additional info: Unknown PAM error [System error] for user id [pamtestuser], bind DN [uid=pamtestuser,dc=example,dc=com]

Expected results: LDAP search should succeed for the PAM Authentication irrespective of selinux policies.

Additional info: observed the following messages in the audit logs.

type=AVC msg=audit(1318331411.299:6847): avc:  denied  { search } for  pid=15840 comm="ns-slapd" name="dbus" dev=dm-0 ino=655211 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1318331411.299:6847): arch=c000003e syscall=42 success=no exit=-13 a0=1b a1=7f3fb8df30e0 a2=21 a3=0 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331411.300:6848): avc:  denied  { search } for  pid=15840 comm="ns-slapd" name="dbus" dev=dm-0 ino=655211 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1318331411.300:6848): arch=c000003e syscall=42 success=no exit=-13 a0=1b a1=7f3fb8df3120 a2=21 a3=0 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331411.313:6849): avc:  denied  { execute } for  pid=16098 comm="ns-slapd" name="unix_chkpwd" dev=dm-0 ino=534541 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1318331411.313:6849): arch=c000003e syscall=59 success=no exit=-13 a0=7f3fcc09dc98 a1=7f3fb8df33b0 a2=7f3fcc2a4368 a3=7 items=0 ppid=15818 pid=16098 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331411.326:6850): avc:  denied  { execute } for  pid=16099 comm="ns-slapd" name="unix_chkpwd" dev=dm-0 ino=534541 scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1318331411.326:6850): arch=c000003e syscall=59 success=no exit=-13 a0=7f3fcc09dc98 a1=7f3fb8df3340 a2=7f3fcc2a4368 a3=7 items=0 ppid=15818 pid=16099 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331413.788:6851): avc:  denied  { create } for  pid=15840 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1318331413.788:6851): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=0 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)
type=AVC msg=audit(1318331413.797:6852): avc:  denied  { create } for  pid=15840 comm="ns-slapd" scontext=unconfined_u:system_r:dirsrv_t:s0 tcontext=unconfined_u:system_r:dirsrv_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1318331413.797:6852): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=9 a3=7f3fa00000f8 items=0 ppid=1 pid=15840 auid=0 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=872 comm="ns-slapd" exe="/usr/sbin/ns-slapd" subj=unconfined_u:system_r:dirsrv_t:s0 key=(null)

Comment 1 Nathan Kinder 2011-10-11 17:36:02 UTC

This is happening because ns-slapd calls into PAM.  At a minimum, I would guess we need the following policy:

auth_use_pam(dirsrv_t)

Sankar - I would like to get access to your test system so I can build a custom policy module that adds the above rule.  We can then see if it clears up all of the AVCs that you are seeing so we know what the proper fix is.

Comment 2 Nathan Kinder 2011-10-11 19:52:24 UTC

I tested a custom policy module with only the rule from comment#1, and it seems to take care of all of the AVCs that occur when using the RHDS PAM Pass-through plug-in.  We should get the dirsrv policy updated with this additional rule/macro.

Comment 3 Miroslav Grepl 2011-10-12 18:16:05 UTC

Fixed in selinux-policy-3.7.19-116.el6

Comment 4 Miroslav Grepl 2011-10-13 08:08:54 UTC

Could we get QA ack?

Comment 9 Sankar Ramalingam 2011-11-09 15:48:39 UTC

/usr/lib64/mozldap/ldapsearch -h localhost -D "uid=staticua,ou=People,dc=pamexample,dc=com" -w "dbyers1" -p 39641 -s base -b "uid=staticua,ou=People,dc=pamexample,dc=com" objectclass=* 
version: 1
dn: uid=staticua,ou=People,dc=pamexample,dc=com
cn: Test user
sn: Astaticua
givenName: Fstaticua
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: usera475
uid: staticua
mail: usera
telephoneNumber: +1 408 555 9133
facsimileTelephoneNumber: +1 408 555 8433
roomNumber: 8217
manager: uid=dmiller,ou=People,dc=pamexample,dc=com
[root@weelie ~]# getenforce 
Enforcing


Hence this bug can be marked as verified.

Comment 10 errata-xmlrpc 2011-12-06 10:19:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html

Note You need to log in before you can comment on or make changes to this bug.