* Oddness with password aging and related..
@ 2004-04-16 23:08 Valdis.Kletnieks
2004-04-23 17:46 ` Daniel J Walsh
From: Valdis.Kletnieks @ 2004-04-16 23:08 UTC (permalink / raw)
To: SELinux
Running a Fedora Core 2-test2 patched up with the -devel tree as of
this morning (in particular, Fedora rpm policy-1.11.2-8), in enforcing mode.
Did the following:
1) useradd a test user.
2) passwd testuser and assign a password
3) chage -d 0 testuser to force a password change at login.
On attempting to login at a virtual console or ssh session, it prompts for the
userid/password, and then:
% ssh -l testuser orange
testuser@orange's password:
Authentication successful.
You are required to change your password immediately (root enforced)
Your password has expired, the session cannot proceed.
Apr 16 17:59:42 orange kernel: audit(1082152782.796:0): avc: denied { getattr } for pid=879 exe=/bin/login path=/usr/lib/cracklib_dict.pwd dev=dm-3 ino=250121 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:crack_db_t tclass=file
GDM does something similar:
Apr 16 18:00:13 orange kernel: audit(1082152813.521:0): avc: denied { getattr } for pid=918 exe=/usr/bin/gdm-binary path=/usr/lib/cracklib_dict.pwd dev=dm-3 ino=250121 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:crack_db_t tclass=file
relevant(?) lines in /etc/pam.d/system-auth:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=5
password required /lib/security/$ISA/pam_deny.so
Any suggestions/patches? (even a "Fedora is behind, it's fixed in the version
on the nsa site" would be fine. ;)
* Re: Oddness with password aging and related..
From: Daniel J Walsh @ 2004-04-23 17:46 UTC (permalink / raw)
To: Valdis.Kletnieks; +Cc: SELinux
The following patches have been added to Fedora Policy
--- policy-1.11.2/domains/program/unused/xdm.te.20040423
2004-04-23 09:51:22.000000000 -0400
+++ policy-1.11.2/domains/program/unused/xdm.te 2004-04-23
13:44:39.415634000 -0400
@@ -314,3 +314,4 @@
# VNC v4 module in X server
type vnc_port_t, port_type;
allow xdm_xserver_t vnc_port_t:tcp_socket name_bind;
+allow xdm_t crack_db_t:file { getattr read };
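Review bot: the new allow is appended under the "# VNC v4 module in X server" comment, which has nothing to do with cracklib, so the next reader will take it for part of the VNC port rules; move it next to the other xdm_t password/PAM rules or give it its own comment, e.g. `# pam_cracklib stats and reads the dictionary during a forced password change`. Granting { getattr read } rather than only the denied getattr is the right call, since cracklib opens and reads the dictionary as soon as the stat succeeds, and keeping it read-only means xdm_t still cannot modify anything labelled crack_db_t.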
--- policy-1.11.2/domains/program/login.te.20040423 2004-04-23
09:51:22.000000000 -0400
+++ policy-1.11.2/domains/program/login.te 2004-04-23
13:44:08.306363328 -0400
@@ -88,6 +88,8 @@
allow xdm_t $1_login_t:process { signull };
')
+allow $1_login_t crack_db_t:file { getattr read };
+
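Review bot: the rule is inserted right after the `')` that closes the preceding ifdef block; confirm it is still inside the macro body in which `$1` is defined, otherwise `$1_login_t` will not expand and the policy build will fail. Assuming the macro is instantiated for the local and remote login domains, this covers the /bin/login (local_login_t) denial in the report, but the ssh failure in the same report has no AVC line attached; it is worth checking that the ssh password change actually runs in a `$1_login_t` domain rather than in sshd_t, which this patch leaves untouched.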
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
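As an added example (not code from either message or from the Fedora policy tree), the script below does what a reviewer of this thread would do by hand: parse the two AVC denials quoted in the report, collapse them into TE allow rules the way audit2allow would, and then check whether the two rules from Dan Walsh's patch cover them. The audit lines are copied from the report as constructed sample input; the assumption that login.te instantiates its macro for "local" and "remote" (so that `$1_login_t` expands to local_login_t and remote_login_t) is mine and is marked in the code.

```python
import re
from dataclasses import dataclass

# Sample input: the two AVC lines quoted in the report, copied here verbatim.
SAMPLE_AUDIT = """\
Apr 16 17:59:42 orange kernel: audit(1082152782.796:0): avc: denied { getattr } for pid=879 exe=/bin/login path=/usr/lib/cracklib_dict.pwd dev=dm-3 ino=250121 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:crack_db_t tclass=file
Apr 16 18:00:13 orange kernel: audit(1082152813.521:0): avc: denied { getattr } for pid=918 exe=/usr/bin/gdm-binary path=/usr/lib/cracklib_dict.pwd dev=dm-3 ino=250121 scontext=system_u:system_r:xdm_t tcontext=system_u:object_r:crack_db_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
ALLOW_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]+?)\s*\}\s*;")


@dataclass(frozen=True)
class Denial:
    perms: frozenset     # permissions listed inside { ... }
    sdomain: str         # type component of scontext
    ttype: str           # type component of tcontext
    tclass: str
    exe: str
    path: str


def parse_avc(line):
    """Parse one kernel AVC denial line; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return Denial(
        perms=frozenset(m.group("perms").split()),
        sdomain=fields["scontext"].split(":")[2],
        ttype=fields["tcontext"].split(":")[2],
        tclass=fields["tclass"],
        exe=fields.get("exe", ""),
        path=fields.get("path", ""),
    )


def parse_audit(text):
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d]


def allow_rules(denials):
    """Collapse denials into TE allow rules, merging perms per (source, target, class)."""
    merged = {}
    for d in denials:
        key = (d.sdomain, d.ttype, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def parse_allow(rule):
    m = ALLOW_RE.match(rule.strip())
    if not m:
        raise ValueError("not a TE allow rule: %r" % rule)
    return m.group(1), m.group(2), m.group(3), frozenset(m.group(4).split())


def rule_covers(rule, denial, macro_args=()):
    """True if a TE allow rule (possibly using an m4 $1 placeholder) grants the denied access."""
    src, tgt, cls, perms = parse_allow(rule)
    sources = {src.replace("$1", a) for a in macro_args} if "$1" in src else {src}
    return (denial.sdomain in sources and denial.ttype == tgt
            and denial.tclass == cls and denial.perms <= perms)


# The two rules added by the patch in this thread.
PATCH_RULES = [
    "allow xdm_t crack_db_t:file { getattr read };",
    "allow $1_login_t crack_db_t:file { getattr read };",
]

# Assumption (not stated on the page): login.te instantiates its macro for
# "local" and "remote", so $1_login_t covers local_login_t and remote_login_t.
LOGIN_MACRO_ARGS = ("local", "remote")


def uncovered(denials, rules, macro_args=LOGIN_MACRO_ARGS):
    """Denials that none of the given rules would allow."""
    return [d for d in denials if not any(rule_covers(r, d, macro_args) for r in rules)]


if __name__ == "__main__":
    denials = parse_audit(SAMPLE_AUDIT)
    print("\n".join(allow_rules(denials)))
    for d in uncovered(denials, PATCH_RULES):
        print("still denied: %s -> %s:%s %s" % (d.sdomain, d.ttype, d.tclass, sorted(d.perms)))
```

Note that the generated rules only list getattr, because that is all the audit log shows: the AVC stops at the first denied permission, and the read that would follow a successful stat never gets logged. That is why the patch's { getattr read } is the sensible grant. A denial from sshd_t, had one appeared in the report, would be reported by `uncovered` since neither patch rule names that domain.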