PAM security transitions

PAM security transitions

[Vikram Ambrose]

I've been messing around with various modules and installations and I've 
come across a strange PAM problem. Without any SELinux support in 
pam.d/login, root's shell gets system_r:local_login_t

But then using: pam_selinux.so close/open, root's shell gets 
root:staff_r:system_chkpwd_t

I have another installation with the same pam config, but it gets the 
correct root:sysadm_r:sysadm_t context. This system uses a different policy.

Trying to debug this. Any ideas why one of my boxes gets the wrong 
domain after login?

Vikram

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM security transitions

[Russell Coker]

On Saturday 23 August 2008 06:29, Vikram Ambrose 
<Vikram.Ambrose@windriver.com> wrote:
> I've been messing around with various modules and installations and I've
> come across a strange PAM problem. Without any SELinux support in
> pam.d/login, root's shell gets system_r:local_login_t

Yes, ages ago it was decided not to maintain patches for the various terminal 
login programs and to instead use a PAM module.

> But then using: pam_selinux.so close/open, root's shell gets
> root:staff_r:system_chkpwd_t

I think that was a policy bug, it's fixed if you use all the latest versions.

What version of the policy is running on the machines in question?

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM security transitions

[Stephen Smalley]

On Fri, 2008-08-22 at 16:29 -0400, Vikram Ambrose wrote:
> I've been messing around with various modules and installations and I've 
> come across a strange PAM problem. Without any SELinux support in 
> pam.d/login, root's shell gets system_r:local_login_t

Yes, we stopped patching login directly a long time ago, and thus use of
pam_selinux is required to get login session contexts set properly.

> But then using: pam_selinux.so close/open, root's shell gets 
> root:staff_r:system_chkpwd_t
> 
> I have another installation with the same pam config, but it gets the 
> correct root:sysadm_r:sysadm_t context. This system uses a different policy.
> 
> Trying to debug this. Any ideas why one of my boxes gets the wrong 
> domain after login?

Based on your own description, it is presumably a bug in the policy on
that system.  pam_selinux should map the Linux user to a SELinux user
via the seusers mapping, then ask the kernel for a list of reachable
security contexts for that SELinux user from the calling context (e.g.
system_u:system_r:local_login_t), then order that list based on the
default_contexts file's entry for the calling context.

libselinux/utils/getdefaultcon will let you exercise much the same
logic, e.g.
	getdefaultcon vikram system_u:system_r:local_login_t

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM security transitions

[Vikram Ambrose]

Russell Coker wrote:
> On Saturday 23 August 2008 06:29, Vikram Ambrose 
> <Vikram.Ambrose@windriver.com> wrote:
>   
>> I've been messing around with various modules and installations and I've
>> come across a strange PAM problem. Without any SELinux support in
>> pam.d/login, root's shell gets system_r:local_login_t
>>     
>
> Yes, ages ago it was decided not to maintain patches for the various terminal 
> login programs and to instead use a PAM module.
>
>   
>> But then using: pam_selinux.so close/open, root's shell gets
>> root:staff_r:system_chkpwd_t
>>     
>
> I think that was a policy bug, it's fixed if you use all the latest versions.
>
> What version of the policy is running on the machines in question?
>
>   
Strange, that box is running the latest. Refpolicy svn-2787 and Selinux 
svn-2950

Could you tell me a little more about that bug, and how it came about?

Vikram

-- 
Vikram Ambrose | Linux Products Division | WindRiver Corporation


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PAM security transitions

[Daniel J Walsh]

Stephen Smalley wrote:
> On Fri, 2008-08-22 at 16:29 -0400, Vikram Ambrose wrote:
>> I've been messing around with various modules and installations and I've 
>> come across a strange PAM problem. Without any SELinux support in 
>> pam.d/login, root's shell gets system_r:local_login_t
> 
> Yes, we stopped patching login directly a long time ago, and thus use of
> pam_selinux is required to get login session contexts set properly.
> 
>> But then using: pam_selinux.so close/open, root's shell gets 
>> root:staff_r:system_chkpwd_t
>>
>> I have another installation with the same pam config, but it gets the 
>> correct root:sysadm_r:sysadm_t context. This system uses a different policy.
>>
>> Trying to debug this. Any ideas why one of my boxes gets the wrong 
>> domain after login?
> 
> Based on your own description, it is presumably a bug in the policy on
> that system.  pam_selinux should map the Linux user to a SELinux user
> via the seusers mapping, then ask the kernel for a list of reachable
> security contexts for that SELinux user from the calling context (e.g.
> system_u:system_r:local_login_t), then order that list based on the
> default_contexts file's entry for the calling context.
> 
> libselinux/utils/getdefaultcon will let you exercise much the same
> logic, e.g.
> 	getdefaultcon vikram system_u:system_r:local_login_t
> 
This often happens if  /etc/selinux/POLICYTYPE/contexts/default_contexts
 and /etc/selinux/POLICYTYPE/context/users/SELINUXUSER_U do not map to
any possible value.

The service will just choose the first context it can transition to

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.