From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to address USER_AUTH PAM authentication failure?
Date: Thu, 11 Mar 2010 08:24:11 -0500
Message-ID: <4B98EEFB.9050206@redhat.com>
In-Reply-To: <BAY111-W325D1D6F88FCF329790CD6AB320@phx.gbl>

On 03/10/2010 10:15 PM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thank you for reading my email. I am trying to write a SELinux pp for
> the vlock program (Virtual Console Locking program); so far I get no
> more AVC denied messages in permissive mode and only one USER_AUTH
> failure message in Enforcing mode. What interface should I have added
> for the vlock_t domain?
>
> [root/sysadm_r/s0 at cp3020 ~]# date +%T
> 23:24:07
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> [root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p
> -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
> Password:
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> [root/sysadm_r/s0 at cp3020 ~]#
>
> As you can see, in Enforcing mode the vlock just exits silently. If in
> permissive mode, the vlock program could be run successfully like below:
>
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> *** This tty is not a VC (virtual console). ***
> *** It may not be securely locked. ***
>
> This TTY is now locked.
> Please enter the password to unlock.
> root's Password:
> [root/sysadm_r/s0 at cp3020 ~]#
>
> So the problem must be rooted in my vlock.pp; the .te file is attached
> at the bottom. How should I address the above USER_AUTH failure?
> Thanks again!
>
> Best regards,
> Harry
>
>
> ----------
>
>
> policy_module(vlock, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type vlock_t;
> type vlock_exec_t;
> application_domain(vlock_t,vlock_exec_t)
>
>
> ########################################
> #
> # Vlock local policy
> #
>
> allow vlock_t self:fd use;
> allow vlock_t self:fifo_file rw_fifo_file_perms;
> allow vlock_t self:unix_dgram_socket { create connect };
> allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>
> kernel_read_system_state(vlock_t)
>
> corecmd_list_bin(vlock_t)
> corecmd_read_bin_symlinks(vlock_t)
>
> files_read_etc_files(vlock_t)
> files_read_var_files(vlock_t)
> files_read_var_symlinks(vlock_t)
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
>
> auth_domtrans_chk_passwd(vlock_t)
>
> miscfiles_read_localization(vlock_t)
>
> logging_send_syslog_msg(vlock_t)
>
> selinux_getattr_fs(vlock_t)
>
>
semodule -DB

Will turn off the dontaudit rules. From the error it looks like you have
a problem accessing the terminal.

ls -lZ `tty`
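Added example, not code from this thread, from vlock or from refpolicy: a small Python triage script that parses the audit records quoted above and checks whether a PAM failure from a given domain is accompanied by AVC denials from the same pid. Finding none, as in Harry's output, is exactly the situation the `semodule -DB` advice addresses, since a dontaudit rule may be hiding the denial. The two USER_AUTH records are transcribed from the post; the AVC line is constructed to show what a terminal denial would look like once dontaudit rules are off, and its target type, path and inode are assumptions, not observed output.

```python
# Added example for this thread: triage audit records around a PAM failure.
# Not code from the original post, vlock or refpolicy. The USER_AUTH records
# are transcribed from Harry's mail; the AVC record is CONSTRUCTED to show a
# terminal denial as it would appear after 'semodule -DB' (assumed target
# type user_devpts_t, path /dev/pts/1 and inode are illustrative only).
import re

HEADER = re.compile(
    r"type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs: double-quoted, single-quoted, or bare (stops at space, comma, paren)
KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|[^\s,)]+)""")
PERMS = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

POST_RECORDS = [
    'type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 '
    'subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg=\'op=PAM:authentication acct="root" '
    'exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)\'',
    'type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 '
    'subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg=\'op=PAM:authentication acct="root" '
    'exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)\'',
]
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1268263494.638:13154): avc:  denied  { read write } for  pid=3758 '
    'comm="vlock" path="/dev/pts/1" dev=devpts ino=4 '
    'scontext=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 '
    'tcontext=staff_u:object_r:user_devpts_t:s0 tclass=chr_file'
)


def parse_record(line):
    """Turn one audit record into a flat dict; return None for non-records."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in KV.findall(m["body"]):
        rec[key] = val.strip("'\"")
    # PAM records nest 'op=... res=failed' inside msg='...'; flatten those too
    if "msg" in rec:
        for key, val in KV.findall(rec["msg"]):
            rec.setdefault(key, val.strip("'\""))
    if rec["type"] == "AVC":
        p = PERMS.search(m["body"])
        rec["perms"] = tuple(p.group(1).split()) if p else ()
    return rec


def triage(lines, domain):
    """Pair PAM failures from `domain` with AVC denials raised by the same pid."""
    recs = [r for r in map(parse_record, lines) if r]
    tag = ":%s:" % domain
    failures = [r for r in recs
                if r["type"] == "USER_AUTH" and r.get("res") == "failed"
                and tag in r.get("subj", "")]
    denials = [r for r in recs
               if r["type"] == "AVC" and tag in r.get("scontext", "")]
    pids = {r.get("pid") for r in failures}
    related = [(r["tclass"], r["perms"], r["tcontext"])
               for r in denials if r.get("pid") in pids]
    if failures and not related:
        hint = ("PAM failed with no AVC from %s: the denial is probably covered by a "
                "dontaudit rule; run 'semodule -DB', reproduce, then 'ls -lZ $(tty)'"
                % domain)
    elif related:
        hint = "feed the denials to audit2allow -R to find the refpolicy interface"
    else:
        hint = "no PAM failures for %s in this window" % domain
    return {"auth_failures": len(failures), "related_denials": related, "hint": hint}


if __name__ == "__main__":
    print(triage(POST_RECORDS, "vlock_t")["hint"])
    print(triage([CONSTRUCTED_AVC] + POST_RECORDS, "vlock_t")["related_denials"])
```

Run it against `ausearch -i`-free raw output (the `--raw` form, since the parser expects unresolved `msg=audit(...)` headers); the `ls -lZ $(tty)` step then tells you which terminal type the denial names, so you can pick the matching `term_use_*` interface instead of guessing.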


Thread overview:
2010-03-11  3:15 [refpolicy] How to address USER_AUTH PAM authentication failure? TaurusHarry
2010-03-11 13:24 ` Daniel J Walsh [this message]
2010-03-12  3:24   ` TaurusHarry
2010-03-12 13:22     ` Daniel J Walsh
2010-03-15  3:01       ` [refpolicy] How to address USER_AUTH PAM authentication failure? - Problem solved TaurusHarry
