From mboxrd@z Thu Jan 1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 11 Mar 2010 08:24:11 -0500
Subject: [refpolicy] How to address USER_AUTH PAM authentication failure?
In-Reply-To:
References:
Message-ID: <4B98EEFB.9050206@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/10/2010 10:15 PM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thank you for reading my email. I am trying to write a SELinux pp for
> the vlock program (Virtual Console Locking program). So far I get no
> more AVC denied messages in permissive mode and only one USER_AUTH
> failure message in Enforcing mode. What interface should I have added
> for the vlock_t domain?
>
> [root/sysadm_r/s0 at cp3020 ~]# date +%T
> 23:24:07
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> [root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
> Password:
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
> [root/sysadm_r/s0 at cp3020 ~]#
>
> As you can see, in Enforcing mode the vlock just exits silently. If in
> permissive mode, the vlock program could be run successfully like below:
>
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> *** This tty is not a VC (virtual console). ***
> *** It may not be securely locked. ***
>
> This TTY is now locked.
> Please enter the password to unlock.
> root's Password:
> [root/sysadm_r/s0 at cp3020 ~]#
>
> So the problem must be rooted in my vlock.pp. The .te file is attached
> at the bottom. How should I address the above USER_AUTH failure?
> Thanks again!
>
> Best regards,
> Harry
>
> ----------
>
> policy_module(vlock, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type vlock_t;
> type vlock_exec_t;
> application_domain(vlock_t, vlock_exec_t)
>
> ########################################
> #
> # Vlock local policy
> #
>
> allow vlock_t self:fd use;
> allow vlock_t self:fifo_file rw_fifo_file_perms;
> # datagram socket to /dev/log, used by logging_send_syslog_msg() below
> allow vlock_t self:unix_dgram_socket { create connect };
> # PAM writes its USER_AUTH records through the netlink audit socket
> allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>
> kernel_read_system_state(vlock_t)
>
> corecmd_list_bin(vlock_t)
> corecmd_read_bin_symlinks(vlock_t)
>
> files_read_etc_files(vlock_t)
> files_read_var_files(vlock_t)
> files_read_var_symlinks(vlock_t)
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
>
> # the password itself is verified in the chkpwd domain via a domain transition
> auth_domtrans_chk_passwd(vlock_t)
>
> miscfiles_read_localization(vlock_t)
>
> logging_send_syslog_msg(vlock_t)
>
> selinux_getattr_fs(vlock_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

semodule -DB

Will turn off the dontaudit rules.

From the error it looks like you have a problem accessing the terminal.

ls -lZ `tty`
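Dan's reply boils down to a two-step procedure: rebuild the policy with dontaudit rules disabled so that any hidden denial becomes visible, then inspect the audit records and the terminal's context. The following POSIX shell script is an added example, not code from the thread, from Harry's module or from refpolicy. The function names (audit_field, auth_domain, auth_summary, pam_failed, rerun_without_dontaudit) are my own, and the sample record is constructed from the first USER_AUTH line Harry posted. The parsing helpers run offline; rerun_without_dontaudit needs root and a live SELinux system and is only defined, not invoked.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for the debugging Dan suggests.
# 1. Pull the interesting fields out of a USER_AUTH audit record.
# 2. Repeat a failing command with dontaudit rules disabled and collect the
#    AVC and USER_AUTH records for the domain under test.

# Constructed sample: Harry's first USER_AUTH record, joined onto one line
# the way audit.log stores it.
SAMPLE_RECORD='type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='"'"'op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'"'"''

# audit_field RECORD KEY: print the value of KEY=... in RECORD with any
# surrounding double quotes removed. The key must be preceded by a space
# or "(", so asking for "uid" does not match inside "auid=".
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" )]*\)\"\{0,1\}.*/\1/p"
}

# auth_domain RECORD: the SELinux type of the subject (third field of subj=).
auth_domain() {
    audit_field "$1" subj | cut -d: -f3
}

# auth_summary RECORD: one line "DOMAIN EXE RESULT",
# e.g. "vlock_t /usr/bin/vlock failed" for the sample record.
auth_summary() {
    printf '%s %s %s\n' "$(auth_domain "$1")" "$(audit_field "$1" exe)" "$(audit_field "$1" res)"
}

# pam_failed RECORD: succeed (exit 0) when the PAM result is "failed".
pam_failed() {
    [ "$(audit_field "$1" res)" = failed ]
}

# rerun_without_dontaudit DOMAIN CMD...: the procedure from Dan's reply.
# Rebuild the policy with dontaudit rules disabled (semodule -DB), note the
# time, run the command, list every AVC and USER_AUTH record whose subject
# context matches DOMAIN since then, and restore the dontaudit rules
# (semodule -B). Needs root; intentionally not called in this script.
rerun_without_dontaudit() {
    domain=$1; shift
    semodule -DB || return 1
    start=$(date +%T)
    "$@"
    ausearch -m avc,user_auth -ts "$start" -se "$domain"
    semodule -B
}

# Demonstration on the constructed record.
auth_summary "$SAMPLE_RECORD"
if pam_failed "$SAMPLE_RECORD"; then
    echo "PAM authentication failed in $(auth_domain "$SAMPLE_RECORD"); check the terminal context with: ls -lZ \"\$(tty)\""
fi
```

On a real system the call would look like `rerun_without_dontaudit vlock_t vlock`; the point of disabling dontaudit first is that a denial on the terminal device (the thing Dan suspects) may be silenced by a dontaudit rule in the base policy and never reach the log while the USER_AUTH failure does.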