* [refpolicy] How to address USER_AUTH PAM authentication failure?
From: TaurusHarry @ 2010-03-11 3:15 UTC
To: refpolicy
Hi SELinux experts,

Thank you for reading my email. I am trying to write a SELinux pp for the vlock program (Virtual Console Locking program). So far I get no more AVC denied messages in permissive mode and only one USER_AUTH failure message in Enforcing mode; what interface should I have added for the vlock_t domain?
[root/sysadm_r/s0 at cp3020 ~]# date +%T
23:24:07
[root/sysadm_r/s0 at cp3020 ~]# vlock
[root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
Password:
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
[root/sysadm_r/s0 at cp3020 ~]#
As you can see, in Enforcing mode vlock just exits silently. In permissive mode, the vlock program runs successfully, as below:
[root/sysadm_r/s0 at cp3020 ~]# vlock
*** This tty is not a VC (virtual console). ***
*** It may not be securely locked. ***
This TTY is now locked.
Please enter the password to unlock.
root's Password:
[root/sysadm_r/s0 at cp3020 ~]#
So the problem must be rooted in my vlock.pp; the .te file is attached at the bottom. How should I address the above USER_AUTH failure?
Thanks again!
Best regards,
Harry
----------
policy_module(vlock, 1.0.0)

########################################
#
# Declarations
#

type vlock_t;
type vlock_exec_t;
application_domain(vlock_t,vlock_exec_t)

########################################
#
# Vlock local policy
#

allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
allow vlock_t self:unix_dgram_socket { create connect };
# PAM writes its USER_AUTH records through the audit netlink socket
allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

kernel_read_system_state(vlock_t)

corecmd_list_bin(vlock_t)
corecmd_read_bin_symlinks(vlock_t)

files_read_etc_files(vlock_t)
files_read_var_files(vlock_t)
files_read_var_symlinks(vlock_t)

term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)

# the password check itself is delegated to the chkpwd helper domain
auth_domtrans_chk_passwd(vlock_t)

miscfiles_read_localization(vlock_t)

logging_send_syslog_msg(vlock_t)

selinux_getattr_fs(vlock_t)
* [refpolicy] How to address USER_AUTH PAM authentication failure?
From: Daniel J Walsh @ 2010-03-11 13:24 UTC
To: refpolicy

On 03/10/2010 10:15 PM, TaurusHarry wrote:
> [...]

semodule -DB

Will turn off the dontaudit rules. From the error it looks like you have a problem accessing the terminal.

ls -lZ `tty`
* [refpolicy] How to address USER_AUTH PAM authentication failure?
From: TaurusHarry @ 2010-03-12 3:24 UTC
To: refpolicy

> Date: Thu, 11 Mar 2010 08:24:11 -0500
> From: dwalsh@redhat.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?
>
> On 03/10/2010 10:15 PM, TaurusHarry wrote:
> > [...]
>
> semodule -DB
>
> Will turn off the dontaudit rules. From the error it looks like you have a problem accessing the terminal.
>
> ls -lZ `tty`

Many thanks Daniel. Then I added the call to the userdom_use_user_terminals() interface for the vlock_t domain and verified that vlock_t has enough access rights on the tty device:

[root/secadm_r/s0 at cp3020 ~]# ls -Z `tty`
crw--w---- harry tty staff_u:object_r:user_devpts_t:s0 /dev/pts/0
[root/secadm_r/s0 at cp3020 ~]# sesearch -SCA -s vlock_t -t user_devpts_t
Found 1 semantic av rules:
allow vlock_t user_devpts_t : chr_file { ioctl read write getattr open } ;
[root/secadm_r/s0 at cp3020 ~]#

However, unfortunately, I still get the following USER_AUTH message with "terminal=?":

type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'

So far I have called the following three terminal-related interfaces for vlock_t:

term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)
userdom_use_user_terminals(vlock_t)

What else could I have missed? From the log of some other program such as run_init_t, I can see its USER_AUTH message is a success with terminal=pts/1, and only the userdom_use_user_terminals() interface has been called for run_init_t; I really don't get why this same interface won't work for vlock_t.

BTW, I have tried semodule -DB, but there are no other AVC denied messages in permissive mode, and I could only get the above one USER_AUTH message in enforcing mode, so it seems I have to get over this USER_AUTH failure before I can move on to something else.

Thanks again!
Harry
* [refpolicy] How to address USER_AUTH PAM authentication failure?
From: Daniel J Walsh @ 2010-03-12 13:22 UTC
To: refpolicy

On 03/11/2010 10:24 PM, TaurusHarry wrote:
> [...]
>
> However, unfortunately, I still get the following USER_AUTH message with "terminal=?":
>
> [...]

USER_AUTH is not an SELinux error message. It indicates that for whatever reason your PAM session failed.

type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'

'op=PAM:authentication acct="root" exe="/usr/bin/vlock" res=failed

If this only happens in Enforcing mode then it could be an SELinux issue, but if it happens in permissive, you most likely have a different problem.
* [refpolicy] How to address USER_AUTH PAM authentication failure? - Problem solved
From: TaurusHarry @ 2010-03-15 3:01 UTC
To: refpolicy

> Date: Fri, 12 Mar 2010 08:22:22 -0500
> From: dwalsh@redhat.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?
>
> On 03/11/2010 10:24 PM, TaurusHarry wrote:
> > [...]
>
> USER_AUTH is not an SELinux error message. It indicates that for whatever reason your PAM session failed.
>
> [...]
>
> If this only happens in Enforcing mode then it could be an SELinux issue, but if it happens in permissive, you most likely have a different problem.

---------------------------------

Hi Daniel,

Yeah, this problem exists only in Enforcing mode; in permissive mode everything is fine, but there are no helpful denied messages. Later I borrowed some interfaces called for newrole_t and run_init_t and finally found that once I applied the interface domain_use_interactive_fds() for my vlock_t, vlock could work fine, with the success message below:

time->Sun Mar 14 23:34:01 2010
type=CRED_REFR msg=audit(1268609641.096:831): user pid=2863 uid=0 auid=1000 ses=2 subj=staff_u:secadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:setcred acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=pts/0 res=success)'

I don't have a deep understanding of the role this interface plays for the called domain so far, but it did resolve my problem.

Thanks for all your suggestions!

Best regards,
Harry
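The "terminal=?" clue and Daniel's enforcing-versus-permissive rule are what carried this thread, so here is an added Python triage helper (not from the thread, refpolicy or vlock) that parses the PAM audit records quoted above and applies both rules to them. It assumes only the record layout shown in the thread; the verdict strings and the helper names are mine.

```python
import re
from typing import Dict, List

# Records quoted in the thread above (two failures before the fix, the CRED_REFR
# success after domain_use_interactive_fds() was added); nothing here reads auditd.
SAMPLE_RECORDS: List[str] = [
    "type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 "
    "subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct=\"root\" "
    "exe=\"/usr/bin/vlock\" (hostname=?, addr=?, terminal=? res=failed)'",
    "type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 "
    "subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct=\"root\" "
    "exe=\"/usr/bin/vlock\" (hostname=?, addr=?, terminal=? res=failed)'",
    "type=CRED_REFR msg=audit(1268609641.096:831): user pid=2863 uid=0 auid=1000 ses=2 "
    "subj=staff_u:secadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:setcred acct=\"root\" "
    "exe=\"/usr/bin/vlock\" (hostname=?, addr=?, terminal=pts/0 res=success)'",
]

_HEAD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
_OUTER_KV = re.compile(r"(\w+)=(\S+)")
# Values inside msg='...' are double-quoted or run up to whitespace, ',' or ')'.
_INNER_KV = re.compile(r'(\w+)=("[^"]*"|[^\s,)]+)')


def parse_record(line: str) -> Dict[str, str]:
    """Flatten one user-space audit record into a dict of its fields.

    The msg='...' sub-record written by PAM is parsed on its own because its
    values sit inside parentheses and may be quoted. The SELinux type of the
    subject (third field of subj=) is exposed as 'domain'.
    """
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    outer, _, inner = m.group(4).partition(" msg='")
    rec.update(_OUTER_KV.findall(outer))
    for key, val in _INNER_KV.findall(inner.rstrip("'")):
        rec[key] = val.strip('"')
    parts = rec.get("subj", "").split(":")
    rec["domain"] = parts[2] if len(parts) > 2 else ""
    return rec


def triage(rec: Dict[str, str]) -> str:
    """Say what a PAM record from a confined domain most likely means.

    'terminal=?' on a failure is the tell from the thread: PAM never learned
    which tty the caller sits on, which points at the domain being unable to
    use the inherited terminal fd rather than at a wrong password.
    """
    if rec.get("res") == "success":
        return "ok"
    if rec.get("terminal") == "?":
        return "no-terminal: check the domain's use of inherited fds and the tty"
    return "pam-failure: credentials or PAM stack, not the terminal"


def selinux_or_pam(fails_enforcing: bool, fails_permissive: bool) -> str:
    """Daniel Walsh's rule of thumb from the thread, as a function."""
    if fails_permissive:
        return "not-selinux"  # fails even when nothing is denied
    if fails_enforcing:
        return "selinux"  # only enforcing breaks it: a rule is missing
    return "works"


def summarize(lines: List[str]) -> List[str]:
    """One 'domain type serial verdict' line per record."""
    return [
        "%s %s %s %s" % (r["domain"], r["type"], r["serial"], triage(r))
        for r in (parse_record(ln) for ln in lines)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_RECORDS):
        print(row)
```

In refpolicy, domain_use_interactive_fds() (kernel/domain.if) grants fd:use on the privfd attribute, i.e. on descriptors inherited from login-style domains such as newrole_t and run_init_t, which is why the pty Harry's sysadm shell had inherited stayed invisible to PAM until that interface was added.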