From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] How to address USER_AUTH PAM authentication failure?
Date: Fri, 12 Mar 2010 08:22:22 -0500
Message-ID: <4B9A400E.3040909@redhat.com>
In-Reply-To: <BAY111-W19393E335D9BD6AF5F801AAB310@phx.gbl>
On 03/11/2010 10:24 PM, TaurusHarry wrote:
>
>
> ------------------------------------------------------------------------
> Date: Thu, 11 Mar 2010 08:24:11 -0500
> From: dwalsh at redhat.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication
> failure?
>
> On 03/10/2010 10:15 PM, TaurusHarry wrote:
>
> Hi SELinux experts,
>
> Thank you for reading my email. I am trying to write an SELinux pp
> for the vlock program (Virtual Console Locking program); so far I
> get no more AVC denied messages in permissive mode and only one
> USER_AUTH failure message in Enforcing mode. What interface should
> I have added for the vlock_t domain?
>
> [root/sysadm_r/s0 at cp3020 ~]# date +%T
> 23:24:07
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> [root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255
> -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
> Password:
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758
> uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758
> uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> [root/sysadm_r/s0 at cp3020 ~]#
>
> As you can see, in Enforcing mode the vlock just exits silently.
> If in permissive mode, the vlock program could be run successfully
> like below:
>
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> *** This tty is not a VC (virtual console). ***
> *** It may not be securely locked. ***
>
> This TTY is now locked.
> Please enter the password to unlock.
> root's Password:
> [root/sysadm_r/s0 at cp3020 ~]#
>
> So the problem must be rooted in my vlock.pp; the .te file is
> attached at the bottom. How should I address the above USER_AUTH failure?
> Thanks again!
>
> Best regards,
> Harry
>
>
> ----------
>
>
> policy_module(vlock, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type vlock_t;
> type vlock_exec_t;
> application_domain(vlock_t,vlock_exec_t)
>
>
> ########################################
> #
> # Vlock local policy
> #
>
> allow vlock_t self:fd use;
> allow vlock_t self:fifo_file rw_fifo_file_perms;
> allow vlock_t self:unix_dgram_socket { create connect };
> allow vlock_t self:netlink_audit_socket {
> create_netlink_socket_perms nlmsg_relay };
>
> kernel_read_system_state(vlock_t)
>
> corecmd_list_bin(vlock_t)
> corecmd_read_bin_symlinks(vlock_t)
>
> files_read_etc_files(vlock_t)
> files_read_var_files(vlock_t)
> files_read_var_symlinks(vlock_t)
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
>
> auth_domtrans_chk_passwd(vlock_t)
>
> miscfiles_read_localization(vlock_t)
>
> logging_send_syslog_msg(vlock_t)
>
> selinux_getattr_fs(vlock_t)
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com <mailto:refpolicy@oss.tresys.com>
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> semodule -DB
>
> Will turn off the dontaudit rules. From the error it looks like you
> have a problem accessing the terminal.
>
> ls -lZ `tty`
>
>
> Many thanks Daniel, then I added the call to the
> userdom_use_user_terminals() interface for the vlock_t domain and
> verified that vlock_t has enough access rights on the tty device:
>
> [root/secadm_r/s0 at cp3020 ~]# ls -Z `tty`
> crw--w---- harry tty staff_u:object_r:user_devpts_t:s0 /dev/pts/0
> [root/secadm_r/s0 at cp3020 ~]# sesearch -SCA -s vlock_t -t user_devpts_t
> Found 1 semantic av rules:
> allow vlock_t user_devpts_t : chr_file { ioctl read write getattr open
> } ;
>
> [root/secadm_r/s0 at cp3020 ~]#
>
> However, unfortunately, I still get the following USER_AUTH message
> with "terminal=?":
>
> type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
>
> So far I have called the following three interfaces related to the
> terminal for vlock_t:
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
> userdom_use_user_terminals(vlock_t)
>
> What else could I have missed? From the log of some other program such
> as run_init_t, I can see its USER_AUTH message is a success with
> terminal=pts/1, and only the userdom_use_user_terminals() interface
> has been called for run_init_t; I really don't get why this same
> interface won't work for vlock_t.
>
> BTW, I have tried semodule -DB, but there are no other AVC denied
> messages in permissive mode and I get only the above USER_AUTH
> message in enforcing mode, so it seems I have to get past this
> USER_AUTH failure before I can move on to anything else.
>
> Thanks again!
> Harry
>
USER_AUTH is not an SELinux error message. It indicates that, for
whatever reason, your PAM session failed.
type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?,
addr=?, terminal=? res=failed)'
'op=PAM:authentication acct="root" exe="/usr/bin/vlock" res=failed
If this only happens in Enforcing mode then it could be an SELinux
issue, but if it happens in permissive, you most likely have a different
problem.
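An added example, not code from the thread or from refpolicy, that mechanises the distinction Dan draws above: parse raw ausearch-style records, and for each USER_AUTH with res=failed look for an AVC denial from the same pid or the same source domain within a few seconds; a PAM failure that also reproduces in permissive mode is classed as not an SELinux problem. The vlock USER_AUTH line is the record quoted in the thread; the AVC record, the run_init record and the permissive-mode record are constructed values for illustration (the thread itself reports no AVC denials), and the five-second correlation window is an assumption.

```python
"""Triage PAM USER_AUTH failures against SELinux AVC records (added example).
A USER_AUTH res=failed record is PAM's verdict; only a correlated AVC denial
from the same process is evidence that policy is what made PAM fail."""
import re

# Constructed sample ausearch output.  The vlock USER_AUTH line copies the
# record quoted in the thread; the AVC line and the run_init line are assumed
# values added to show a correlated denial and a successful PAM authentication.
SAMPLE_ENFORCING = """\
type=AVC msg=audit(1268353015.900:16091): avc:  denied  { read } for  pid=4260 comm="vlock" name="shadow" dev=dm-0 ino=12345 scontext=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1268353099.100:16120): user pid=4301 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:run_init_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/sbin/run_init" (hostname=?, addr=?, terminal=pts/1 res=success)'
"""
# Constructed: the same vlock run repeated in permissive mode, where it succeeds.
SAMPLE_PERMISSIVE = """\
type=USER_AUTH msg=audit(1268353200.500:16200): user pid=4400 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=pts/0 res=success)'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")


def parse_kv(text):
    """key=value pairs, with double quotes stripped from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_record(line):
    """One raw audit record -> dict, or None for lines that are not records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    body = m["body"]
    # PAM records keep their details inside msg='...'; split that out so the
    # parenthesised (hostname=?, addr=?, terminal=? res=failed) part parses too.
    inner = re.search(r"msg='(.*)'\s*$", body)
    if inner:
        body = body[: inner.start()]
        rec.update(parse_kv(inner.group(1).replace("(", " ").replace(")", " ").replace(",", " ")))
    rec.update(parse_kv(body))
    if rec["type"] == "AVC":
        perms = PERMS_RE.search(body)
        rec["perms"] = perms.group(1).split() if perms else []
        rec["denied"] = " denied " in body
    return rec


def parse_audit(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def domain_of(context):
    """Type field of a context such as staff_u:sysadm_r:vlock_t:s0-s15:c0.c255."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) > 2 else None


def triage(records, window=5.0):
    """For each failed USER_AUTH, find AVC denials from the same pid (or the same
    source domain) within `window` seconds and say which way the evidence points."""
    denials = [r for r in records if r["type"] == "AVC" and r.get("denied")]
    findings = []
    for r in records:
        if r["type"] != "USER_AUTH" or r.get("res") != "failed":
            continue
        related = [a for a in denials
                   if abs(a["ts"] - r["ts"]) <= window
                   and (a.get("pid") == r.get("pid") or a.get("scontext") == r.get("subj"))]
        finding = {
            "serial": r["serial"], "pid": r.get("pid"), "domain": domain_of(r.get("subj")),
            "exe": r.get("exe"), "acct": r.get("acct"), "terminal": r.get("terminal"),
            "avc_serials": [a["serial"] for a in related],
            "denied_perms": sorted({p for a in related for p in a["perms"]}),
        }
        if related:
            finding["verdict"] = "selinux"
            finding["hint"] = "AVC denial from the same process; fix the policy for these permissions"
        else:
            finding["verdict"] = "pam"
            finding["hint"] = ("no AVC for this process; rerun with 'semodule -DB' to expose "
                               "dontaudit'd denials and compare against permissive mode")
        findings.append(finding)
    return findings


def classify_by_mode(enforcing, permissive):
    """Rule of thumb from the reply above: a PAM failure that also reproduces in
    permissive mode is not an SELinux problem.  Keys are (exe, acct) of failures."""
    def failed(recs):
        return {(r.get("exe"), r.get("acct")) for r in recs
                if r["type"] == "USER_AUTH" and r.get("res") == "failed"}
    enf, perm = failed(enforcing), failed(permissive)
    return {"selinux_suspect": sorted(enf - perm), "not_selinux": sorted(enf & perm)}


if __name__ == "__main__":
    enforcing = parse_audit(SAMPLE_ENFORCING)
    for f in triage(enforcing):
        print(f"pid={f['pid']} domain={f['domain']} exe={f['exe']} terminal={f['terminal']} "
              f"-> {f['verdict']}: {f['hint']}")
    print(classify_by_mode(enforcing, parse_audit(SAMPLE_PERMISSIVE)))
```

Feed it the raw (uninterpreted) ausearch output for the time window in question, once from an enforcing run and once from a permissive run; with ausearch -i the field layout is rewritten and the parser will not match. The pid match is the strong signal, the scontext match is a fallback for multi-process helpers such as a spawned chkpwd, which is why both are accepted.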
Thread overview:
2010-03-11 3:15 [refpolicy] How to address USER_AUTH PAM authentication failure? TaurusHarry
2010-03-11 13:24 ` Daniel J Walsh
2010-03-12 3:24 ` TaurusHarry
2010-03-12 13:22 ` Daniel J Walsh [this message]
2010-03-15 3:01 ` [refpolicy] How to address USER_AUTH PAM authentication failure? - Problem solved TaurusHarry