All of lore.kernel.org
* [refpolicy] How to address USER_AUTH PAM authentication failure?
@ 2010-03-11  3:15 TaurusHarry
  2010-03-11 13:24 ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: TaurusHarry @ 2010-03-11  3:15 UTC (permalink / raw)
  To: refpolicy

Hi SELinux experts,

Thank you for reading my email. I am trying to write an SELinux pp for the vlock program (Virtual Console Locking program); so far I get no more AVC denied messages in permissive mode and only one USER_AUTH failure message in Enforcing mode. What interface should I have added for the vlock_t domain?

   [root/sysadm_r/s0 at cp3020 ~]# date +%T
   23:24:07 
   [root/sysadm_r/s0 at cp3020 ~]# vlock
   [root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
   Password: 
   ----
   time->Wed Mar 10 23:24:54 2010
   type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
   ----
   time->Wed Mar 10 23:24:54 2010
   type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
   [root/sysadm_r/s0 at cp3020 ~]# 

As you can see, in Enforcing mode vlock just exits silently. In permissive mode, the vlock program runs successfully, as below:

   [root/sysadm_r/s0 at cp3020 ~]# vlock
    *** This tty is not a VC (virtual console). ***
    *** It may not be securely locked. ***
   
   This TTY is now locked.
   Please enter the password to unlock.
   root's Password: 
   [root/sysadm_r/s0 at cp3020 ~]#

So the problem must be rooted in my vlock.pp; the .te file is attached at the bottom. How should I address the above USER_AUTH failure?

Thanks again!

Best regards,
Harry


----------


policy_module(vlock, 1.0.0)

########################################
#
# Declarations
#

type vlock_t;
type vlock_exec_t;
application_domain(vlock_t,vlock_exec_t)


########################################
#
# Vlock local policy
#

allow vlock_t self:fd use;
allow vlock_t self:fifo_file rw_fifo_file_perms;
allow vlock_t self:unix_dgram_socket { create connect };
allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

kernel_read_system_state(vlock_t)

corecmd_list_bin(vlock_t)
corecmd_read_bin_symlinks(vlock_t)

files_read_etc_files(vlock_t)
files_read_var_files(vlock_t)
files_read_var_symlinks(vlock_t)

term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)

auth_domtrans_chk_passwd(vlock_t)

miscfiles_read_localization(vlock_t)

logging_send_syslog_msg(vlock_t)

selinux_getattr_fs(vlock_t)


* [refpolicy] How to address USER_AUTH PAM authentication failure?
  2010-03-11  3:15 [refpolicy] How to address USER_AUTH PAM authentication failure? TaurusHarry
@ 2010-03-11 13:24 ` Daniel J Walsh
  2010-03-12  3:24   ` TaurusHarry
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2010-03-11 13:24 UTC (permalink / raw)
  To: refpolicy

On 03/10/2010 10:15 PM, TaurusHarry wrote:
> Hi SELinux experts,
>
> Thank you for reading my email, I am trying to write a SELinux pp for
> the vlock program(Virtual Console Locking program), so far I gets no
> more AVC denied messages in permissive mode and only one USER_AUTH
> failure message in Enforcing mode, what interface should I have added
> for the vlock_t domain?
>
> [root/sysadm_r/s0 at cp3020 ~]# date +%T
> 23:24:07
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> [root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p
> -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
> Password:
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> [root/sysadm_r/s0 at cp3020 ~]#
>
> As you can see, in Enforcing mode the vlock just exits silently. If in
> permissive mode, the vlock program could be run successfully like below:
>
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> *** This tty is not a VC (virtual console). ***
> *** It may not be securely locked. ***
>
> This TTY is now locked.
> Please enter the password to unlock.
> root's Password:
> [root/sysadm_r/s0 at cp3020 ~]#
>
> So the problem must be rooted in my vlock.pp, the .te file is attached
> at the bottom, how should I address above USER_AUTH failure?
> Thanks again!
>
> Best regards,
> Harry
>
>
> ----------
>
>
> policy_module(vlock, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type vlock_t;
> type vlock_exec_t;
> application_domain(vlock_t,vlock_exec_t)
>
>
> ########################################
> #
> # Vlock local policy
> #
>
> allow vlock_t self:fd use;
> allow vlock_t self:fifo_file rw_fifo_file_perms;
> allow vlock_t self:unix_dgram_socket { create connect };
> allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms
> nlmsg_relay };
>
> kernel_read_system_state(vlock_t)
>
> corecmd_list_bin(vlock_t)
> corecmd_read_bin_symlinks(vlock_t)
>
> files_read_etc_files(vlock_t)
> files_read_var_files(vlock_t)
> files_read_var_symlinks(vlock_t)
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
>
> auth_domtrans_chk_passwd(vlock_t)
>
> miscfiles_read_localization(vlock_t)
>
> logging_send_syslog_msg(vlock_t)
>
> selinux_getattr_fs(vlock_t)
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
semodule -DB

Will turn off the dontaudit rules. From the error it looks like you have
a problem accessing the terminal.

ls -lZ `tty`



* [refpolicy] How to address USER_AUTH PAM authentication failure?
  2010-03-11 13:24 ` Daniel J Walsh
@ 2010-03-12  3:24   ` TaurusHarry
  2010-03-12 13:22     ` Daniel J Walsh
  0 siblings, 1 reply; 5+ messages in thread
From: TaurusHarry @ 2010-03-12  3:24 UTC (permalink / raw)
  To: refpolicy

Date: Thu, 11 Mar 2010 08:24:11 -0500
From: dwalsh@redhat.com
To: harrytaurus2002 at hotmail.com
CC: refpolicy at oss1.tresys.com
Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?

> On 03/10/2010 10:15 PM, TaurusHarry wrote:
> [...]
>
> semodule -DB
>
> Will turn off the dontaudit rules.  From the error it looks like you
> have a problem accessing the terminal.
>
> ls -lZ `tty`

Many thanks, Daniel. I then added a call to the userdom_use_user_terminals() interface for the vlock_t domain and verified that vlock_t has enough access rights on the tty device:

[root/secadm_r/s0 at cp3020 ~]# ls -Z `tty`
crw--w----  harry tty staff_u:object_r:user_devpts_t:s0 /dev/pts/0
[root/secadm_r/s0 at cp3020 ~]# sesearch  -SCA -s vlock_t -t user_devpts_t
Found 1 semantic av rules:
   allow vlock_t user_devpts_t : chr_file { ioctl read write getattr open } ; 

[root/secadm_r/s0 at cp3020 ~]#

However, unfortunately, I still get the following USER_AUTH message with "terminal=?":

type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'

So far I have called the following three terminal-related interfaces for vlock_t:

term_use_all_user_ttys(vlock_t)
term_use_all_user_ptys(vlock_t)
userdom_use_user_terminals(vlock_t)

What else could I have missed? From the log of some other program such as run_init_t, I can see its USER_AUTH message is a success with terminal=pts/1, and only the userdom_use_user_terminals() interface has been called for run_init_t; I really don't get why this same interface won't work for vlock_t.

BTW, I have tried semodule -DB, but there are no other AVC denied messages in permissive mode, and I could only get the above one USER_AUTH message in enforcing mode, so it seems I have to get past this USER_AUTH failure before I can move on to anything else.

Thanks again!
Harry


* [refpolicy] How to address USER_AUTH PAM authentication failure?
  2010-03-12  3:24   ` TaurusHarry
@ 2010-03-12 13:22     ` Daniel J Walsh
  2010-03-15  3:01       ` [refpolicy] How to address USER_AUTH PAM authentication failure? - Problem solved TaurusHarry
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel J Walsh @ 2010-03-12 13:22 UTC (permalink / raw)
  To: refpolicy

On 03/11/2010 10:24 PM, TaurusHarry wrote:
>
> [...]
> Many thanks Daniel, then I added the call to the
> userdom_use_user_terminals() interface for the vlock_t domain and
> verified that vlock_t has enough access rights on the tty device:
>
> [root/secadm_r/s0 at cp3020 ~]# ls -Z `tty`
> crw--w---- harry tty staff_u:object_r:user_devpts_t:s0 /dev/pts/0
> [root/secadm_r/s0 at cp3020 ~]# sesearch -SCA -s vlock_t -t user_devpts_t
> Found 1 semantic av rules:
> allow vlock_t user_devpts_t : chr_file { ioctl read write getattr open
> } ;
>
> [root/secadm_r/s0 at cp3020 ~]#
>
> However, unfortunately, I still get following USER_AUTH message with
> "terminal=?":
>
> type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
>
> So far I have called the following three interfaces related with
> terminal for vlock_t:
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
> userdom_use_user_terminals(vlock_t)
>
> What else could I have missed? From the log of some other program such
> as run_init_t, I can see its USER_AUTH message is a success with
> terminal=pts/1, and only the userdom_use_user_terminals() interface
> has been called for run_init_t, I really don't get it why this same
> interface won't work for vlock_t.
>
> BTW, I have tried semodule -DB, but there is no more other AVC denied
> messages in the permissive mode and I could only get the above one
> USER_AUTH message in enforcing mode, so it seems I have to get over
> this USER_AUTH failure before I could move on to somewhere else.
>
> Thanks again!
> Harry
>
USER_AUTH is not an SELinux error message. It indicates that for whatever
reason your PAM session failed.

type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?,
addr=?, terminal=? res=failed)'

'op=PAM:authentication acct="root" exe="/usr/bin/vlock" res=failed

If this only happens in Enforcing mode then it could be an SELinux
issue, but if it happens in permissive, you most likely have a different
problem.


* [refpolicy] How to address USER_AUTH PAM authentication failure? - Problem solved
  2010-03-12 13:22     ` Daniel J Walsh
@ 2010-03-15  3:01       ` TaurusHarry
  0 siblings, 0 replies; 5+ messages in thread
From: TaurusHarry @ 2010-03-15  3:01 UTC (permalink / raw)
  To: refpolicy

Date: Fri, 12 Mar 2010 08:22:22 -0500
From: dwalsh@redhat.com
To: harrytaurus2002 at hotmail.com
CC: refpolicy at oss1.tresys.com
Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?

> On 03/11/2010 10:24 PM, TaurusHarry wrote:
> [...]
>
> USER_AUTH is not an SELinux error message.  It indicates that for
> whatever reason your PAM session failed.
>
> type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
>
> 'op=PAM:authentication acct="root" exe="/usr/bin/vlock"  res=failed
>
> If this only happens in Enforcing mode then it could be an SELinux
> issue, but if it happens in permissive, you most likely have a
> different problem.

---------------------------------

Hi Daniel,

Yeah, this problem exists only in Enforcing mode; in permissive mode everything is fine, but there are no helpful denied messages. Later I borrowed some interfaces called for newrole_t and run_init_t and finally found that once I applied the domain_use_interactive_fds() interface to my vlock_t, vlock worked fine, with the success message below:

time->Sun Mar 14 23:34:01 2010
type=CRED_REFR msg=audit(1268609641.096:831): user pid=2863 uid=0 auid=1000 ses=2 subj=staff_u:secadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:setcred acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=pts/0 res=success)'

I don't have a deep understanding of the role this interface plays for the calling domain so far, but it did resolve my problem. Thanks for all your suggestions!

Best regards,
Harry

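The triage the replies in this thread describe (an AVC denial means a policy gap; a USER_AUTH record is a PAM result and by itself says nothing about SELinux), worked through as an added example that is not part of the thread, of refpolicy or of the audit tools. It parses raw records in the format ausearch prints and classifies each one. The USER_AUTH and CRED_REFR records in the sample are copied from the thread; the AVC record is constructed, and PRIVFD_TYPES is an assumed partial list of the domains refpolicy marks with the privfd attribute (in refpolicy, domain_use_interactive_fds() expands to allow $1 privfd:fd use;, which is why that single interface resolved the inherited-terminal problem in the last message). All function and field names are this example's own.

```python
"""Triage raw audit records: tell SELinux AVC denials apart from PAM events."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input as ausearch prints it. The USER_AUTH and CRED_REFR records are
# the ones from this thread; the AVC record is constructed to show the shape
# an audited "fd use" denial against a descriptor inherited from newrole_t
# would have (the thread itself saw no AVC, even with dontaudit disabled).
SAMPLE_RECORDS = """\
----
time->Wed Mar 10 23:24:54 2010
type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
----
type=AVC msg=audit(1268263494.640:13156): avc:  denied  { use } for  pid=3758 comm="vlock" path="/dev/pts/0" dev=devpts ino=3 scontext=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 tcontext=staff_u:sysadm_r:newrole_t:s0-s15:c0.c255 tclass=fd
----
type=CRED_REFR msg=audit(1268609641.096:831): user pid=2863 uid=0 auid=1000 ses=2 subj=staff_u:secadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:setcred acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=pts/0 res=success)'
"""

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs: "quoted", 'quoted' (the PAM msg='...' wrapper) or bare
# tokens such as terminal=pts/0, hostname=? and res=failed.
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|[^\s,)]+)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")

# Domains carrying refpolicy's privfd attribute (partial list, assumed from
# the policy sources). A descriptor created by one of them and inherited by
# the domain under test needs fd:use, which domain_use_interactive_fds()
# grants as `allow $1 privfd:fd use;`.
PRIVFD_TYPES = {"newrole_t", "sshd_t", "getty_t", "local_login_t"}


@dataclass
class Record:
    type: str
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)  # top-level key=value
    pam: Optional[Dict[str, str]] = None                   # parsed msg='...' body
    avc: Optional[Dict[str, str]] = None                   # verdict and perms


def _kv(text: str) -> Dict[str, str]:
    return {k: v.strip("\"'") for k, v in KV_RE.findall(text)}


def type_of(context: str) -> str:
    """user:role:type:range -> type"""
    return context.split(":")[2]


def parse_record(line: str) -> Optional[Record]:
    m = HEADER_RE.match(line.strip())
    if not m:                      # "----", "time->..." separators, etc.
        return None
    rec = Record(type=m["type"], serial=int(m["serial"]))
    if rec.type == "AVC":
        a = AVC_RE.search(m["body"])
        if a:
            rec.avc = {"verdict": a["verdict"], "perms": " ".join(a["perms"].split())}
            rec.fields = _kv(a["rest"])
        return rec
    rec.fields = _kv(m["body"])
    if "msg" in rec.fields:        # user-space (PAM) records nest their fields
        rec.pam = _kv(rec.fields["msg"])
    return rec


def allow_rule(rec: Record) -> str:
    """The minimal allow rule a denial asks for (what audit2allow would print)."""
    if not rec.avc or rec.avc["verdict"] != "denied":
        raise ValueError("not an AVC denial")
    f = rec.fields
    return (f"allow {type_of(f['scontext'])} {type_of(f['tcontext'])}:"
            f"{f['tclass']} {{ {rec.avc['perms']} }};")


def suggest_interface(rec: Record) -> Optional[str]:
    """Map an fd:use denial against a privfd domain to the refpolicy interface."""
    f = rec.fields
    if f.get("tclass") == "fd" and "tcontext" in f and type_of(f["tcontext"]) in PRIVFD_TYPES:
        return f"domain_use_interactive_fds({type_of(f['scontext'])})"
    return None


def classify(rec: Record) -> str:
    if rec.avc is not None:
        return "selinux-denial" if rec.avc["verdict"] == "denied" else "selinux-granted"
    if rec.pam is not None:        # USER_AUTH, CRED_REFR, ...: PAM results, not AVCs
        if rec.pam.get("res") == "success":
            return "pam-ok"
        # Failed and PAM could not even name the terminal: in this thread that
        # was the only trace left in enforcing mode, and it disappeared once
        # vlock_t could use the terminal descriptors it had inherited.
        return "pam-failed-no-terminal" if rec.pam.get("terminal") == "?" else "pam-failed"
    return "other"


def triage(text: str) -> List[dict]:
    out = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        item = {"serial": rec.serial, "type": rec.type, "class": classify(rec)}
        if item["class"] == "selinux-denial":
            item["fix"] = allow_rule(rec)
            item["interface"] = suggest_interface(rec)
        out.append(item)
    return out


if __name__ == "__main__":
    for item in triage(SAMPLE_RECORDS):
        print(item)
```

Run it with python3 to print one line per record; on a live system, feed it the output of the ausearch -se vlock_t command shown in the thread instead of SAMPLE_RECORDS. The class pam-failed-no-terminal is the shape seen in this thread: a failure with terminal=? that appears only in enforcing mode, which points at SELinux even though nothing was logged as an AVC; the AVC branch shows the extra step that becomes possible when a denial is logged, turning it into an allow rule and, for an fd inherited from a privfd domain, into the interface call that fixed this case.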

end of thread, other threads:[~2010-03-15  3:01 UTC | newest]

Thread overview: 5+ messages
2010-03-11  3:15 [refpolicy] How to address USER_AUTH PAM authentication failure? TaurusHarry
2010-03-11 13:24 ` Daniel J Walsh
2010-03-12  3:24   ` TaurusHarry
2010-03-12 13:22     ` Daniel J Walsh
2010-03-15  3:01       ` [refpolicy] How to address USER_AUTH PAM authentication failure? - Problem solved TaurusHarry
