From mboxrd@z Thu Jan 1 00:00:00 1970
From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 12 Mar 2010 08:22:22 -0500
Subject: [refpolicy] How to address USER_AUTH PAM authentication failure?
In-Reply-To: 
References: , <4B98EEFB.9050206@redhat.com>
Message-ID: <4B9A400E.3040909@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/11/2010 10:24 PM, TaurusHarry wrote:
>
> ------------------------------------------------------------------------
> Date: Thu, 11 Mar 2010 08:24:11 -0500
> From: dwalsh at redhat.com
> To: harrytaurus2002 at hotmail.com
> CC: refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] How to address USER_AUTH PAM authentication failure?
>
> On 03/10/2010 10:15 PM, TaurusHarry wrote:
>
> Hi SELinux experts,
>
> Thank you for reading my email. I am trying to write a SELinux pp
> for the vlock program (Virtual Console Locking program). So far I
> get no more AVC denied messages in permissive mode and only one
> USER_AUTH failure message in Enforcing mode. What interface should
> I have added for the vlock_t domain?
>
> [root/sysadm_r/s0 at cp3020 ~]# date +%T
> 23:24:07
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> [root/sysadm_r/s0 at cp3020 ~]# newrole -r auditadm_r -l s15:c0.c255 -p -- -c "ausearch -sv no -ts 23:24:07 -se vlock_t"
> Password:
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758
> uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> ----
> time->Wed Mar 10 23:24:54 2010
> type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758
> uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
> [root/sysadm_r/s0 at cp3020 ~]#
>
> As you can see, in Enforcing mode vlock just exits silently.
> If in permissive mode, the vlock program can be run successfully,
> like below:
>
> [root/sysadm_r/s0 at cp3020 ~]# vlock
> *** This tty is not a VC (virtual console). ***
> *** It may not be securely locked. ***
>
> This TTY is now locked.
> Please enter the password to unlock.
> root's Password:
> [root/sysadm_r/s0 at cp3020 ~]#
>
> So the problem must be rooted in my vlock.pp. The .te file is
> attached at the bottom. How should I address the above USER_AUTH failure?
> Thanks again!
>
> Best regards,
> Harry
>
> ----------
>
> policy_module(vlock, 1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type vlock_t;
> type vlock_exec_t;
> application_domain(vlock_t, vlock_exec_t)
>
> ########################################
> #
> # Vlock local policy
> #
>
> allow vlock_t self:fd use;
> allow vlock_t self:fifo_file rw_fifo_file_perms;
> allow vlock_t self:unix_dgram_socket { create connect };
> # PAM modules report USER_AUTH results to the kernel audit subsystem
> # over a netlink audit socket.
> allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>
> kernel_read_system_state(vlock_t)
>
> corecmd_list_bin(vlock_t)
> corecmd_read_bin_symlinks(vlock_t)
>
> files_read_etc_files(vlock_t)
> files_read_var_files(vlock_t)
> files_read_var_symlinks(vlock_t)
>
> # read/write the controlling tty or pty the lock prompt runs on
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
>
> # transition to the password-checking helper domain
> auth_domtrans_chk_passwd(vlock_t)
>
> miscfiles_read_localization(vlock_t)
>
> logging_send_syslog_msg(vlock_t)
>
> selinux_getattr_fs(vlock_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> semodule -DB
>
> Will turn off the dontaudit rules.
> From the error it looks like you
> have a problem accessing the terminal.
>
> ls -lZ `tty`
>
> Many thanks Daniel. Then I added the call to the
> userdom_use_user_terminals() interface for the vlock_t domain and
> verified that vlock_t has enough access rights on the tty device:
>
> [root/secadm_r/s0 at cp3020 ~]# ls -Z `tty`
> crw--w---- harry tty staff_u:object_r:user_devpts_t:s0 /dev/pts/0
> [root/secadm_r/s0 at cp3020 ~]# sesearch -SCA -s vlock_t -t user_devpts_t
> Found 1 semantic av rules:
>    allow vlock_t user_devpts_t : chr_file { ioctl read write getattr open } ;
>
> [root/secadm_r/s0 at cp3020 ~]#
>
> However, unfortunately, I still get the following USER_AUTH message with
> "terminal=?":
>
> type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0
> auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255
> msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock"
> (hostname=?, addr=?, terminal=? res=failed)'
>
> So far I have called the following three interfaces related to the
> terminal for vlock_t:
>
> term_use_all_user_ttys(vlock_t)
> term_use_all_user_ptys(vlock_t)
> userdom_use_user_terminals(vlock_t)
>
> What else could I have missed? From the log of some other program such
> as run_init_t, I can see its USER_AUTH message is a success with
> terminal=pts/1, and only the userdom_use_user_terminals() interface
> has been called for run_init_t. I really don't get why this same
> interface won't work for vlock_t.
>
> BTW, I have tried semodule -DB, but there are no more AVC denied
> messages in permissive mode, and I could only get the above one
> USER_AUTH message in enforcing mode, so it seems I have to get over
> this USER_AUTH failure before I can move on to anything else.
>
> Thanks again!
> Harry

USER_AUTH is not an SELinux error message.
It indicates that, for whatever reason, your PAM session failed.

type=USER_AUTH msg=audit(1268353015.904:16092): user pid=4260 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'

'op=PAM:authentication acct="root" exe="/usr/bin/vlock" res=failed

If this only happens in Enforcing mode then it could be an SELinux issue, but if it happens in permissive, you most likely have a different problem.
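The distinction Dan draws above (a USER_AUTH res=failed record is a PAM outcome, not an SELinux denial, so it only points at policy when an AVC denial from the same process accompanies it) is the kind of check a policy writer ends up doing by hand with ausearch. The script below is an added example of automating it; it is not code from this thread, from vlock or from refpolicy. It parses raw audit records, separates USER_AUTH results from AVC denials, and correlates failed authentications with denials from the same pid inside a short time window. The input is constructed for the example: the two vlock USER_AUTH records are copied from Harry's message, while the AVC record, the example_t domain and the run_init_t success record are made up to exercise the other code paths.

```python
"""Audit-record triage: separate PAM USER_AUTH failures from SELinux AVC denials.

Added example, not from the refpolicy thread, vlock or refpolicy.
All sample input below is constructed; only the two vlock USER_AUTH lines
are copied from the thread, the rest (AVC record, example_t, run_init_t
success) is invented to exercise each branch.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1268263494.640:13155): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
type=USER_AUTH msg=audit(1268263494.644:13159): user pid=3758 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:vlock_t:s0-s15:c0.c255 msg='op=PAM:authentication acct="root" exe="/usr/bin/vlock" (hostname=?, addr=?, terminal=? res=failed)'
type=AVC msg=audit(1268263500.100:13170): avc:  denied  { read } for  pid=4100 comm="example" name="shadow" dev=dm-0 ino=12345 scontext=staff_u:sysadm_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=USER_AUTH msg=audit(1268263500.105:13171): user pid=4100 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:example_t:s0 msg='op=PAM:authentication acct="root" exe="/usr/bin/example" (hostname=?, addr=?, terminal=pts/1 res=failed)'
type=USER_AUTH msg=audit(1268263600.000:13200): user pid=4200 uid=0 auid=501 ses=3 subj=staff_u:sysadm_r:run_init_t:s0 msg='op=PAM:authentication acct="root" exe="/sbin/run_init" (hostname=?, addr=?, terminal=pts/1 res=success)'
"""

# type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): <rest of record>
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value pairs: single-quoted (PAM msg='...'), double-quoted (exe="...") or bare
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
AVC_PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def _clean(value):
    # strip surrounding quotes and the ", " / ")" that trail bare values inside
    # the PAM "(hostname=?, addr=?, terminal=? res=failed)" group
    return value.strip("'\"").rstrip(",)")


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not one."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    for key, value in KV_RE.findall(m["rest"]):
        rec[key] = _clean(value)
    if rec["type"] == "USER_AUTH" and "msg" in rec:
        # PAM nests op=, acct=, exe=, terminal= and res= inside msg='...'
        for key, value in KV_RE.findall(rec["msg"]):
            rec.setdefault(key, _clean(value))
    if rec["type"] == "AVC":
        perms = AVC_PERMS_RE.search(m["rest"])
        rec["perms"] = perms.group(1).split() if perms else []
    return rec


def triage(log_text, window_seconds=5.0):
    """Return one finding per failed USER_AUTH record.

    "avc_correlated": the same pid produced an AVC denial within the window,
    so the PAM failure may be policy. "no_avc": no logged denial for that pid;
    this does not rule out a dontaudited one, so rerun after `semodule -DB`
    before concluding that PAM itself, not SELinux, is failing.
    """
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    avcs_by_pid = defaultdict(list)
    for r in records:
        if r["type"] == "AVC":
            avcs_by_pid[r["pid"]].append(r)

    findings = []
    for r in records:
        if r["type"] != "USER_AUTH" or r.get("res") != "failed":
            continue
        nearby = [
            a for a in avcs_by_pid[r["pid"]]
            if abs(a["time"] - r["time"]) <= window_seconds
        ]
        findings.append({
            "serial": r["serial"],
            "pid": r["pid"],
            "domain": r["subj"].split(":")[2],
            "exe": r.get("exe"),
            "terminal": r.get("terminal"),
            "avc_denials": [
                (a["tcontext"].split(":")[2], a["tclass"], " ".join(a["perms"]))
                for a in nearby
            ],
            "verdict": "avc_correlated" if nearby else "no_avc",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"serial={f['serial']} pid={f['pid']} domain={f['domain']} "
              f"terminal={f['terminal']} -> {f['verdict']} {f['avc_denials']}")
```

On a real box the input would be the output of `ausearch -i` turned off (raw records, as in the thread) for the time window of the test, and the pid correlation replaces eyeballing serial numbers. The two vlock records come out as "no_avc", which is exactly the situation in the thread: nothing for SELinux to explain in the log, so the next step is the PAM side (or disabling dontaudit rules and looking again), not another interface call.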