From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Andy Ruch <adruch2002@yahoo.com>
Cc: SELinux ML <selinux@tycho.nsa.gov>
Subject: Re: SELinux errors with pam_faillock
Date: Fri, 26 Apr 2013 07:56:45 -0400 [thread overview]
Message-ID: <517A6B7D.7020202@tresys.com> (raw)
In-Reply-To: <1366925707.22597.YahooMailNeo@web163405.mail.gq1.yahoo.com>
On 04/25/13 17:35, Andy Ruch wrote:
> I'm receiving some SELinux errors related to the pam_faillock module. I'm running RHEL 6.3 with a custom policy based on the reference policy.
>
> When a user enters an incorrect password, the pam faillock module will track it with a file in /var/run/faillock/<user>. This is being applied whenever the user enters their password (i.e. console login, newrole, sudo). Everything works appropriately for the console login. For newrole and sudo, I'm getting errors when the /var/run/faillock/<user> file is trying to be created. Basically, newrole_t and <role>_sudo_t don't have permission to create files in a faillog_t dir.
>
> I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows writing if the file already exists. It doesn't address if the faillock file needs to be created.
faillog_t was really only oriented towards /var/log/faillog only. It might make more sense to label it auth_cache_t, though it looks like you'll need to add perms to newrole.
> I'm able to address the issues with the following rules:
>
> # Note that these rules would be applied in the sudo interface to support all sudo types
> create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
> setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
> allow sysadm_sudo_t_t self:capability:chown;
>
> create_files_pattern( newrole_t, faillog_t, faillog_t )
> setattr_files_pattern( newrole_t, faillog_t, faillog_t )
> allow newrole_t self:capability:chown;
>
> Is this the correct solution? Or should a transition be happening when faillock executes?
Is there an exec() to transition on? Pam modules are shared libraries that are dlopened into the process, so there's typically no exec().
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2013-04-26 11:56 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-25 21:35 SELinux errors with pam_faillock Andy Ruch
2013-04-26 11:56 ` Christopher J. PeBenito [this message]
2013-04-26 14:54 ` Andy Ruch
2013-04-26 15:16 ` Chad Hanson
2013-04-26 19:46 ` Andy Ruch
2013-04-26 23:06 ` Chad Hanson
2013-05-06 18:13 ` Daniel J Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=517A6B7D.7020202@tresys.com \
--to=cpebenito@tresys.com \
--cc=adruch2002@yahoo.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.