SELinux errors with pam_faillock

SELinux errors with pam_faillock

[Andy Ruch]

[-- Attachment #1: Type: text/plain, Size: 1452 bytes --]

Hello,

I'm receiving some SELinux errors related to the pam_faillock module. I'm running RHEL 6.3 with a custom policy based on the reference policy. 


When a user enters an incorrect password, the pam faillock module will track it with a file in /var/run/faillock/<user>. This is being applied whenever the user enters their password (i.e. console login, newrole, sudo). Everything works appropriately for the console login. For newrole and sudo, I'm getting errors when the /var/run/faillock/<user> file is trying to be created. Basically, newrole_t and <role>_sudo_t don't have permission to create files in a faillog_t dir. 


I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows writing if the file already exists. It doesn't address if the faillock file needs to be created. 


I'm able to address the issues with the following rules:

# Note that these rules would be applied in the sudo interface to support all sudo types

create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )allow sysadm_sudo_t_t self:capability:chown;


create_files_pattern( newrole_t, faillog_t, faillog_t )
setattr_files_pattern( newrole_t, faillog_t, faillog_t )
allow newrole_t self:capability:chown;

Is this the correct solution? Or should a transition be happening when faillock executes?


Thanks,
Andy Ruch

[-- Attachment #2: Type: text/html, Size: 4696 bytes --]

Re: SELinux errors with pam_faillock

[Christopher J. PeBenito]

On 04/25/13 17:35, Andy Ruch wrote:
> I'm receiving some SELinux errors related to the pam_faillock module. I'm running RHEL 6.3 with a custom policy based on the reference policy.
> 
> When a user enters an incorrect password, the pam faillock module will track it with a file in /var/run/faillock/<user>. This is being applied whenever the user enters their password (i.e. console login, newrole, sudo). Everything works appropriately for the console login. For newrole and sudo, I'm getting errors when the /var/run/faillock/<user> file is trying to be created. Basically, newrole_t and <role>_sudo_t don't have permission to create files in a faillog_t dir.
> 
> I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows writing if the file already exists. It doesn't address if the faillock file needs to be created.

faillog_t was really only oriented towards /var/log/faillog only.  It might make more sense to label it auth_cache_t, though it looks like you'll need to add perms to newrole.

> I'm able to address the issues with the following rules:
> 
> # Note that these rules would be applied in the sudo interface to support all sudo types
> create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
> setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
> allow sysadm_sudo_t_t self:capability:chown;
> 
> create_files_pattern( newrole_t, faillog_t, faillog_t )
> setattr_files_pattern( newrole_t, faillog_t, faillog_t )
> allow newrole_t self:capability:chown;
> 
> Is this the correct solution? Or should a transition be happening when faillock executes?

Is there an exec() to transition on?  Pam modules are shared libraries that are dlopened into the process, so there's typically no exec().

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux errors with pam_faillock

[Andy Ruch]

>________________________________
> From: Christopher J. PeBenito <cpebenito@tresys.com>
>To: Andy Ruch <adruch2002@yahoo.com> 
>Cc: SELinux ML <selinux@tycho.nsa.gov> 
>Sent: Friday, April 26, 2013 5:56 AM
>Subject: Re: SELinux errors with pam_faillock
> 
>
>On 04/25/13 17:35, Andy Ruch wrote:
>> I'm receiving some SELinux errors related to the pam_faillock module. I'm running RHEL 6.3 with a custom policy based on the reference policy.
>> 
>> When a user enters an incorrect password, the pam faillock module will track it with a file in /var/run/faillock/<user>. This is being applied whenever the user enters their password (i.e. console login, newrole, sudo). Everything works appropriately for the console login. For newrole and sudo, I'm getting errors when the /var/run/faillock/<user> file is trying to be created. Basically, newrole_t and <role>_sudo_t don't have permission to create files in a faillog_t dir.
>> 
>> I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows writing if the file already exists. It doesn't address if the faillock file needs to be created.
>
>faillog_t was really only oriented towards /var/log/faillog only.  It might make more sense to label it auth_cache_t, though it looks like you'll need to add perms to newrole.


This was how it was defined in the reference policy, but it seems to make sense to change it.

>
>> I'm able to address the issues with the following rules:
>> 
>> # Note that these rules would be applied in the sudo interface to support all sudo types
>> create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
>> setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
>> allow sysadm_sudo_t_t self:capability:chown;
>> 
>> create_files_pattern( newrole_t, faillog_t, faillog_t )
>> setattr_files_pattern( newrole_t, faillog_t, faillog_t )
>> allow newrole_t self:capability:chown;
>> 
>> Is this the correct solution? Or should a transition be happening when faillock executes?
>
>Is there an exec() to transition on?  Pam modules are shared libraries that are dlopened into the process, so there's typically no exec().

I'm sure you're right. I'm somewhat new to SELinux so I wasn't sure if there was something else I was missing. Primarily, I wasn't sure if it was appropriate to grant create/write permissions for these faillock files to the sudo type for a role. 


>
>-- 
>Chris PeBenito
>Tresys Technology, LLC
>www.tresys.com | oss.tresys.com
>
>--
>This message was distributed to subscribers of the selinux mailing list.
>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>the words "unsubscribe selinux" without quotes as the message.
>
>
>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux errors with pam_faillock

[Chad Hanson]

I think the bigger issue with your question on sudo and newrole is
what have you done to get into the system without already creating
faillog files for the current user. Both sudo and newrole are only
authenticating the existing user. There is a problem in su.if that it
needs manage instead of rw since you are changing to a different user
which may not yet have a faillog entry as I would understand this
process. Also, there is also a missing block to read the cracklib
dictionaries in the sudo.if file.

On Fri, Apr 26, 2013 at 10:54 AM, Andy Ruch <adruch2002@yahoo.com> wrote:
>
>
>>________________________________
>> From: Christopher J. PeBenito <cpebenito@tresys.com>
>>To: Andy Ruch <adruch2002@yahoo.com>
>>Cc: SELinux ML <selinux@tycho.nsa.gov>
>>Sent: Friday, April 26, 2013 5:56 AM
>>Subject: Re: SELinux errors with pam_faillock
>>
>>
>>On 04/25/13 17:35, Andy Ruch wrote:
>>> I'm receiving some SELinux errors related to the pam_faillock module. I'm running RHEL 6.3 with a custom policy based on the reference policy.
>>>
>>> When a user enters an incorrect password, the pam faillock module will track it with a file in /var/run/faillock/<user>. This is being applied whenever the user enters their password (i.e. console login, newrole, sudo). Everything works appropriately for the console login. For newrole and sudo, I'm getting errors when the /var/run/faillock/<user> file is trying to be created. Basically, newrole_t and <role>_sudo_t don't have permission to create files in a faillog_t dir.
>>>
>>> I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows writing if the file already exists. It doesn't address if the faillock file needs to be created.
>>
>>faillog_t was really only oriented towards /var/log/faillog only.  It might make more sense to label it auth_cache_t, though it looks like you'll need to add perms to newrole.
>
>
> This was how it was defined in the reference policy, but it seems to make sense to change it.
>
>>
>>> I'm able to address the issues with the following rules:
>>>
>>> # Note that these rules would be applied in the sudo interface to support all sudo types
>>> create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
>>> setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t )
>>> allow sysadm_sudo_t_t self:capability:chown;
>>>
>>> create_files_pattern( newrole_t, faillog_t, faillog_t )
>>> setattr_files_pattern( newrole_t, faillog_t, faillog_t )
>>> allow newrole_t self:capability:chown;
>>>
>>> Is this the correct solution? Or should a transition be happening when faillock executes?
>>
>>Is there an exec() to transition on?  Pam modules are shared libraries that are dlopened into the process, so there's typically no exec().
>
> I'm sure you're right. I'm somewhat new to SELinux so I wasn't sure if there was something else I was missing. Primarily, I wasn't sure if it was appropriate to grant create/write permissions for these faillock files to the sudo type for a role.
>
>
>>
>>--
>>Chris PeBenito
>>Tresys Technology, LLC
>>www.tresys.com | oss.tresys.com
>>
>>--
>>This message was distributed to subscribers of the selinux mailing list.
>>If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
>>the words "unsubscribe selinux" without quotes as the message.
>>
>>
>>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux errors with pam_faillock

[Andy Ruch]

----- Original Message -----
> From: Chad Hanson <dahchanson@gmail.com>
> To: Andy Ruch <adruch2002@yahoo.com>
> Cc: Christopher J. PeBenito <cpebenito@tresys.com>; SELinux ML <selinux@tycho.nsa.gov>
> Sent: Friday, April 26, 2013 9:16 AM
> Subject: Re: SELinux errors with pam_faillock
> 
> I think the bigger issue with your question on sudo and newrole is
> what have you done to get into the system without already creating
> faillog files for the current user. Both sudo and newrole are only
> authenticating the existing user. There is a problem in su.if that it
> needs manage instead of rw since you are changing to a different user
> which may not yet have a faillog entry as I would understand this
> process. Also, there is also a missing block to read the cracklib
> dictionaries in the sudo.if file.
> 

To my knowledge, the files in /var/run/faillock are created when an error (wrong password) occurs during user authentication, not when the user logs in. Are you saying the files should always be created, even on logon?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux errors with pam_faillock

[Chad Hanson]

I would expect this to be case from reading the pam_faillock man page.
On successful attempts you clear file of any errors. I would assume
this would make the file if it doesn't exist. That seems to be the
case in my testing. This would be the only reason why some policy
modules have auth_manage_faillog vs auth_rw_faillog.  That interface
doesn't look to be run refpolicy yet, but is in policy-F13.patch in
RHEL 6. You are definitely correct that there needs to be policy for
the files to get created by someone.

On Fri, Apr 26, 2013 at 3:46 PM, Andy Ruch <adruch2002@yahoo.com> wrote:
>
>
>
>
> ----- Original Message -----
>> From: Chad Hanson <dahchanson@gmail.com>
>> To: Andy Ruch <adruch2002@yahoo.com>
>> Cc: Christopher J. PeBenito <cpebenito@tresys.com>; SELinux ML <selinux@tycho.nsa.gov>
>> Sent: Friday, April 26, 2013 9:16 AM
>> Subject: Re: SELinux errors with pam_faillock
>>
>> I think the bigger issue with your question on sudo and newrole is
>> what have you done to get into the system without already creating
>> faillog files for the current user. Both sudo and newrole are only
>> authenticating the existing user. There is a problem in su.if that it
>> needs manage instead of rw since you are changing to a different user
>> which may not yet have a faillog entry as I would understand this
>> process. Also, there is also a missing block to read the cracklib
>> dictionaries in the sudo.if file.
>>
>
> To my knowledge, the files in /var/run/faillock are created when an error (wrong password) occurs during user authentication, not when the user logs in. Are you saying the files should always be created, even on logon?
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: SELinux errors with pam_faillock

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/25/2013 05:35 PM, Andy Ruch wrote:
> Hello,
> 
> I'm receiving some SELinux errors related to the pam_faillock module. I'm 
> running RHEL 6.3 with a custom policy based on the reference policy.
> 
> When a user enters an incorrect password, the pam faillock module will
> track it with a file in /var/run/faillock/<user>. This is being applied
> whenever the user enters their password (i.e. console login, newrole,
> sudo). Everything works appropriately for the console login. For newrole
> and sudo, I'm getting errors when the /var/run/faillock/<user> file is
> trying to be created. Basically, newrole_t and <role>_sudo_t don't have
> permission to create files in a faillog_t dir.
> 
> I found a rule in 'selinuxutil.te' allowing newrole_t to read/write to
> faillog: "auth_rw_faillog(newrole_t)". However, this rule only allows
> writing if the file already exists. It doesn't address if the faillock file
> needs to be created.
> 
> I'm able to address the issues with the following rules:
> 
> # Note that these rules would be applied in the sudo interface to support
> all sudo types create_files_pattern( sysadm_sudo_t, faillog_t, faillog_t ) 
> setattr_files_pattern( sysadm_sudo_t, faillog_t, faillog_t ) allow
> sysadm_sudo_t_t self:capability:chown;
> 
> create_files_pattern( newrole_t, faillog_t, faillog_t ) 
> setattr_files_pattern( newrole_t, faillog_t, faillog_t ) allow newrole_t
> self:capability:chown;
> 
> Is this the correct solution? Or should a transition be happening when
> faillock executes?
> 
> Thanks, Andy Ruch
We don't have these rules in policy either.

I would add

auth_manage_faillog(sysadm_sudo_t)
auth_manage_faillog(newrole_t)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGH8scACgkQrlYvE4MpobMPPQCfQWcTrvlU8zeaW+Zzvx2wG2rC
CtkAn3kapX0n0p6bwJR/7G57JSeG7Yh5
=6NjD
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.