[Bug 582366] New: pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role
http://bugzilla.novell.com/show_bug.cgi?id=582366#c0

           Summary: pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role
    Classification: openSUSE
           Product: openSUSE 11.2
           Version: Final
          Platform: All
        OS/Version: openSUSE 11.2
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: justinmattock@gmail.com
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2b1) Gecko/20091114 Firefox/3.6b1

In order for an SELinux user to log in to a correct type/role (example: staff_t:staff_r:staff_r), /etc/pam.d/{login,xdm,gdm,(optional)sshd} need to have the entries pam_selinux.so open/close in them in order to have libpam properly do its thing.

Reproducible: Always

Steps to Reproduce:
If using a binary policy one can check the login results by semanage login -l; there one can choose which one they want (roles etc..), example:

semanage login -a -s staff_u pebenito

After logging in/out the user should be in their role which they chose, example: staff_u:staff_r:staff_t

Actual Results:
Below are the three files login, gdm, and xdm which get me into the proper role upon login:

/etc/pam.d/*

cat login

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_selinux.so close
session  required       pam_loginuid.so
session  include        common-session
session  required       pam_selinux.so open
session  required       pam_lastlog.so nowtmp
session  optional       pam_mail.so standard
session  optional       pam_ck_connector.so

cat gdm

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_selinux.so close
session  required       pam_loginuid.so
session  include        common-session
session  required       pam_selinux.so open

cat xdm

#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_selinux.so close
session  required       pam_loginuid.so
session  include        common-session
session  required       pam_selinux.so open

As for sshd, I have not added pam_selinux.so to that yet.

If building the source with selinux support enabled, the package does supply the correct selinux/pam modules (pam_selinux.so).

Expected Results:
Users should be able to log in under the correct type/role, either sysadm_r, staff_r, user_r, unconfined_r etc...

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=582366#c

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role|SELinux: pam_selinux.so missing in /etc/pam.d/{login,gdm,xdm,sshd} in order for the correct login type/role
http://bugzilla.novell.com/show_bug.cgi?id=582366#c

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|thomas@novell.com           |security-team@suse.de
         AssignedTo|security-team@suse.de       |thomas@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=582366#c1

Pavol Rusnak <prusnak@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alan@rouses.net, mc@novell.com, prusnak@novell.com

--- Comment #1 from Pavol Rusnak <prusnak@novell.com> 2010-03-11 16:52:56 CET ---
I think you have to call:

pam-config -d --apparmor
pam-config -a --selinux

(first to disable apparmor, because it is not compatible with selinux. second to enable selinux in /etc/pam.d/* config files).

Michael: Could you please confirm this?
http://bugzilla.novell.com/show_bug.cgi?id=582366#c2

--- Comment #2 from Michael Calmer <mc@novell.com> 2010-03-11 15:58:48 UTC ---
Yes.

For debugging you can simply call:

$> pam-config -a --pam-debug

which enables debug for all used pam modules which support a debug mode.

Btw: I have no knowledge about selinux. So I think I cannot help a lot.
http://bugzilla.novell.com/show_bug.cgi?id=582366#c3

--- Comment #3 from Alan Rouse <alan@rouses.net> 2010-03-11 16:54:36 UTC ---
To boot with selinux you enter the kernel boot parameters: "security=selinux selinux=1 enforcing=0"

When you do that, apparmor is not started during boot (you get console messages to this effect) and selinux is started, and works.

The problem is that if you use autologin we are currently not setting the selinux context correctly. If you do a manual login, it is set correctly.

So my question is, how does automatic login work under OpenSUSE? Instead of /etc/pam.d/login, what alternative path is used for automatic login?
http://bugzilla.novell.com/show_bug.cgi?id=582366#c4

--- Comment #4 from Justin mattock <justinmattock@gmail.com> 2010-03-11 18:45:08 UTC ---
ahh!! never knew this tool existed.. so when I run pam-config --selinux this automatically edits the pam.d/* files and adds pam_selinux.so (makes life easy). I'll give it a try.
http://bugzilla.novell.com/show_bug.cgi?id=582366#c5

--- Comment #5 from Justin mattock <justinmattock@gmail.com> 2010-03-11 19:45:15 UTC ---
o.k. here's what I get:

sudo /usr/sbin/pam-config -d --apparmor
File /etc/pam.d/common-auth is no symlink to /etc/pam.d/common-auth-pc.
New config from /etc/pam.d/common-auth-pc is is not in use!

a simple:

sudo ln -svf common-auth-pc common-auth

fixes this for me, then running the above command, as well as the other, gives no complaints.

As for logging into the chosen role, this works (thanks!!).

In regards to autologin, I'm guessing it must have been something with what I had instead of pam_selinux.so being in common-session created by pam-config.
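The pam-config commands in comment #1 and the symlink warning in comment #5 both come down to what the files under /etc/pam.d look like afterwards. The script below is an added example, not the reporter's or pam-config's code: it checks that a service file carries pam_selinux.so close before pam_selinux.so open (the order in the login/gdm/xdm files quoted in the report) and that the common-* files are symlinks to their -pc counterparts, which is what pam-config expected of common-auth. The function names are mine, and the sample tree is constructed from the quoted configs in a temporary directory that stands in for /etc/pam.d, so nothing on the live system is read or changed.

```shell
#!/bin/sh
# Added example (not the reporter's or pam-config's code). Two read-only
# checks for the two problems in this thread:
#   check_pam_selinux FILE -> 0 if FILE has a "session ... pam_selinux.so close"
#                             line before a "session ... pam_selinux.so open"
#                             line, 1 if either is missing or the order is
#                             reversed, 2 if FILE cannot be read.
#   check_pc_symlink FILE  -> 0 if FILE is a symlink to "<name>-pc" (what
#                             pam-config complained about for common-auth in
#                             comment #5), 1 otherwise.
# The sample tree below is constructed from the configs quoted in the report.

check_pam_selinux() {
    f=$1
    [ -r "$f" ] || return 2
    # Skip comment lines; take the line number of the first non-comment
    # "session" entry that loads pam_selinux.so with the given argument.
    close_line=$(awk '!/^[ \t]*#/ && $1=="session" && /pam_selinux\.so[ \t]+close([ \t]|$)/ {print NR; exit}' "$f")
    open_line=$(awk '!/^[ \t]*#/ && $1=="session" && /pam_selinux\.so[ \t]+open([ \t]|$)/ {print NR; exit}' "$f")
    [ -n "$close_line" ] && [ -n "$open_line" ] || return 1
    [ "$close_line" -lt "$open_line" ]
}

check_pc_symlink() {
    f=$1
    [ -L "$f" ] || return 1
    [ "$(readlink "$f")" = "$(basename "$f")-pc" ]
}

# Walk a pam.d-style directory and print one verdict per file; the exit
# status is the number of failing checks.
audit_pamd() {
    dir=$1
    fails=0
    for svc in login gdm xdm sshd; do
        check_pam_selinux "$dir/$svc" && rc=0 || rc=$?
        case $rc in
            0) echo "$svc: pam_selinux.so close/open present and ordered" ;;
            2) echo "$svc: cannot read $dir/$svc"; fails=$((fails + 1)) ;;
            *) echo "$svc: pam_selinux.so close/open missing or misordered"; fails=$((fails + 1)) ;;
        esac
    done
    for c in common-auth common-session; do
        if check_pc_symlink "$dir/$c"; then
            echo "$c: symlink to $c-pc"
        else
            echo "$c: not a symlink to $c-pc (pam-config would write $c-pc, which is not in use)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# --- constructed sample tree standing in for /etc/pam.d ---
PAMD=$(mktemp -d)
trap 'rm -rf "$PAMD"' EXIT

# gdm as quoted in the report: close before common-session, open after it.
cat > "$PAMD/gdm" <<'EOF'
#%PAM-1.0
auth     include  common-auth
account  include  common-account
password include  common-password
session  required pam_selinux.so close
session  required pam_loginuid.so
session  include  common-session
session  required pam_selinux.so open
EOF

# sshd with no pam_selinux.so entries (the reporter had not added them yet).
cat > "$PAMD/sshd" <<'EOF'
#%PAM-1.0
auth     include  common-auth
account  include  common-account
password include  common-password
session  include  common-session
EOF

# xdm with the two entries reversed, so open would run before close.
cat > "$PAMD/xdm" <<'EOF'
#%PAM-1.0
session  required pam_selinux.so open
session  include  common-session
session  required pam_selinux.so close
EOF

# common-auth as pam-config expects (symlink to common-auth-pc) and
# common-session as a plain file, reproducing the warning from comment #5.
printf 'auth     required pam_unix.so\n' > "$PAMD/common-auth-pc"
ln -s common-auth-pc "$PAMD/common-auth"
printf 'session  required pam_unix.so\n' > "$PAMD/common-session"

audit_pamd "$PAMD" && echo "all checks passed" || echo "failing checks: $?"
```

Pointed at the real /etc/pam.d, audit_pamd prints one verdict line per file and exits with the number of failing checks, so it slots into a post-install check without further parsing.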
http://bugzilla.novell.com/show_bug.cgi?id=582366#c

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Security                    |Security
            Version|Final                       |Milestone 4
         AssignedTo|thomas@novell.com           |security-team@suse.de
            Product|openSUSE 11.2               |openSUSE 11.3
http://bugzilla.novell.com/show_bug.cgi?id=582366#c

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|security-team@suse.de       |thomas@novell.com
http://bugzilla.novell.com/show_bug.cgi?id=582366#c6

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #6 from Thomas Biege <thomas@novell.com> 2010-04-08 15:03:40 UTC ---
done. fate#309275 will be in next milestone for 11.3
http://bugzilla.novell.com/show_bug.cgi?id=582366#c7

--- Comment #7 from Justin mattock <justinmattock@gmail.com> 2010-04-08 17:27:19 UTC ---
o.k. looks good.