fedora-selinux August 2010 archive

Re: Create denial on nshadow when logging in with an expired password

From: Dominick Grift <domg472_at_nospam>
Date: Fri Aug 20 2010 - 18:40:06 GMT
To: selinux@lists.fedoraproject.org

On 08/20/2010 08:31 PM, Patrice GILLET (Ingenico Partner) wrote:
> Hi everyone,
>
>
>
> I'm running selinux-policy-strict 2.4.6-279.el5_5.1 (Redhat), and I get
> a denial when a user logs on (via SSH) with an expired password. The
> procedure for getting the new password goes fine, but the update of
> shadow fails and the login is refused. The audit messages are the
> following:
>
>
>
> type=USER_AUTH msg=audit(1282326913.918:472): user pid=14136 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM:
> authentication acct="testupgrader" : exe="/usr/sbin/sshd"
> (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=failed)'
>
> type=USER_LOGIN msg=audit(1282326913.918:473): user pid=14136 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023
> msg='acct="testupgrader": exe="/usr/sbin/sshd" (hostname=?,
> addr=xx.xx.xx.xx, terminal=sshd res=failed)'
>
> type=USER_AUTH msg=audit(1282326917.387:474): user pid=14136 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM:
> authentication acct="testupgrader" : exe="/usr/sbin/sshd"
> (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'
>
> type=USER_ACCT msg=audit(1282326917.388:475): user pid=14136 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM:
> accounting acct="testupgrader" : exe="/usr/sbin/sshd"
> (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=failed)'
>
> type=CRED_ACQ msg=audit(1282326917.393:476): user pid=14136 uid=0
> auid=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM:
> setcred acct="testupgrader" : exe="/usr/sbin/sshd"
> (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx, terminal=ssh res=success)'
>
> type=LOGIN msg=audit(1282326917.393:477): login pid=14136 uid=0 old
> auid=4294967295 new auid=508 old ses=4294967295 new ses=26
>
> type=USER_START msg=audit(1282326917.393:478): user pid=14136 uid=0
> auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session
> open acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx,
> addr=xx.xx.xx.xx, terminal=ssh res=success)'
>
> type=CRED_REFR msg=audit(1282326917.394:479): user pid=14138 uid=0
> auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred
> acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx,
> addr=xx.xx.xx.xx, terminal=ssh res=success)'
>
> type=USER_LOGIN msg=audit(1282326917.397:480): user pid=14136 uid=0
> auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='uid=508:
> exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx, addr=xx.xx.xx.xx,
> terminal=/dev/pts/7 res=success)'
>
> type=AVC msg=audit(1282326929.157:481): avc: denied { create } for
> pid=14139 comm="passwd" name="nshadow"
> scontext=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0
> tcontext=system_u:object_r:shadow_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1282326929.157:481): arch=c000003e syscall=2
> success=no exit=-13 a0=2ad97d295a33 a1=241 a2=1b6 a3=241 items=0
> ppid=14138 pid=14139 auid=508 uid=508 gid=508 euid=0 suid=0 fsuid=0
> egid=508 sgid=508 fsgid=508 tty=pts7 ses=26 comm="passwd"
> exe="/usr/bin/passwd"
> subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 key=(null)
>
> type=USER_CHAUTHTOK msg=audit(1282326931.330:482): user pid=14139
> uid=508 auid=508 subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0
> msg='PAM: chauthtok acct="testupgrader" : exe="/usr/bin/passwd"
> (hostname=?, addr=?, terminal=pts/7 res=failed)'
>
> type=USER_CHAUTHTOK msg=audit(1282326931.330:483): user pid=14139
> uid=508 auid=508 subj=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0
> msg='op=change password id=508 exe="/usr/bin/passwd" (hostname=?,
> addr=?, terminal=pts/7 res=failed)'
>
> type=CRED_DISP msg=audit(1282326931.332:484): user pid=14136 uid=0
> auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: setcred
> acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx,
> addr=xx.xx.xx.xx, terminal=ssh res=success)'
>
> type=USER_END msg=audit(1282326931.332:485): user pid=14136 uid=0
> auid=508 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='PAM: session
> close acct="testupgrader" : exe="/usr/sbin/sshd" (hostname=xx.xx.xx.xx,
> addr=xx.xx.xx.xx, terminal=ssh res=success)'
>
>
>
> Audit2allow suggests to add auth_manage_shadow(e2ee_upgrader_t) to the
> local policy, but that doesn't change anything. Neither does adding
> allow e2ee_upgrader_t shadow_t:file { create }.
>
>
>
> What is really strange is that the very same user (after its password
> has been changed by root) can run passwd and set its password without
> any problem.

There is an extra protection in place to prevent users from adding
potentially dangerous rules like these.

Try this:

mkdir ~/mysshd; cd ~/mysshd;
echo "policy_module(mysshd, 1.0.0)" > mysshd.te;
echo "gen_require(\`" >> mysshd.te;
echo "type sshd_t;" >> mysshd.te;
echo "')" >> mysshd.te;
echo "usermanage_domtrans_passwd(sshd_t)" >> mysshd.te;
echo "usermanage_read_crack_db(sshd_t)" >> mysshd.te;
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mysshd.pp
sudo semodule -i mysshd.pp

>
>
> Any idea?
>
>
>
> Thanks in advance for any suggestion,
>
>
>
> Patrice.
>
>
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

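An added example, not part of this thread: a small parser for the AVC record quoted above that extracts the source and target types and applies the reply's diagnosis (a `passwd` process running outside `passwd_t` against `shadow_t` means the domain transition is missing, so the fix is a domtrans rule for the parent domain, not a file permission on the user's domain). The sample line is the thread's own record reflowed onto one line; the category names returned by `diagnose` are this example's own.

```python
import re

# Constructed sample input: the AVC record quoted in the thread, reflowed
# onto one line as auditd writes it.
SAMPLE_AVC = (
    'type=AVC msg=audit(1282326929.157:481): avc: denied { create } for '
    'pid=14139 comm="passwd" name="nshadow" '
    'scontext=e2ee_upgrader_u:e2ee_upgrader_r:e2ee_upgrader_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line into a dict; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, raw in KV_RE.findall(m.group(3)):
        rec[key] = raw.strip('"')
    # An SELinux context is user:role:type[:range]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def diagnose(rec):
    """Classify a denial against shadow_t, following the reasoning in the thread above."""
    if rec is None or rec["result"] != "denied" or rec["target_type"] != "shadow_t":
        return "not-a-shadow-denial"
    if rec["source_type"] == "passwd_t":
        # passwd is already in its own domain; a denial here is a policy bug,
        # not a missing transition.
        return "denied-in-passwd_t"
    if rec.get("comm") == "passwd":
        # passwd is running in the caller's domain (here e2ee_upgrader_t), so no
        # transition to passwd_t took place. Granting that domain write access to
        # shadow_t is the dangerous rule the reply warns about; the fix is a
        # domtrans rule (usermanage_domtrans_passwd) for the parent domain.
        return "missing-domain-transition"
    return "non-passwd-access-to-shadow"
```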