RHEL-121158 (project: RHEL)

pam_ssh_agent_auth requires additional SELinux rules for confined users


      What were you trying to do that didn't work?

      A customer is using pam_ssh_agent_auth to authenticate through sudo from a user confined to staff_u.
      With the current policy this doesn't work when sudo is issued from a graphical terminal (i.e. with gnome-keyring acting as the SSH agent).
      The following AVCs pop up:

      allow staff_sudo_t gkeyringd_tmp_t:dir search;
      allow staff_sudo_t gkeyringd_tmp_t:sock_file { getattr write };
      allow staff_sudo_t staff_gkeyringd_t:unix_stream_socket connectto;
      

      What is the impact of this issue to you?

      Breaks sudo functionality

      Please provide the package NVR for which the bug is seen:

      sudo-1.9.5p2-10.el9_6.2
      selinux-policy-38.1.53-5.el9_6
      pam_ssh_agent_auth-0.10.4-5.45.el9

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Install pam_ssh_agent_auth and configure it
        # yum -y install pam_ssh_agent_auth
        # cat /etc/pam.d/sudo
        #%PAM-1.0
        auth       sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys debug
        auth       include      system-auth
        [...]
        
        # grep SSH_AUTH /etc/sudoers
        Defaults    env_keep += "SSH_AUTH_SOCK"
        
      2. Login from the GUI as a user mapped to staff_u, generate SSH key and add it to authorized_keys and to keyring
        $ ssh-keygen
        $ cat .ssh/id_rsa.pub > .ssh/authorized_keys
        $ ssh-add .ssh/id_rsa
        
      3. sudo root
        $ sudo -i
        

        Expected results

        Sudo works

        Actual results

        A password is requested anyway, and hidden AVCs are logged.
        There is also an AVC on "init_t", apparently due to the PAM failure:

        type=PROCTITLE msg=audit(10/14/2025 11:07:28.878:688) : proctitle=sudo -i 
        type=PATH msg=audit(10/14/2025 11:07:28.878:688) : item=0 name=/proc/1/cgroup nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
        type=CWD msg=audit(10/14/2025 11:07:28.878:688) : cwd=/home/rmetrich 
        type=SYSCALL msg=audit(10/14/2025 11:07:28.878:688) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffffbc7f0f0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=3518 pid=3766 auid=rmetrich uid=rmetrich gid=rmetrich euid=root suid=root fsuid=root egid=rmetrich sgid=rmetrich fsgid=rmetrich tty=pts0 ses=3 comm=sudo exe=/usr/bin/sudo subj=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 key=(null) 
        type=AVC msg=audit(10/14/2025 11:07:28.878:688) : avc:  denied  { search } for  pid=3766 comm=sudo name=1 dev="proc" ino=13215 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0 
        
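The three allow rules in the report are the consolidated form of the raw AVC records, and the init_t denial is a separate, downstream symptom. The following script is an added example, not code from the report, from Red Hat or from the selinux-policy project: it parses `ausearch -i`-style AVC lines, groups them by (source type, target type, class) the way audit2allow does, filters out everything that is not part of the gnome-keyring agent path, and renders a local policy module source for the remaining rules. The gkeyringd sample lines, their paths and inode numbers are constructed to match the rules in the report; only the init_t line is the one quoted above. The module name `local_pam_ssh_agent_auth` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `ausearch -i`-style output. Only the last line is the
# init_t denial quoted in the report; the four gkeyringd lines are made up to
# match the allow rules the report lists (paths and inode numbers are invented).
SAMPLE_AUDIT = """\
type=AVC msg=audit(10/14/2025 11:07:28.870:685) : avc:  denied  { search } for  pid=3766 comm=sudo name=keyring dev="tmpfs" ino=41 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gkeyringd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(10/14/2025 11:07:28.871:686) : avc:  denied  { getattr } for  pid=3766 comm=sudo path="/run/user/1000/keyring/ssh" dev="tmpfs" ino=42 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gkeyringd_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(10/14/2025 11:07:28.871:686) : avc:  denied  { write } for  pid=3766 comm=sudo name=ssh dev="tmpfs" ino=42 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:gkeyringd_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(10/14/2025 11:07:28.872:687) : avc:  denied  { connectto } for  pid=3766 comm=sudo path="/run/user/1000/keyring/ssh" scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_gkeyringd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(10/14/2025 11:07:28.878:688) : avc:  denied  { search } for  pid=3766 comm=sudo name=1 dev="proc" ino=13215 scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
"""

# Pull the denied permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def group_denials(audit_text):
    """Map (source type, target type, object class) -> set of denied permissions.
    Merging per key is the same consolidation audit2allow performs."""
    groups = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        groups[key].update(m["perms"].split())
    return dict(groups)


def fmt_perms(perms):
    """Single permission bare, several inside braces, as policy syntax expects."""
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"


def allow_rules(groups):
    """One allow rule per group, in a stable order."""
    return [f"allow {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(groups.items())]


# Types owned by gnome-keyring: its socket directory and the daemon itself.
KEYRING_TYPES = {"gkeyringd_tmp_t", "staff_gkeyringd_t"}


def keyring_denials(groups):
    """Keep only denials against gnome-keyring; the init_t denial is a
    consequence of the PAM failure and must not end up in the workaround."""
    return {k: v for k, v in groups.items() if k[1] in KEYRING_TYPES}


def render_te(module_name, groups):
    """Emit policy module source (.te) in the layout audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in groups.items():
        types.update((s, t))
        classes[c].update(perms)
    lines = [f"module {module_name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += allow_rules(groups)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    groups = group_denials(SAMPLE_AUDIT)
    print(render_te("local_pam_ssh_agent_auth", keyring_denials(groups)))
```

The rendered `.te` is compiled and loaded the usual way (`checkmodule -M -m -o x.mod x.te`, `semodule_package -o x.pp -m x.mod`, `semodule -i x.pp`) as a stop-gap until the selinux-policy fix ships, and it contains only the three gkeyringd rules from the report: leaving init_t out of the module keeps the workaround scoped to the agent path. Denials hidden by dontaudit rules only show up in the audit log after `semodule -DB`; `semodule -B` restores the default.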

              Zdenek Pytela (rhn-support-zpytela)
              Renaud Métrich (rhn-support-rmetrich)
              SSG Security QE