RHEL-16708

Confined user's sudo fails to authenticate with RSA PAM due to AVC

    • Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-9.4
    • rhel-9.3.0
    • selinux-policy
    • selinux-policy-38.1.28-1.el9
    • Medium
    • sst_security_selinux
    • ssg_security
    • QE ack
    • Red Hat Enterprise Linux
    • The sudo command executed by confined users like sysadm_u or staff_u can search the /var/ace directory as required by a 3rd party PAM library.
    • Previously, selinux-policy did not allow sudo to read files in the /var/auth directory. This is needed e.g. when there is the pam_securid module in the PAM stack to provide RSA authentication. With this update, the policy allows the access.

      What were you trying to do that didn't work?

      Some customers authenticate through a 3rd party RSA solution, which puts a pam_securid.so library in the PAM stack.

      When the user is confined to sysadm_u or staff_u, the user cannot sudo because of a permission issue on the related /var/ace directory:

      1577224 [sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023] 09:44:34.606763 openat(AT_FDCWD</home/testuser>, "/var/ace/lib/64bit/libpamrest.so" [system_u:object_r:textrel_shlib_t:s0], O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) <0.000080>
      

      The related AVC is hidden by default. It concerns /var/ace, which is labeled var_auth_t, a type that is not searchable by sysadm_sudo_t (or staff_sudo_t):

      [root@vm-rhel9 ~]# sesearch -A -s sysadm_sudo_t -t var_auth_t -c dir -p search
      --> no rule
      [root@vm-rhel9 ~]# sesearch -A -s staff_sudo_t -t var_auth_t -c dir -p search
      --> no rule 

      Digging further, the context for /var/ace was changed from auth_cache_t to var_auth_t 12 years ago in the upstream policy:

      commit 0703a8c886eb47fe7b1124572e5cd2fab0249817
      Author: Dan Walsh <dwalsh@redhat.com>
      Date:   Fri Dec 2 14:03:03 2011 -0500
      
          Policy cleanup for upstream acceptance
      ---
       policy/modules/system/authlogin.fc | 3 ++-
       1 file changed, 2 insertions(+), 1 deletion(-)
      
      diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
      index a004698ad..a13830af9 100644
      --- a/policy/modules/system/authlogin.fc
      +++ b/policy/modules/system/authlogin.fc
      @@ -31,8 +31,9 @@ ifdef(`distro_gentoo', `
       /usr/sbin/unix_chkpwd  --      gen_context(system_u:object_r:chkpwd_exec_t,s0)
       ')
       
      +/var/ace(/.*)?                 gen_context(system_u:object_r:var_auth_t,s0)
      +
       /var/cache/coolkey(/.*)?       gen_context(system_u:object_r:auth_cache_t,s0)
      -/var/ace(/.*)?                 gen_context(system_u:object_r:auth_cache_t,s0)
       
       /var/db/shadow.*       --      gen_context(system_u:object_r:shadow_t,s0) 
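
      Review bot: the .fc move of /var/ace(/.*)? from auth_cache_t to var_auth_t in this hunk is not paired with any allow rules for var_auth_t, so every domain that could traverse /var/ace only through its auth_cache_t rules silently loses that access after relabeling. The sesearch output in this report shows exactly that gap: the sudo domains hold dir { getattr open search } on auth_cache_t and have no rule at all on var_auth_t. A relabel of a path that existing domains depend on should ship with the equivalent rule for the new type, e.g. allow sudodomain var_auth_t:dir { getattr open search };, or a check that the affected domains' interfaces already cover var_auth_t.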

      auth_cache_t has the rules, but not var_auth_t, which is a bug:

      [root@vm-rhel9 ~]# sesearch -A -s sudodomain -t auth_cache_t -c dir -p search
      allow auditadm_sudo_t auth_cache_t:dir { getattr open search };
      allow dbadm_sudo_t auth_cache_t:dir { getattr open search };
      allow secadm_sudo_t auth_cache_t:dir { getattr open search };
      allow staff_sudo_t auth_cache_t:dir { getattr open search };
      allow sysadm_sudo_t auth_cache_t:dir { getattr open search };
      

      The customer confirmed that the missing rules are:

      allow sudodomain var_auth_t:dir { getattr open search };
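
      Until the fixed selinux-policy build is installed, the rule above can be carried in a local policy module. The following is an added example, not code from the issue or from the selinux-policy project; the module name local_var_auth_sudo is made up, and the block only grants the dir permissions the report names, then verifies them with the same sesearch query used above.

```shell
# Added example (not from the Jira issue): package the rule the report identifies
# as missing into a local SELinux policy module, an interim workaround until the
# fixed selinux-policy build is installed. The module name is constructed.
MODULE=local_var_auth_sudo

# Emit the type-enforcement source. Only the dir permissions named in the issue
# are granted; files below /var/ace are not opened up.
render_te() {
    cat <<EOF
module ${MODULE} 1.0;

require {
    attribute sudodomain;
    type var_auth_t;
    class dir { getattr open search };
}

# Same dir permissions the sudo domains already hold on auth_cache_t.
allow sudodomain var_auth_t:dir { getattr open search };
EOF
}

# Compile and load the module (root; needs checkpolicy and policycoreutils).
install_module() {
    render_te > "${MODULE}.te"
    checkmodule -M -m -o "${MODULE}.mod" "${MODULE}.te"
    semodule_package -o "${MODULE}.pp" -m "${MODULE}.mod"
    semodule -i "${MODULE}.pp"
}

# Confirm the rule now exists for the two domains from the report and that
# /var/ace really carries var_auth_t here. The denial itself is dontaudited;
# 'semodule -DB' exposes it in audit.log while debugging, 'semodule -B' hides it again.
verify() {
    for d in sysadm_sudo_t staff_sudo_t; do
        sesearch -A -s "$d" -t var_auth_t -c dir -p search
    done
    matchpathcon /var/ace
}

# After updating to selinux-policy-38.1.28-1.el9 or later, drop the local module.
remove_module() {
    semodule -r "${MODULE}"
}

case "${1:-}" in
    install) install_module ;;
    verify)  verify ;;
    remove)  remove_module ;;
esac
```

      Run it as `sh local_var_auth_sudo.sh install` then `verify`; the `remove` action keeps the distribution policy as the only source of the rule once the errata package is in place.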
      

      Please provide the package NVR for which bug is seen:

      selinux-policy All including Upstream

      How reproducible:

      Always with RSA authentication, cannot reproduce internally

            Zdenek Pytela (rhn-support-zpytela)
            Renaud Métrich (rhn-support-rmetrich)
            Nikola Kňažeková (Inactive)
            SSG Security QE