RHEL-2606

selinux denial on wtmp log file - when user runs sudo su as a confined user

    • selinux-policy-3.14.3-137.el8
    • Medium
    • sst_security_selinux
    • ssg_security
    • Red Hat Enterprise Linux

      REPRODUCER
      ~~~~~~~~~~~
      1- Set up the sudo configuration by adding the following line to the sudoers file.
      %wheel ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

      2- Set up wtmp updates with the following line in /etc/pam.d/postlogin
      session required pam_lastlog.so showfailed

      3- Create a user, give it a password and make it sudoable

      1. useradd confineduser
      2. passwd confineduser
      3. usermod -aG wheel confineduser

      4- Map the user to the confined SELinux user staff_u

      1. semanage login -a -s staff_u confineduser

      5- Log in as the confined user and run sudo su

      1. ssh confineduser@localhost
      2. sudo su

      6- Check for the AVC denial

      1. ausearch -i -m avc -o wtmp_t

      The result is an AVC and also a failure to update the log with the login information. The expectation is that the file will be opened with O_APPEND so that security logs will be written without compromise.

    • Release Note Not Required

      ISSUE DESCRIPTION
      When a customer has a "postlogin" configuration that updates the wtmp log file, and a sysadm-confined user then runs the su command, the result is an AVC (SELinux) denial and a failure to write to the log.

      I'm opening this bug for "pam" because the SELinux policy is working as expected by blocking write access to the log file.

      This is easily reproducible, I will add exact reproducer steps below.

      DATA ANALYSIS
      ~~~~~~~~~~~~
      Here is the AVC denial. It denies write access to the /var/log/wtmp file for a process running in the sysadm_su_t context.
      ------------------------------------------------------------------------------------
      node=node1.cl.nc3.org type=PROCTITLE msg=audit(08/03/2023 14:56:22.350:256737) : proctitle=sesh /bin/su
      node=node1.cl.nc3.org type=PATH msg=audit(08/03/2023 14:56:22.350:256737) : item=0 name=/var/log/wtmp inode=25 dev=08:0a mode=file,664 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:wtmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
      node=node1.cl.nc3.org type=CWD msg=audit(08/03/2023 14:56:22.350:256737) : cwd=/home/rlane
      node=node1.cl.nc3.org type=SYSCALL msg=audit(08/03/2023 14:56:22.350:256737) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x7fa86f9fea59 a2=O_WRONLY a3=0x0 items=1 ppid=44644 pid=44645 auid=rlane uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=su exe=/usr/bin/su subj=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 key=perm_access
      node=node1.cl.nc3.org type=AVC msg=audit(08/03/2023 14:56:22.350:256737) : avc: denied { write } for pid=44645 comm=su name=wtmp dev="sda10" ino=25 scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=0
      ------------------------------------------------------------------------------------

      Here is the corresponding SELinux policy rule. It grants append but not write, which shows that write is intentionally not allowed.
      ------------------------------------------------------------------------------------
      allow sysadm_su_t wtmp_t:file { append getattr ioctl lock open read };
      ------------------------------------------------------------------------------------

      Here is the syscall trace, where the openat call opens the file write-only (O_WRONLY) rather than append-only.
      ------------------------------------------------------------------------------------
      openat(AT_FDCWD</home/confinedUser>, "/var/log/wtmp", O_WRONLY) = -1 EACCES (Permission denied)
      ------------------------------------------------------------------------------------

      For security purposes, this operation should only open the log file with the append-only option, so that a compromised user login can't remove security logs.

      This is the call chain responsible for the open:

      function=last_login_write from file=/usr/lib64/security/pam_lastlog.so
      triggers
      function=logwtmp from file=/usr/lib64/libutil-2.28.so
      triggers
      function=__libc_updwtmp from file=/usr/lib64/libc-2.28.so

      This is the source code for __libc_updwtmp.
      ------------------------------------------------------------------------------------
      460 int
      461 __libc_updwtmp (const char *file, const struct utmp *utmp)
      462 {
      463   int result = -1;
      464   off64_t offset;
      465   int fd;
      466
      467   /* Open WTMP file.  */
      468   fd = __open_nocancel (file, O_WRONLY | O_LARGEFILE);
      ------------------------------------------------------------------------------------

      Line 468 is opening the file with O_WRONLY flag and not including the O_APPEND flag.
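      An added example, not glibc's or pam_lastlog's code, of the behaviour the report expects: a wtmp record writer that opens with O_WRONLY | O_APPEND, so that under SELinux the kernel checks the append permission granted by the allow rule above instead of write, plus a read-back helper. The file path, user name and pids in the demo are constructed.

```c
/* Added example (not glibc's or pam_lastlog's code): an append-only wtmp writer.
 * Opening with O_APPEND makes SELinux check "append", which the page's rule grants. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmp.h>

/* Append one record to `file`; returns 0 on success, -1 on any failure. */
int updwtmp_append(const char *file, const struct utmp *ut)
{
    int fd = open(file, O_WRONLY | O_APPEND);   /* not bare O_WRONLY as in __libc_updwtmp */
    if (fd < 0) return -1;
    /* Defensive check: never write through a descriptor that is not append-only. */
    int fl = fcntl(fd, F_GETFL);
    ssize_t n = (fl < 0 || !(fl & O_APPEND)) ? -1 : write(fd, ut, sizeof *ut);
    close(fd);
    return n == (ssize_t)sizeof *ut ? 0 : -1;
}
/* Return the pid stored in record `idx` of a wtmp-format file, or -1. */
int wtmp_record_pid(const char *file, int idx)
{
    struct utmp ut;
    int fd = open(file, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = lseek(fd, (off_t)idx * (off_t)sizeof ut, SEEK_SET) < 0 ? -1 : read(fd, &ut, sizeof ut);
    close(fd);
    return n == (ssize_t)sizeof ut ? (int)ut.ut_pid : -1;
}
/* Demo on a constructed file: recreate `path`, append two made-up login records
 * for "confineduser" (pids 4242 and 4243), and return the resulting record count. */
int demo_append_two(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0664);
    if (fd < 0) return -1;
    close(fd);
    struct utmp ut;
    memset(&ut, 0, sizeof ut);
    ut.ut_type = USER_PROCESS;
    strncpy(ut.ut_user, "confineduser", sizeof ut.ut_user - 1);
    strncpy(ut.ut_line, "pts/0", sizeof ut.ut_line - 1);
    for (ut.ut_pid = 4242; ut.ut_pid <= 4243; ut.ut_pid++)
        if (updwtmp_append(path, &ut) != 0)
            return -1;
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_size / sizeof ut) : -1;
}
```

      On a system where /var/log/wtmp is labelled wtmp_t, the same open() with O_APPEND is what lets the existing append permission suffice; the fcntl check also catches a descriptor whose O_APPEND flag was later cleared.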
