RHEL-77745

SELinux policy preventing PAM stack execution when login executes.

    • selinux-policy-38.1.57-1.el9
    • Important
    • rhel-security-selinux
    • Red Hat Enterprise Linux
    • Release Note Not Required

      Q. What were you trying to do that didn't work?
      ===> After setting the nofile limit for the root or any other user to unlimited, that particular user is unable to log in with SELinux in enforcing mode.

      Q. What is the impact of this issue to you?
      =====> Unable to log in.


      Please provide the package NVR for which the bug is seen:
      ===>
      selinux-policy-38.1.45-3.el9_5.noarch
      selinux-policy-targeted-38.1.45-3.el9_5.noarch  


      Q. How reproducible is this bug?:
      ===> Every time after setting the nofile limit to unlimited.


      Steps to reproduce:
      -----------------------

      [1] Set the nofile limit to unlimited and try to log in. Login will fail with a Permission denied error. SELinux generates the following logs. Below are the logs from my test VM.
      ----------------
      Feb  4 11:44:30 rhel9 setroubleshoot[1542]: SELinux is preventing /usr/bin/login from getattr access on the file /proc/sys/fs/nr_open. For complete SELinux messages run: sealert -l 2afa1d9e-6626-41a8-97bd-0b319972fb3b
      Feb  4 11:44:30 rhel9 setroubleshoot[1542]: SELinux is preventing /usr/bin/login from getattr access on the file /proc/sys/fs/nr_open.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that login should be allowed getattr access on the nr_open file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'login' --raw | audit2allow -M my-login#012# semodule -X 300 -i my-login.pp#012
      ----------------

      Upon stracing the agetty process, we found an error reading the current acceptable value ("unlimited" cannot be used as an argument to prlimit64(RLIMIT_NOFILE)):
      --------------
      67114 [system_u:system_r:local_login_t:s0-s0:c0.c1023] 13:13:44.653524 read(3</etc/security/limits.d/99-maxlogins.conf> [unconfined_u:object_r:etc_t:s0!!system_u:object_r:etc_t:s0], "# Added 20230310 to allow remote syncer account\n# from the labnet server to start all rsync jobs\n# at once instead of having to stagger the times\n# in cron. Ensure MaxSessions and MaxStartups is\n# set correctly in sshd_config for everything to\n# work corre"..., 4096) = 593 <0.000029>
      67114 [system_u:system_r:local_login_t:s0-s0:c0.c1023] 13:13:44.653795 openat(AT_FDCWD</>, "/proc/sys/fs/nr_open" [system_u:object_r:sysctl_fs_t:s0], O_RDONLY) = -1 EACCES (Permission denied) <0.000109>
      -----------------

      Above, the EACCES generates the AVC. The limits code tries to read the nr_open value for the system; this is what fails. If we compare it with the sshd strace, we see that it works for sshd. Example:
      --------------------

      1. grep -w ^1774 sshd.strace | grep -A4 /proc/sys/fs/nr_open
        1774  [sshd_t] 07:42:47.216659 openat(AT_FDCWD</>, "/proc/sys/fs/nr_open" [sysctl_fs_t], O_RDONLY) = 5</proc/sys/fs/nr_open> [sysctl_fs_t] <0.000024>
        1774  [sshd_t] 07:42:47.216755 fstat(5</proc/sys/fs/nr_open> [sysctl_fs_t], {st_dev=makedev(0, 0x14), st_ino=11773, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=0, st_size=0, st_atime=1738564803 /* 2025-02-03T07:40:03.371000000+0100 */, st_atime_nsec=371000000, st_mtime=1738564803 /* 2025-02-03T07:40:03.371000000+0100 */, st_mtime_nsec=371000000, st_ctime=1738564803 /* 2025-02-03T07:40:03.371000000+0100 */, st_ctime_nsec=371000000}) = 0 <0.000005>
        1774  [sshd_t] 07:42:47.216785 read(5</proc/sys/fs/nr_open> [sysctl_fs_t], "1073741816\n", 1024) = 11 <0.000007>
        1774  [sshd_t] 07:42:47.216809 close(5</proc/sys/fs/nr_open> [sysctl_fs_t]) = 0 <0.000006>
        1774  [sshd_t] 07:42:47.216831 read(3</etc/security/limits.d/99-nofile.conf> [etc_t], "", 4096) = 0 <0.000005>
        1774  [sshd_t] 07:42:47.216852 close(3</etc/security/limits.d/99-nofile.conf> [etc_t]) = 0 <0.000005>
        1774  [sshd_t] 07:42:47.216874 prlimit64(0, RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1073741816}, NULL) = 0 <0.000006>
        1774  [sshd_t] 07:42:47.216894 setpriority(PRIO_PROCESS, 0, 0) = 0 <0.000006>
        ----------------------

      Above, for sshd the limit is read from the system and then applied using prlimit64(RLIMIT_NOFILE).

      Expected results
      ==> The user should be able to log in with SELinux enforcing.

      Actual results:
      ===> Currently, SELinux is blocking the login.
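      As an added example (not part of this report and not code from selinux-policy or pam_limits), the following Python mirrors the mechanism the traces above show and gives an administrator two checks before switching to enforcing mode: it scans limits.conf-style text for nofile entries set to "unlimited" (the configuration that triggers the denial), resolves such an entry the way the sshd strace shows, by substituting the value read from /proc/sys/fs/nr_open, and flags setroubleshoot syslog lines that match this failure (login denied access to /proc/sys/fs/nr_open). The limits.d text and syslog lines are constructed samples; the nr_open value 1073741816 is the one read in the sshd strace above. The function and variable names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample limits.d drop-in (not the reporter's file). Two entries set
# nofile to "unlimited", which is the configuration that triggers the report.
SAMPLE_LIMITS_CONF = """\
# constructed sample
*        soft    nproc     4096
root     -       nofile    unlimited
syncer   hard    nofile    65536
@admins  soft    nofile    unlimited
"""

# Constructed syslog lines in the setroubleshoot format quoted in the report.
# The sealert id is a placeholder, not a real alert.
SAMPLE_SYSLOG = """\
Feb  4 11:44:30 rhel9 setroubleshoot[1542]: SELinux is preventing /usr/bin/login from getattr access on the file /proc/sys/fs/nr_open. For complete SELinux messages run: sealert -l <uuid>
Feb  4 11:45:02 rhel9 setroubleshoot[1542]: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 8080.
Feb  4 11:45:10 rhel9 systemd[1]: Started Session 3 of User root.
"""

# <domain> <soft|hard|-> <item> <value>, after comments have been stripped.
LIMITS_RE = re.compile(r"^(\S+)\s+(soft|hard|-)\s+(\S+)\s+(\S+)$")

# "SELinux is preventing <source> from <perm> access on the <class> <target>."
# The target ends at the first "." followed by whitespace, end of line, or the
# "#012" newline escape that rsyslog uses in the report's second line.
SETROUBLESHOOT_RE = re.compile(
    r"SELinux is preventing (?P<source>\S+) from (?P<perm>\S+) access on the "
    r"(?P<tclass>\S+) (?P<target>.+?)\.(?=\s|$|#012)"
)


def parse_limits(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (domain, type, item, value) tuples from limits.conf-style text,
    ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LIMITS_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def unlimited_nofile_domains(text: str) -> List[str]:
    """Users/groups whose nofile limit is 'unlimited' - the setting that makes
    the PAM limits code read /proc/sys/fs/nr_open during login."""
    return [domain for domain, _type, item, value in parse_limits(text)
            if item == "nofile" and value.lower() == "unlimited"]


def parse_nr_open(content: str) -> int:
    """Parse the text of /proc/sys/fs/nr_open (e.g. '1073741816\\n')."""
    return int(content.strip())


def resolve_nofile(value: str, nr_open: int) -> int:
    """Mirror the substitution visible in the sshd strace: RLIMIT_NOFILE cannot
    be set to unlimited, so 'unlimited' is replaced by the kernel's fs.nr_open.
    Numeric values are used as written."""
    if value.lower() == "unlimited":
        return nr_open
    return int(value)


def find_login_nr_open_denials(syslog: str) -> List[Dict[str, str]]:
    """Flag setroubleshoot messages matching this report's failure: the login
    binary denied access to /proc/sys/fs/nr_open."""
    hits = []
    for line in syslog.splitlines():
        m = SETROUBLESHOOT_RE.search(line)
        if not m:
            continue
        fields = m.groupdict()
        if fields["source"].endswith("/login") and fields["target"] == "/proc/sys/fs/nr_open":
            hits.append(fields)
    return hits


if __name__ == "__main__":
    print("domains with nofile=unlimited:", unlimited_nofile_domains(SAMPLE_LIMITS_CONF))
    nr_open = parse_nr_open("1073741816\n")  # value sshd read in the report's strace
    print("effective nofile for 'unlimited':", resolve_nofile("unlimited", nr_open))
    for hit in find_login_nr_open_denials(SAMPLE_SYSLOG):
        print("denial matching this report:", hit)
```

      On a host, the two checks would be fed the contents of /etc/security/limits.conf and /etc/security/limits.d/*.conf and the messages log; a hit from the second check together with a domain from the first is the fingerprint of this bug, and the resolution is the fixed selinux-policy build listed above rather than a local audit2allow module.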

              Zdenek Pytela (rhn-support-zpytela)
              Abhijeet Joshi (rhn-support-abjoshi)
              Milos Malik