Bug
Resolution: Done-Errata
Major
selinux-policy-40.13.33-1.el10
Low
rhel-security-selinux
ssg_security
SELINUX 250625: 8
Pass
RegressionOnly
Release Note Not Required
Goal
- Allow cracklib-check to be used from RHCS to verify user-provided passwords.
- For example: there is a customer request to enforce user-provided passwords during certificate requests in RHCS. The enforcement can check with cracklib, but gets an error.
Acceptance criteria
A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.
- The following operation should be allowed.
[root@pki ~]# ausearch -m avc,user_avc,selinux_err -ts 03/04/2025 06:16:50
----
time->Tue Mar 4 06:16:53 2025
type=PROCTITLE msg=audit(1741087013.728:884): proctitle="/usr/sbin/cracklib-check"
type=PATH msg=audit(1741087013.728:884): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=10075 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1741087013.728:884): cwd="/usr/share/tomcat"
type=EXECVE msg=audit(1741087013.728:884): argc=1 a0="/usr/sbin/cracklib-check"
type=SYSCALL msg=audit(1741087013.728:884): arch=c000003e syscall=59 success=yes exit=0 a0=557f85ff32a0 a1=557f85ff3300 a2=7ffd3c5a3008 a3=7fda9fbd4e80 items=1 ppid=33812 pid=34056 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="cracklib-check" exe="/usr/sbin/cracklib-check" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1741087013.728:884): avc: denied { map } for pid=34056 comm="cracklib-check" path="/usr/sbin/cracklib-check" dev="vda1" ino=558735 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.728:884): avc: denied { execute_no_trans } for pid=34056 comm="jspawnhelper" path="/usr/sbin/cracklib-check" dev="vda1" ino=558735 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.728:884): avc: denied { read open } for pid=34056 comm="jspawnhelper" path="/usr/sbin/cracklib-check" dev="vda1" ino=558735 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.728:884): avc: denied { execute } for pid=34056 comm="jspawnhelper" name="cracklib-check" dev="vda1" ino=558735 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
----
time->Tue Mar 4 06:16:53 2025
type=PROCTITLE msg=audit(1741087013.729:885): proctitle="/usr/sbin/cracklib-check"
type=PATH msg=audit(1741087013.729:885): item=0 name="/usr/share/cracklib/pw_dict.pwd" inode=6168980 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:crack_db_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1741087013.729:885): cwd="/usr/share/tomcat"
type=SYSCALL msg=audit(1741087013.729:885): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7fff5d78cc70 a2=0 a3=0 items=1 ppid=33812 pid=34056 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="cracklib-check" exe="/usr/sbin/cracklib-check" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1741087013.729:885): avc: denied { open } for pid=34056 comm="cracklib-check" path="/usr/share/cracklib/pw_dict.pwd" dev="vda1" ino=6168980 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.729:885): avc: denied { read } for pid=34056 comm="cracklib-check" name="pw_dict.pwd" dev="vda1" ino=6168980 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.729:885): avc: denied { search } for pid=34056 comm="cracklib-check" name="cracklib" dev="vda1" ino=6168893 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=1
----
time->Tue Mar 4 06:16:53 2025
type=PROCTITLE msg=audit(1741087013.729:886): proctitle="/usr/sbin/cracklib-check"
type=SYSCALL msg=audit(1741087013.729:886): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff5d78bac0 a2=7fff5d78bac0 a3=0 items=0 ppid=33812 pid=34056 auid=4294967295 uid=17 gid=17 euid=17 suid=17 fsuid=17 egid=17 sgid=17 fsgid=17 tty=(none) ses=4294967295 comm="cracklib-check" exe="/usr/sbin/cracklib-check" subj=system_u:system_r:tomcat_t:s0 key=(null)
type=AVC msg=audit(1741087013.729:886): avc: denied { getattr } for pid=34056 comm="cracklib-check" path="/usr/share/cracklib/pw_dict.pwi" dev="vda1" ino=6168981 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
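
The AVC records above reduce to three source/target/class tuples. As an added example (not part of the ticket and not the change shipped in selinux-policy), this Python script groups the denials in the style of audit2allow and emits raw allow rules; the SAMPLE lines are condensed from the records above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# AVC records condensed from the ticket's ausearch output (path, name, dev and
# ino fields dropped; contexts, class and permissions are unchanged).
SAMPLE = """\
type=AVC msg=audit(1741087013.728:884): avc: denied { map } for pid=34056 comm="cracklib-check" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.728:884): avc: denied { execute_no_trans } for pid=34056 comm="jspawnhelper" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.728:884): avc: denied { read open } for pid=34056 comm="jspawnhelper" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.728:884): avc: denied { execute } for pid=34056 comm="jspawnhelper" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.729:885): avc: denied { open } for pid=34056 comm="cracklib-check" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.729:885): avc: denied { read } for pid=34056 comm="cracklib-check" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
type=AVC msg=audit(1741087013.729:885): avc: denied { search } for pid=34056 comm="cracklib-check" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1741087013.729:886): avc: denied { getattr } for pid=34056 comm="cracklib-check" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def group_denials(log_text):
    """Return {(source_type, target_type, tclass): set_of_permissions}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL, PATH, CWD, ...) are skipped
            key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render one allow rule per tuple, with permissions de-duplicated and sorted."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]

if __name__ == "__main__":
    print("\n".join(to_allow_rules(group_denials(SAMPLE))))
```

Every record carries permissive=1 and the SYSCALL records show success=yes, so the run was not stopped at the first denial and the later accesses were logged as well.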
- links to RHBA-2025:147963 (selinux-policy bug fix and enhancement update)