Bug 1680961 - pam_selinux - check whether undefined object classes or permissions are allowed or denied in the current policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: sync-to-jira2
Depends On:
Blocks:
Reported: 2019-02-25 15:16 UTC by Petr Lautrbach
Modified: 2020-04-02 00:31 UTC (History)

Fixed In Version: pam-1.3.1-24.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-02 00:31:13 UTC
Type: Bug
Embargoed:



Description Petr Lautrbach 2019-02-25 15:16:54 UTC
Description of problem:

See https://lore.kernel.org/selinux/819a099c-8d9d-5e07-7f3a-c7863254ce92@tycho.nsa.gov/T/#m9d2a65850abf5bfb2ea4baacd384055f66f6986c for a bigger perspective.

When an SELinux policy is being built, it can be set to allow or deny unknown classes and permissions. While Fedora defines the "context" class, there are 3rd party policies like the one used in kernel/scripts/selinux which don't define this class but are built with handle unknown set to allow.

pam_selinux directly calls string_to_security_class(), string_to_av_perm(), and security_compute_av() instead of using selinux_check_access(), so it doesn't honor allow_unknown presently and mls_range_allowed() fails even when there's a policy with "allow" unknown classes.

Could pam_selinux be changed in order to check security_deny_unknown() and handle failures of string_to_security_class()/string_to_av_perm() accordingly?

It should be just a matter of adding calls to security_deny_unknown() in the error handling paths for both string_*() mapping functions and returning success instead of failure if it returns 0.

Comment 1 Tomas Mraz 2019-02-26 08:31:58 UTC
What about the option of using selinux_check_access()? Wouldn't it be better? The patch would be slightly bigger but it would avoid adding unnecessary logic into the pam_selinux.

Comment 2 dac.override 2019-02-26 08:34:16 UTC
That would be better, thanks.

Comment 3 dac.override 2019-02-26 08:35:12 UTC
... at least, I think it would.

Comment 4 dac.override 2019-02-26 08:47:33 UTC
Stephen mentions overhead of an AVC as a possible reason not to use selinux_check_access(). If that overhead is negligible or otherwise not such a big deal, then I would prefer using selinux_check_access() as this might simplify the code and make it more robust.

Comment 5 Petr Lautrbach 2019-03-20 17:26:28 UTC
According to the code and my tests, there's approximately 32K memory overhead for the libselinux userspace AVC when selinux_check_access() is used. So if it doesn't matter, it seems to be better to use selinux_check_access() as it would simplify the code. I'll try to prepare a patch for that.

Comment 6 Ben Cotton 2019-08-13 17:08:44 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 7 Ben Cotton 2019-08-13 19:30:55 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 8 Iker Pedrosa 2020-03-05 15:15:11 UTC
I think that I have a solution for this bug but I'd like to test it first. Could you please indicate to me a simple way of testing the happy and unhappy paths?

Comment 9 dac.override 2020-03-06 08:11:38 UTC
I am not sure if the following is considered simple, or if it is even a conclusive test, but if you provide me with a scratch build then I can test it as well:

Remove the "context {contains translate}" access vector and any references to it from the policy.
Then, assuming "handle unknown" is set to allow, try to log in with ssh. If SSH blocks the login then it does not work. If SSH allows the login then it works.

To double check that this is really applicable, you can remove the "env_params" option from the pam_selinux line in /etc/pam.d/sshd. That way SSH should log you in regardless, because then pam_selinux does not hit the code that relies on this functionality.
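
As a pre-check for the test procedure above (an added example, not code from the bug report or from pam_selinux): this script reads the two selinuxfs nodes that libselinux consults, class/context/perms/contains and deny_unknown, to report whether the loaded policy defines the context:contains access vector that pam_selinux's env_params path depends on and, if it does not, whether the policy was built with handle_unknown set to allow. The selinuxfs root is a parameter (the default /sys/fs/selinux is an assumption) so a constructed directory tree can be checked on a machine without SELinux.

```shell
#!/bin/sh
# Added example, not code from pam_selinux or the bug report.
# Reports whether the loaded policy defines the context:contains access vector
# and, if it does not, whether unknown classes/permissions are allowed.
# It reads the selinuxfs nodes libselinux consults for the same answers:
#   <root>/class/<class>/perms/<perm>  - exists only if the policy defines it
#   <root>/deny_unknown                - 0 = unknown allowed, 1 = unknown denied
# The root is a parameter (default /sys/fs/selinux, an assumption) so that a
# constructed directory tree can be checked on a machine without SELinux.

# context_contains_status [selinuxfs-root]
# Prints: defined | unknown-allowed | unknown-denied | no-selinux
# Exit status 0 when the policy either defines the class or allows unknowns
# (pam_selinux should pass once it honours deny_unknown), 1 when the policy
# really denies the check, 2 when no policy is loaded at the given root.
context_contains_status() {
    root=${1:-/sys/fs/selinux}
    [ -f "$root/deny_unknown" ] || { echo no-selinux; return 2; }
    if [ -e "$root/class/context/perms/contains" ]; then
        echo defined          # Fedora policy: the normal case
        return 0
    fi
    if [ "$(cat "$root/deny_unknown")" = "0" ]; then
        # Third-party policy built with handle_unknown = allow: pre-fix
        # pam_selinux still fails here because it never consults deny_unknown.
        echo unknown-allowed
        return 0
    fi
    echo unknown-denied       # class undefined and handle_unknown = deny
    return 1
}

# Stand-alone use: ./check-context-class.sh [selinuxfs-root]
context_contains_status "${1:-/sys/fs/selinux}" || :
```

With the "context" class removed from the policy as described above, a result of unknown-allowed is exactly the state in which the unpatched pam_selinux blocks the ssh login.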

Comment 10 dac.override 2020-03-06 08:13:36 UTC
By the way, from what I have been told, the proper way to address this issue is to use the "selinux_check_access()" libselinux functionality in pam_selinux.

Comment 11 dac.override 2020-03-06 08:17:58 UTC
... So unless you've ported pam_selinux to use selinux_check_access(), I am not sure if it is worth testing this iteration of your solution.

Comment 12 dac.override 2020-03-06 08:25:00 UTC
selinux_check_access() is a function that helps simplify things. It "automatically" addresses this issue (amongst other issues). The function is relatively new and so pam_selinux ideally should be updated to leverage this function.

Comment 13 Iker Pedrosa 2020-03-10 16:51:49 UTC
Here is the scratch build for the patch: https://koji.fedoraproject.org/koji/taskinfo?taskID=42382277

Comment 14 dac.override 2020-03-11 07:24:13 UTC
I would need something more modern, don't want to get into a downgrade rabbit hole:

# rpm -Uvh pam-1.3.1-22.fc31.x86_64.rpm --force
error: Failed dependencies:
        pam >= 1.3.1-23 is needed by (installed) authselect-libs-1.2-1.fc33.x86_64

Comment 15 Iker Pedrosa 2020-03-11 10:24:16 UTC
No problem. I have created a new build for rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=42403295

Comment 16 dac.override 2020-03-11 14:06:08 UTC
Thanks. From my perspective this works. It will now allow me to log in with sshd, with env_params, handle-unknown = allow, and with no context { contains }. So it handles unknowns properly now in my experience.

Comment 17 Iker Pedrosa 2020-03-11 15:16:27 UTC
* master
  c6c51832af8e7724cfbd454daa65a6644f5b45c2 -> pam_selinux: check unknown object classes or permissions in current policy

Comment 18 Petr Lautrbach 2020-03-12 20:09:37 UTC
With this patch, login domains using pam require create and bind permissions on netlabel_selinux_socket - https://bugzilla.redhat.com/show_bug.cgi?id=1813023#c6

It means that this package will need to be updated together with selinux-policy, which will have builds available tomorrow (hopefully).

Comment 19 Petr Lautrbach 2020-03-12 20:11:15 UTC
Correction: netlink_selinux_socket

Comment 20 Gwyn Ciesla 2020-03-13 13:58:24 UTC
Just installed this on rawhide, ssh login is broken with SELinux enabled.

Comment 21 Iker Pedrosa 2020-03-13 14:04:26 UTC
Gwyn, could you please specify what you have installed? Could you please try both the pam and selinux-policy updates? https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

Comment 22 Petr Lautrbach 2020-03-13 14:17:25 UTC
On Rawhide, you need to update selinux-policy to selinux-policy-3.14.6-8.fc33 - https://koji.fedoraproject.org/koji/buildinfo?buildID=1477233

Comment 23 Gwyn Ciesla 2020-03-13 14:27:47 UTC
It's not yet available via dnf. Manual installation via koji works.

Comment 24 Fedora Update System 2020-03-13 18:33:23 UTC
pam-1.3.1-24.fc32, selinux-policy-3.14.5-30.fc32 have been pushed to the Fedora 32 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

Comment 25 Dominique Martinet 2020-03-15 16:53:24 UTC
Stumbled into this a couple of weeks later. It's good that there is a workaround, but Fedora 32 isn't out yet and this bug is tagged against Fedora 31; a package bump there as well would be appreciated :)

Thanks!
-- 
Dominique

Comment 26 Tomas Mraz 2020-03-16 09:32:18 UTC
Because the fix requires changes in selinux-policy, the decision is to fix it in F32 and Rawhide only.

Comment 27 Dominique Martinet 2020-03-16 09:38:49 UTC
Err? So you're just leaving everyone with F31 with non-working sshd?
Could a pam update be pushed that reverts the behaviour requiring the policy change instead, maybe? It doesn't matter to users which fix is implemented, but leaving things broken on F31 doesn't seem very considerate for users...

(note I just patched my policy locally so I don't really care for myself, but it took me ~10 minutes to understand what was going on because the ssh client error is anything but obvious...)

Comment 28 Zdenek Pytela 2020-03-16 09:46:29 UTC
Dominique,

the pam update seems to have been unpushed from the testing repo:
https://bodhi.fedoraproject.org/updates/FEDORA-2020-8c23cecdce

Comment 29 Petr Lautrbach 2020-03-16 09:48:15 UTC
https://bodhi.fedoraproject.org/updates/FEDORA-2020-8c23cecdce was unpushed and pam-1.3.1-22.fc31 should not be available anymore; please downgrade your pam package.

# dnf info --enablerepo=updates-testing pam

Installed Packages
Name         : pam
Version      : 1.3.1
Release      : 18.fc31
Architecture : x86_64
Size         : 2.7 M
Source       : pam-1.3.1-18.fc31.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : An extensible library which provides authentication for applications
URL          : http://www.linux-pam.org/
License      : BSD and GPLv2+
Description  : PAM (Pluggable Authentication Modules) is a system security tool that
             : allows system administrators to set authentication policy without
             : having to recompile programs that handle authentication.

Available Packages
Name         : pam
Version      : 1.3.1
Release      : 21.fc31
Architecture : x86_64
Size         : 660 k
Source       : pam-1.3.1-21.fc31.src.rpm
Repository   : updates
Summary      : An extensible library which provides authentication for applications
URL          : http://www.linux-pam.org/
License      : BSD and GPLv2+
Description  : PAM (Pluggable Authentication Modules) is a system security tool that
             : allows system administrators to set authentication policy without
             : having to recompile programs that handle authentication.

Name         : pam
Version      : 1.3.1
Release      : 21.fc31
Architecture : i686
Size         : 681 k
Source       : pam-1.3.1-21.fc31.src.rpm
Repository   : updates
Summary      : An extensible library which provides authentication for applications
URL          : http://www.linux-pam.org/
License      : BSD and GPLv2+
Description  : PAM (Pluggable Authentication Modules) is a system security tool that
             : allows system administrators to set authentication policy without
             : having to recompile programs that handle authentication.

Comment 30 Dominique Martinet 2020-03-16 09:49:14 UTC
Ah, that makes sense then, thanks for the update. I should try distro-sync more often; I don't think there is any other way to notice things that get unpushed otherwise.

Cheers,
-- 
Dominique

Comment 31 Fedora Update System 2020-04-01 09:22:59 UTC
FEDORA-2020-d0986e01cd has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d0986e01cd

Comment 32 Fedora Update System 2020-04-02 00:31:13 UTC
FEDORA-2020-d0986e01cd has been pushed to the Fedora 32 stable repository.
If problems still persist, please make note of it in this bug report.

