public inbox for gentoo-hardened@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-hardened] Help with su
@ 2011-11-26  3:32 Stan Sander
  2011-11-27  5:00 ` [gentoo-hardened] Re: Help with su (RESOLVED) Stan Sander
  0 siblings, 1 reply; 5+ messages in thread
From: Stan Sander @ 2011-11-26  3:32 UTC (permalink / raw
  To: gentoo-hardened

[-- Attachment #1: Type: text/plain, Size: 4583 bytes --]

One of the more important things that is currently broken on my system
when I switch on enforcing mode for SELinux is the su command.  Mostly
likely I've overlooked something so am asking here first before filing a
bug on it.  I did a search or two on google, but didn't find anything
that looked really useful (or current).  Here are some details.  I'll
start with the output from the terminal window:

siren /home/stan $su
Password:
Would you like to enter a security context? [N] 
su: Authentication failure

Here are the lines from my syslog:

Nov 25 19:23:58 siren su[3016]: Successful su for root by stan
Nov 25 19:23:58 siren su[3016]: + /dev/pts/1 stan:root
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.237:826): avc: 
denied  { search } for  pid=3016 comm="su" name="root" dev=sda1
ino=4290561 scontext=stan:staff_r:staff_su_t
tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:23:58 siren kernel: type=1400 audit(1322274238.240:827): avc: 
denied  { compute_user } for  pid=3016 comm="su"
scontext=stan:staff_r:staff_su_t tcontext=system_u:object_r:security_t
tclass=security
Nov 25 19:24:00 siren su[3016]: pam_selinux(su:session): Unable to get
valid context for root
Nov 25 19:24:00 siren pam_ssh[3016]: can't write to /root/.ssh/agent-siren
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:828): avc: 
denied  { search } for  pid=3016 comm="su" name="root" dev=sda1
ino=4290561 scontext=stan:staff_r:staff_su_t
tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren kernel: type=1400 audit(1322274240.440:829): avc: 
denied  { search } for  pid=3016 comm="su" name="root" dev=sda1
ino=4290561 scontext=stan:staff_r:staff_su_t
tcontext=root:object_r:user_home_dir_t tclass=dir
Nov 25 19:24:00 siren su[3016]: pam_unix(su:session): session opened for
user root by (uid=500)
Nov 25 19:24:00 siren su[3016]: pam_open_session: Authentication failure

Here is the /etc/pam.d/su file:

#%PAM-1.0

auth       sufficient   pam_rootok.so

# If you want to restrict users begin allowed to su even more,
# create /etc/security/suauth.allow (or to that matter) that is only
# writable by root, and add users that are allowed to su to that
# file, one per line.
#auth       required     pam_listfile.so item=ruser sense=allow
onerr=fail file=/etc/security/suauth.allow

# Uncomment this to allow users in the wheel group to su without
# entering a passwd.
#auth       sufficient   pam_wheel.so use_uid trust

# Alternatively to above, you can implement a list of users that do
# not need to supply a passwd with a list.
#auth       sufficient   pam_listfile.so item=ruser sense=allow
onerr=fail file=/etc/security/suauth.nopass

# Comment this to allow any user, even those not in the 'wheel'
# group to su
auth       required     pam_wheel.so use_uid
auth       required     pam_tally2.so deny=5 unlock_time=300 magic_root
auth       include              system-auth

account    required     pam_tally2.so
account    include              system-auth

password   include              system-auth

session         required        pam_selinux.so close
session    optional             pam_xauth.so
session         required        pam_selinux.so multiple open verbose
session    include              system-auth

And, here is the system-auth file:

auth            sufficient      pam_ldap.so use_first_pass
ignore_authinfo_unavail
auth            required        pam_unix.so try_first_pass likeauth 
 
account         sufficient      pam_ldap.so
account         required        pam_unix.so
 
password        required        pam_cracklib.so (****** specific
requrements masked ******)
password        sufficient      pam_ldap.so use_authtok
password        required        pam_unix.so use_authtok sha512 shadow
 
session         required        pam_limits.so
#session                required        pam_env.so
session         optional        pam_ssh.so
session         sufficient      pam_ldap.so
session         required        pam_unix.so

I tried adding the following rule to a local policy, but all that did
was make the avc denial for compute_user go away in the logs, everything
else was still the same including the message about unable to get valid
context for root:

selinux_compute_user_contexts(staff_su_t)

I also tried commenting out the pam_selinux.so close in the session, but
that didn't help.

-- 
Stan & HD Tashi Grad 10/08  Edgewood, NM  SWR
PR - Cindy and Jenny - Sammamish, WA  NWR
http://www.cci.org



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [gentoo-hardened] Re: Help with su  (RESOLVED)
  2011-11-26  3:32 [gentoo-hardened] Help with su Stan Sander
@ 2011-11-27  5:00 ` Stan Sander
  2011-11-27 17:38   ` Sven Vermeulen
  0 siblings, 1 reply; 5+ messages in thread
From: Stan Sander @ 2011-11-27  5:00 UTC (permalink / raw
  To: gentoo-hardened

[-- Attachment #1: Type: text/plain, Size: 1885 bytes --]

On 11/25/2011 08:32 PM, Stan Sander wrote:
> One of the more important things that is currently broken on my system
> when I switch on enforcing mode for SELinux is the su command.  Mostly
> likely I've overlooked something so am asking here first before filing a
> bug on it.  

After doing some more searching, reading, and educating of myself I have
been able to achieve the behavior I was wanting from the su command,
namely change my regular Linux uid to 0 and be able to launch graphical
programs if necessary when logged in to a desktop session.  What I
discovered leaves my SELinux user id set to the user I originally logged
in as, which from a security and accountability standpoint is not a bad
thing, but the role and type are updated so all the transitions needed
for the policy to function as intended can occur.  However, my Linux uid
is 0 so things that need that work.  Probably a simple concept for all
you seasoned SELinux folk, but wanted to document it here for the
benefit of others who may find this in the archives. 

My answer -- removing the calls to pam_selinux.so from the su file in
pam.d and also removing the calls to pam_xauth.so from the su and
newrole files.  These (xauth) generated avc denials when they couldn't
access root's home area at /root due to (I think) ubac constraints.  
The last step a very simple script I called sesu

#!/bin/bash
echo -n "X server:  "
xhost local:localhost
echo -n "Enter root "
su -c "echo -n \"Enter current user \" && newrole -r sysadm_r"

If your PAM config doesn't allow the current user to su, then they get
permission denied.
If SELinux doesn't allow the current user to transition to a sysadm_r
then you get a root shell, but with limited capability. 


-- 
Stan & HD Tashi Grad 10/08  Edgewood, NM  SWR
PR - Cindy and Jenny - Sammamish, WA  NWR
http://www.cci.org



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-hardened] Re: Help with su  (RESOLVED)
  2011-11-27  5:00 ` [gentoo-hardened] Re: Help with su (RESOLVED) Stan Sander
@ 2011-11-27 17:38   ` Sven Vermeulen
  2011-11-27 19:48     ` Stan Sander
  0 siblings, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2011-11-27 17:38 UTC (permalink / raw
  To: gentoo-hardened

On Sat, Nov 26, 2011 at 10:00:01PM -0700, Stan Sander wrote:
> After doing some more searching, reading, and educating of myself I have
> been able to achieve the behavior I was wanting from the su command,
> namely change my regular Linux uid to 0 and be able to launch graphical
> programs if necessary when logged in to a desktop session.  What I
> discovered leaves my SELinux user id set to the user I originally logged
> in as, which from a security and accountability standpoint is not a bad
> thing, but the role and type are updated so all the transitions needed
> for the policy to function as intended can occur.  However, my Linux uid
> is 0 so things that need that work.  Probably a simple concept for all
> you seasoned SELinux folk, but wanted to document it here for the
> benefit of others who may find this in the archives. 
> 
> My answer -- removing the calls to pam_selinux.so from the su file in
> pam.d and also removing the calls to pam_xauth.so from the su and
> newrole files.  These (xauth) generated avc denials when they couldn't
> access root's home area at /root due to (I think) ubac constraints.  
> The last step a very simple script I called sesu
> 
> #!/bin/bash
> echo -n "X server:  "
> xhost local:localhost
> echo -n "Enter root "
> su -c "echo -n \"Enter current user \" && newrole -r sysadm_r"
> 
> If your PAM config doesn't allow the current user to su, then they get
> permission denied.
> If SELinux doesn't allow the current user to transition to a sysadm_r
> then you get a root shell, but with limited capability. 

Hi Stan,

This isn't really the way it is meant to resolve. From your denials, I
gather that you were still running in staff_r role. You need to transition
to sysadm_r role first and then try to perform your administrative tasks.

Wkr,
	Sven Vermeulen



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-hardened] Re: Help with su  (RESOLVED)
  2011-11-27 17:38   ` Sven Vermeulen
@ 2011-11-27 19:48     ` Stan Sander
  2011-11-28 18:11       ` Sven Vermeulen
  0 siblings, 1 reply; 5+ messages in thread
From: Stan Sander @ 2011-11-27 19:48 UTC (permalink / raw
  To: gentoo-hardened

[-- Attachment #1: Type: text/plain, Size: 935 bytes --]

On 11/27/2011 10:38 AM, Sven Vermeulen wrote:
>
> Hi Stan,
>
> This isn't really the way it is meant to resolve. From your denials, I
> gather that you were still running in staff_r role. You need to transition
> to sysadm_r role first and then try to perform your administrative tasks.
>
> Wkr,
> 	Sven Vermeulen
Sven,

Thanks for the tip.  I was running in staff_r when I got the denials.  I
thought I read somewhere that staff was allowed to su, so never thought
the difference of when I entered the newrole to be that significant. 
Anyway, I'll call newrole first but it still appears as though I need to
keep the calls to pam_selinux out of the su file as it fails when they
are in.  Also pam_xauth doesn't appear as though it's able to play with
selinux, at least not inside the su file. 

-- 
Stan & HD Tashi Grad 10/08  Edgewood, NM  SWR
PR - Cindy and Jenny - Sammamish, WA  NWR
http://www.cci.org



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [gentoo-hardened] Re: Help with su  (RESOLVED)
  2011-11-27 19:48     ` Stan Sander
@ 2011-11-28 18:11       ` Sven Vermeulen
  0 siblings, 0 replies; 5+ messages in thread
From: Sven Vermeulen @ 2011-11-28 18:11 UTC (permalink / raw
  To: gentoo-hardened

On Sun, Nov 27, 2011 at 12:48:14PM -0700, Stan Sander wrote:
> Thanks for the tip.  I was running in staff_r when I got the denials.  I
> thought I read somewhere that staff was allowed to su, so never thought
> the difference of when I entered the newrole to be that significant. 
> Anyway, I'll call newrole first but it still appears as though I need to
> keep the calls to pam_selinux out of the su file as it fails when they
> are in.  Also pam_xauth doesn't appear as though it's able to play with
> selinux, at least not inside the su file. 

Heh, my bad. There is no need to put pam_selinux for su in the first place.
At least, I don't have it on my systems. The only place where pam_selinux is
called is in the system-login definition for PAM (which is sourced by login,
slim and sshd PAM definitions).

Meh.

	Sven Vermeulen



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2011-11-28 18:13 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-11-26  3:32 [gentoo-hardened] Help with su Stan Sander
2011-11-27  5:00 ` [gentoo-hardened] Re: Help with su (RESOLVED) Stan Sander
2011-11-27 17:38   ` Sven Vermeulen
2011-11-27 19:48     ` Stan Sander
2011-11-28 18:11       ` Sven Vermeulen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox