|Summary:||[LSPP] incorrect information in pam_selinux audit record|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Linda Knippers <linda.knippers>|
|Component:||pam||Assignee:||Tomas Mraz <tmraz>|
|Status:||CLOSED ERRATA||QA Contact:|
|Version:||5.0||CC:||iboverma, krisw, sgrubb|
|Fixed In Version:||RHSA-2007-0555||Doc Type:||Bug Fix|
|Last Closed:||2007-11-07 15:40:30 UTC||Type:||---|
Description Linda Knippers 2007-04-01 22:55:07 UTC
Description of problem:
When login is configured to use pam_selinux and a user attempts to log in with a level that's not valid for the user, the audit record shows that the login failed but doesn't give the right context information.

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.18.el5 from Steve's repo

How reproducible:
very

Steps to Reproduce:
1. Configure a system for lspp with login configured to use pam_selinux
2. Attempt to log in with a different context, choosing a level that isn't allowed
3. compare the audit record with the information in /var/log/secure (debug)

The selected-context is the same as the default context, rather than what the user actually selected.

Actual results:
type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: default-context=staff_u:sysadm_r:sysadm_t:s0 selected-context=staff_u:sysadm_r:sysadm_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=pts/1 res=failed)'

Expected results:
In my test case, the selected context should have been s15 instead of s0.

Additional info:
Here's the information from /var/log/secure that shows the selected context.

Apr 1 18:22:35 scrod login: pam_selinux(login:session): Username= testuser SELinux User = staff_u Level= s0
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Would you like to enter a different role or level?
Y
Apr 1 18:22:35 scrod login: pam_selinux(login:session): role:
Apr 1 18:22:35 scrod login: pam_selinux(login:session): level: SystemHigh
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Selected Security Context staff_u:sysadm_r:sysadm_t:SystemHigh
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Checking if staff_u:sysadm_r:sysadm_t:SystemHigh mls range valid for staff_u:sysadm_r:sysadm_t:SystemLow
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Security context staff_u:sysadm_r:sysadm_t:SystemLow is not allowed for staff_u:sysadm_r:sysadm_t:SystemHigh
Apr 1 18:22:35 scrod login: pam_selinux(login:session): Unable to get valid context for testuser
Apr 1 18:22:35 scrod login: pam_namespace(login:session): open_session - start
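The comparison in step 3 of the report, automated as an added example (not part of the original bug report and not pam's own code): it extracts selected-context from the USER_ROLE_CHANGE record and checks it against the context pam_selinux logged in /var/log/secure. The function names and the TRANS level mapping are assumptions made for this illustration.

```python
import re

# Lines quoted from the report above (audit log and /var/log/secure).
AUDIT = (
    "type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 "
    "auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 "
    "msg='pam: default-context=staff_u:sysadm_r:sysadm_t:s0 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s0: exe=\"/bin/login\" "
    "(hostname=?, addr=?, terminal=pts/1 res=failed)'"
)
SECURE = ("Apr 1 18:22:35 scrod login: pam_selinux(login:session): "
          "Selected Security Context staff_u:sysadm_r:sysadm_t:SystemHigh")

# Assumption: SystemHigh is s15, as in the reporter's test case. The real
# translations come from the system's setrans.conf.
TRANS = {"SystemLow": "s0", "SystemHigh": "s15"}


def parse_audit(record):
    """Return (default_ctx, selected_ctx, res) from a USER_ROLE_CHANGE record."""
    if "type=USER_ROLE_CHANGE" not in record:
        return None
    ctx = re.search(r"default-context=(\S+) selected-context=(\S+)", record)
    res = re.search(r"\bres=(\w+)", record)
    if not ctx or not res:
        return None
    # The record carries a trailing ':' after the selected context; strip it.
    return ctx.group(1).rstrip(":"), ctx.group(2).rstrip(":"), res.group(1)


def parse_secure(line):
    """Return the context pam_selinux logged as selected, or None."""
    m = re.search(r"pam_selinux\(\S+\): Selected Security Context (\S+)", line)
    return m.group(1) if m else None


def normalize(ctx, trans=TRANS):
    """Split user:role:type:level and map translated level names to raw levels."""
    user, role, typ, level = ctx.split(":", 3)
    return user, role, typ, trans.get(level, level)


def check(record, secure_line):
    """Compare the audited selected-context with what the user actually chose."""
    audit, chosen = parse_audit(record), parse_secure(secure_line)
    if audit is None or chosen is None:
        return "unparsed"
    try:
        same = normalize(audit[1]) == normalize(chosen)
    except ValueError:  # a context without all four fields
        return "unparsed"
    return "ok" if same else "mismatch"
```

With the lines from this report, `check(AUDIT, SECURE)` returns "mismatch", which is the discrepancy the reporter describes.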
Comment 1 RHEL Product and Program Management 2007-04-02 07:23:24 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Comment 2 Linda Knippers 2007-04-02 13:21:53 UTC
According to our LSPP evaluator, this bug does not block the evaluation. It would be nice if it was fixed though.
Comment 3 George C. Wilson 2007-04-02 20:28:27 UTC
Not necessary for LSPP but good to fix.
Comment 5 Tomas Mraz 2007-04-03 16:33:27 UTC
pam-0.99.6.2-19.el5 should improve this.
Comment 6 Linda Knippers 2007-04-03 17:14:11 UTC
I retested with pam-0.99.6.2-19.el5 and it seems to solve the problem. Thanks.
Comment 10 errata-xmlrpc 2007-11-07 15:40:30 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0555.html