
Bug 234781

Summary: [LSPP] incorrect information in pam_selinux audit record
Product: Red Hat Enterprise Linux 5
Reporter: Linda Knippers <linda.knippers>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 5.0
CC: iboverma, krisw, sgrubb
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: RHSA-2007-0555
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 15:40:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Linda Knippers 2007-04-01 22:55:07 UTC
Description of problem:
When login is configured to use pam_selinux and a user attempts to log
in with a level that's not valid for the user, the audit record shows
that the login failed but doesn't give the right context information.

Version-Release number of selected component (if applicable):
pam-0.99.6.2-3.18.el5 from Steve's repo

How reproducible:
very

Steps to Reproduce:
1. Configure a system for lspp with login configured to use pam_selinux
2. Attempt to log in with a different context, choosing a level that isn't
allowed
3. compare the audit record with the information in /var/log/secure (debug)
The selected-context is the same as the default context, rather than what
the user actually selected.

Actual results:
type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: default-context=staff_u:sysadm_r:sysadm_t:s0 selected-context=staff_u:sysadm_r:sysadm_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=pts/1 res=failed)'

Expected results:
In my test case, the selected context should have been s15 instead
of s0.
Additional info:
Here's the information from /var/log/secure that shows the selected
context.

Apr  1 18:22:35 scrod login: pam_selinux(login:session): Username= testuser SELinux User = staff_u Level= s0
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Would you like to enter a different role or level? Y
Apr  1 18:22:35 scrod login: pam_selinux(login:session): role:
Apr  1 18:22:35 scrod login: pam_selinux(login:session): level: SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Selected Security Context staff_u:sysadm_r:sysadm_t:SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Checking if staff_u:sysadm_r:sysadm_t:SystemHigh mls range valid for staff_u:sysadm_r:sysadm_t:SystemLow
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Security context staff_u:sysadm_r:sysadm_t:SystemLow is not allowed for staff_u:sysadm_r:sysadm_t:SystemHigh
Apr  1 18:22:35 scrod login: pam_selinux(login:session): Unable to get valid context for testuser
Apr  1 18:22:35 scrod login: pam_namespace(login:session): open_session - start
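A consistency check over the two records in this report, added here as an example and not part of the original report or of pam: it parses the USER_ROLE_CHANGE audit record and the pam_selinux syslog line, maps the symbolic SystemLow/SystemHigh names onto the s0/s15 labels (an assumed mapping, taken from the reporter's expected result), and flags the discrepancy the reporter describes.

```python
import re

# Constructed sample input, copied from the report: the USER_ROLE_CHANGE audit
# record joined onto one line, and the pam_selinux syslog line that records
# what the user actually selected.
AUDIT_RECORD = (
    "type=USER_ROLE_CHANGE msg=audit(1175466155.732:3890): user pid=3671 uid=0 "
    "auid=508 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 msg='pam: "
    "default-context=staff_u:sysadm_r:sysadm_t:s0 "
    "selected-context=staff_u:sysadm_r:sysadm_t:s0: exe=\"/bin/login\" "
    "(hostname=?, addr=?, terminal=pts/1 res=failed)'"
)
SECURE_LINE = (
    "Apr  1 18:22:35 scrod login: pam_selinux(login:session): "
    "Selected Security Context staff_u:sysadm_r:sysadm_t:SystemHigh"
)

# Assumed mapping from the symbolic level names pam_selinux writes to syslog
# onto the raw sensitivity labels used in the audit record.
LEVEL_ALIASES = {"SystemLow": "s0", "SystemHigh": "s15"}


def parse_role_change(record):
    """Extract default-context, selected-context and res from a USER_ROLE_CHANGE record."""
    body = re.search(r"msg='(.*)'", record).group(1)
    default = re.search(r"default-context=(\S+)", body).group(1)
    # the selected-context value carries a stray trailing colon in the record
    selected = re.search(r"selected-context=(\S+)", body).group(1).rstrip(":")
    res = re.search(r"res=(\w+)", body).group(1)
    return {"default": default, "selected": selected, "res": res}


def syslog_selected_context(line):
    """Return the context pam_selinux logged, with symbolic levels turned into s-labels."""
    ctx = re.search(r"Selected Security Context (\S+)", line).group(1)
    user, role, type_, level = ctx.split(":", 3)
    return ":".join([user, role, type_, LEVEL_ALIASES.get(level, level)])


def check_record(record, secure_line):
    """Return findings (empty list means consistent) comparing audit and syslog."""
    audit = parse_role_change(record)
    logged = syslog_selected_context(secure_line)
    findings = []
    if audit["selected"] != logged:
        findings.append(f"audit selected-context {audit['selected']} differs from syslog {logged}")
    if audit["res"] == "failed" and audit["selected"] == audit["default"]:
        findings.append("failed change recorded with selected-context equal to default-context")
    return findings
```

Run over the real audit.log and /var/log/secure of an affected system, both findings fire for the session in the report; on a fixed pam the first should disappear.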

Comment 1 RHEL Product and Program Management 2007-04-02 07:23:24 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Linda Knippers 2007-04-02 13:21:53 UTC
According to our LSPP evaluator, this bug does not block the evaluation.
It would be nice if it was fixed though.

Comment 3 George C. Wilson 2007-04-02 20:28:27 UTC
Not necessary for LSPP but good to fix.

Comment 5 Tomas Mraz 2007-04-03 16:33:27 UTC
pam-0.99.6.2-19.el5 should improve this.
Comment 6 Linda Knippers 2007-04-03 17:14:11 UTC
I retested with pam-0.99.6.2-19.el5 and it seems to solve the problem.
Thanks.

Comment 10 errata-xmlrpc 2007-11-07 15:40:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0555.html