Re: [PATCH 2/2] pam_faillock creates files in /run/faillock

From: Dominick Grift <dac.override@gmail.com>
To: "Sugar, David" <dsugar@tresys.com>,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 2/2] pam_faillock creates files in /run/faillock
Date: Sun, 23 Dec 2018 17:09:21 +0100	[thread overview]
Message-ID: <20181223160921.GD20992@brutus.lan> (raw)
In-Reply-To: <20181223104648.GB20992@brutus.lan>

[-- Attachment #1: Type: text/plain, Size: 3438 bytes --]

On Sun, Dec 23, 2018 at 11:46:48AM +0100, Dominick Grift wrote:
> On Sun, Dec 23, 2018 at 11:20:00AM +0100, Dominick Grift wrote:
> > On Sat, Dec 22, 2018 at 02:58:41AM +0000, Sugar, David wrote:
> > > 
> > > On 12/21/18 5:34 AM, Dominick Grift wrote:
> > > > On Fri, Dec 21, 2018 at 01:41:25AM +0000, David Sugar wrote:
> > > >> These are changes needed when pam_fallock created files in /run/faillock
> > > >> (which is labeled faillog_t).  sudo and xdm (and probably other domains)
> > > >> will create files in this directory for successful and failed logins
> > > >> attempts.
> > > > The pam stuff has become a bit broken in my view.
> > > >
> > > > We use to use auth_use_pam() for these kinds of things but the interface was forgotten and not updated properly.
> > > >
> > > > So for example sudo does not even call auth_use_pam() and a lot of stuff was added directly to the login_pgm domain that should have been added to auth_use_pam() instead.
> > > >
> > > > My opinion is that this belongs in auth_use_pam()
> > > 
> > > Dominick,
> > > 
> > > I see those interfaces.  It looks like xdm_t already uses 
> > > auth_login_pgm_domain(xdm_t).  It also isn't really clear to me what the 
> > > difference is between auth_login_pgm_domain() and auth_use_pam().  I 
> > > will make updates moving my change into auth_use_pam() and also update 
> > > sudo_role_template() to use (I think) auth_login_pgm_domain ().
> > 
> > sudo is not an auth_login_pgm_domain() i believe
> > 
> > the auth_use_pam() is a subset of auth_login_pgm_domain()
> > 
> > so login_pgm domains are pam clients plus extras needed to log in users
> > 
> > a auth_use_pam() (pam client) has a pam stack but it might not actually do logins
> > 
> > sudo uses pam but its not a real login program, so afaik sudo should call auth_use_pam()
> > xdm is a login_pgm, so is sshd etc
> > 
> > systemd is also a pam client, but not a login program
> 
> And yes systemd needs to be able to create these /run/faillock/USER files as well, but if you test this on RHEL then you wont see it because
> RHEL doesnt use /etc/pam.d/systemd-user (i suppose)
> 
> so:
> 
> 1. auth_use_pam() == "pam clients" (programs that have a file in /etc/pam.d), they use pam for authentication of some sort
> 2, auth_login_pgm_domain() == superset (special pam clients that need permissions to do actual logins)

Another interesting detail is that pam_faillock clients need cap_dac_override to be able to write records to /run/faillock/USER files
I wonder whether that is a bug

for example sshd (root) creates /run/faillock/joe with joe.root and 0600 but then sshd (root) needs cap_dac_override to write records to that file
Probably should have created the files with 0660 ... to avoid the need for cap_dac_override...

> 
> > 
> > > 
> > > I will resubmit this patch,
> > > 
> > > --- snip ---
> > 
> > -- 
> > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> > Dominick Grift
> 
> 
> 
> -- 
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]