Cannot not open session

Cannot not open session

[Alan Rouse]

Two questions:

1. I'm working with selinux in opensuse.  With selinux in enforcing mode, su is not working.  For example, suppose root tries to su to an unprivileged user.  I'm asked if I would like to enter a security context [N].  If I say no, it responds "su: cannot not open session:  Authentication failure".   With selinux in permissive mode, it works... and no avc messages are logged.   

Any idea what I have done wrong?

2.  When I try to su to an unprivileged user, and it asks if I would like to enter a security context, suppose I say yes.  It asks for a role, and I enter 'user_r'.  then it asks for a level.  What kind of answer does it expect here?  Nothing I've tried works....

Thanks!



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Cannot not open session

[Stephen Smalley]

On Fri, 2010-04-09 at 08:16 -0400, Alan Rouse wrote:
> Two questions:
> 
> 1. I'm working with selinux in opensuse.  With selinux in enforcing mode, su is not working.  For example, suppose root tries to su to an unprivileged user.  I'm asked if I would like to enter a security context [N].  If I say no, it responds "su: cannot not open session:  Authentication failure".   With selinux in permissive mode, it works... and no avc messages are logged.   
> 
> Any idea what I have done wrong?
> 
> 2.  When I try to su to an unprivileged user, and it asks if I would like to enter a security context, suppose I say yes.  It asks for a role, and I enter 'user_r'.  then it asks for a level.  What kind of answer does it expect here?  Nothing I've tried works....

Remove pam_selinux from /etc/pam.d/su.

Early Fedora and RHEL-4 put pam_selinux in /etc/pam.d/su in an effort to
automatically change contexts upon user identity changes.  This proved
to be a mistake in practice (and a deviation from the original SELinux
approach), and was subsequently removed in later Fedora and RHEL-5.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Cannot not open session

[Michal Svoboda]

[-- Attachment #1: Type: text/plain, Size: 468 bytes --]

Stephen Smalley wrote:
> Early Fedora and RHEL-4 put pam_selinux in /etc/pam.d/su in an effort to
> automatically change contexts upon user identity changes.  This proved
> to be a mistake in practice (and a deviation from the original SELinux
> approach), and was subsequently removed in later Fedora and RHEL-5.

BTW, is there any further explanation of why this is a mistake? And
question #2, I think sudo still does this, isn't that a mistake too?

Michal Svoboda

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: Cannot not open session

[Stephen Smalley]

On Fri, 2010-04-09 at 14:52 +0200, Michal Svoboda wrote:
> Stephen Smalley wrote:
> > Early Fedora and RHEL-4 put pam_selinux in /etc/pam.d/su in an effort to
> > automatically change contexts upon user identity changes.  This proved
> > to be a mistake in practice (and a deviation from the original SELinux
> > approach), and was subsequently removed in later Fedora and RHEL-5.
> 
> BTW, is there any further explanation of why this is a mistake? And
> question #2, I think sudo still does this, isn't that a mistake too?

With the original (and current approach), su isn't especially trusted
with respect to SELinux, the set of reachable contexts within a login
session can be bounded with respect to the starting context, and you can
switch Linux uid while staying in the same SELinux context.  With
pam_selinux in /etc/pam.d/su, su becomes highly trusted with respect to
SELinux, any context can potentially be reached from any other context,
and you cannot switch Linux uid while staying in the same SELinux
context (at least via su).

The sudo SELinux support differs in that:
- by default (in the absence of command line options or sudoers
configuration), there is no context change, so we retain the ability to
sudo while staying in context, and
- sudo only supports switching role (and type), not SELinux user or
level, so reachable contexts remain bounded based on the SELinux user
and level is preserved, and the amount of trust extended to sudo is more
alike to that of newrole than to that of login.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.