Pam_selinux behavior incorrect?

W. Michael Petullo mike at flyn.org
Fri May 14 03:34:20 UTC 2004 

>> I am very interested in hearing opinions/input on the following bug:
>> 
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=121650
>> 
>> To summarize:
>> 
>> The su command, included in the coreutils package, does not interact
>> with pam_selinux correctly.  Su calls pam_open_session before forking
>> to create a user's shell.  Since pam_selinux is executed before
>> forking, the SELinux domain of both the user's shell and the parent su
>> process are modified.  The result of this is that any PAM modules that
>> are run by pam_close_session when the user logs out are executed with
>> the user's SELinux security context instead of su's (user_t vs.
>> user_su_t).
>> 
>> The catch-22 is that if pam_open_session is called by the child after
>> the fork then the parent's pam_close_session with have no knowlege
>> that there is an open session.
>> 
>> This all contradicts with how su treats traditional Unix UID handling.
>> Su changes its UIDs to the user after it forks so that the parent su
>> process continues to execute as root.  The result of this is that,
>> when using the traditional Unix security model, modules executed by
>> pam_close_session have root privileges.  I would argue that this is the
>> correct behavior.
>> 
>> I think /bin/login is in the same boat.
> 
> IIRC, on pam_open_session, pam_selinux sets the exec context for the
> process to the appropriate context for the user, so that any
> subsequently executed programs will transition into that context.  On
> pam_close_session, pam_selinux restores the exec context to its original
> value, so any subsequently executed programs will revert to the prior
> behavior.  The principal concern seems to be the impact on helper
> programs executed by other pam session modules invoked after pam_selinux
> when opening a session, and the impact on helper programs executed by
> other pam session modules invoked before pam_selinux when closing a
> session, as any such helper programs will end up in the user's context.

Here is the new dilemma:

Imagine a module, call it pam_foo, that requires special privileges
to properly open and close a user's session.  Currently, one has two
basic configuration options:

session pam_foo     ...
session pam_selinux ...

 or

session pam_selinux ...
session pam_foo     ...

In the former, pam_foo will not have the needed privileges when the
session is to be closed (pam_selinux has not restored them yet).  In the
latter, pam_foo will not have the privileges needed to open the session
(pam_selinux has already taken them away).

One possible solution would be to modify PAM to invert the order in
which modules are executed by pam_close_session.  This seems to make
sense conceptually but I am not sure if this would be a violation of
the PAM standard.

At first I really liked the idea of doing this SELinux magic with PAM,
but now I am not so sure.  As Stephen pointed out, the traditional Unix
UID changes are not done using PAM.

-- 
Mike

:wq

More information about the fedora-selinux-list mailing list