Redhat – pam_exec: permission denied due to selinux

pamredhatselinux

I have a RHEL 6.0, and I configured pam_exec to run a custom authentication method through a bash script. If SE Linux is disabled everything works as expected, but when I enable SELinux I get a permission denied error when pam_exec tries to execute the script. How can I tell SELinux to allow this script to be executed when a user tries to log in?

/etc/pam.d/password-auth

auth        sufficient    pam_exec.so expose_authtok seteuid /opt/myscript.sh

audit.log

type=AVC msg=audit(1496962765.610:24707): avc:  denied  { execute } for  pid=7476 comm="gdm-session-wor" name="myscript.sh" dev=dm-0 ino=21416 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

Best Answer

The script has a different security context that doesn't allow pam_exec to run it. The pam_exec process is running with context system_u:system_r:xdm_t:s0-s0:c0.c1023 whereas the script has a context of unconfined_u:object_r:usr_t:s0.

You'll need to change the script type to allow pam_exec to run it; e.g. via chcon -t xdm_t script_name (you may have to change other file attributes/ownership to allow pam_exec to run the script).

That should allow you to test the script, though you may have to change the type back if you need to run the script yourself. The change won't survive reboots or filesystem relabels though; for that, you'll need to run /usr/sbin/semanage fcontext -a -t xdm_t /full/path/to/script to record the change.

Related Solutions

SELinux AVC denies at boot

The target types are file_t. That normally is the case where no type was ever set on the file and that is the default.

You'll need to relabel the filesystem in order to get things going again.

Normally the command fixfiles is used for this on redhat but I'm pretty sure that relates to RPM databases for some work so isn't likely as relevent in gentoo. You should be able to use restorecon though.

You'll need to boot into a permissive mode to try and relabel the filesystem.

Redhat Apache fast-cgi selinux permissions

Running FastCGI your way leaves a big security hole: the PHP interpreter is run as user "httpd" (at least I can't see anything about suexec here).

We have a working setup with SELinux and PHP as FastCGI here at CentOS 6, but it was really tricky to get everything working.

A few tips for the start:

you don't need to reboot to disable/enable selinux - just use the command "setenforce 0" or "setenforce 1" :)
always try to get everything working with SELinux disabled, then enable it and have a look at audit.log

Here we go:

enable suexec
change SELinux type for php.fcgi to httpd_fastcgi_script_exec_t
your FastCGI starter (php.fcgi) should not be writable by the user owning it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi

suexec has some trouble with FastCGI, so we have to make it permissive:

yum install policycoreutils-python
semanage permissive -a httpd_suexec_t

Good luck!

Best Answer

Related Solutions

SELinux AVC denies at boot

Redhat Apache fast-cgi selinux permissions

Related Topic