Skip to content

authlogin: allow pam_domain to read /usr/share/pam#1123

Open
thesamesam wants to merge 2 commits into
SELinuxProject:mainfrom
thesamesam:gentoo-973082
Open

authlogin: allow pam_domain to read /usr/share/pam#1123
thesamesam wants to merge 2 commits into
SELinuxProject:mainfrom
thesamesam:gentoo-973082

Conversation

@thesamesam
Copy link
Copy Markdown
Contributor

@thesamesam thesamesam commented May 17, 2026
edited
Loading

.. by allowing /usr overall. pam installs these configuration files there as its vendordir. It also does this since aea30822e2fa6f87faf2541da140f69dfdfee728.

(I think that commit message isn't quite right: it seems to do this regardless of libeconf support.)

This comes from auth_use_pam which sudo and su use:

AVC avc:  denied  { getattr } for  pid=239941 comm="su" path="/usr/share/pam/security/faillock.conf" dev="dm-0" ino=3227904748
scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0
tclass=file

AVC avc:  denied  { read } for  pid=239938 comm="sudo" name="pam_env.conf" dev="dm-0" ino=3227906195
scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0
tclass=file

This is a followup to 169f725.

Bug: https://bugs.gentoo.org/973082

@thesamesam thesamesam marked this pull request as draft May 17, 2026 01:12
@0xC0ncord
Copy link
Copy Markdown
Contributor

0xC0ncord commented May 17, 2026
edited
Loading

I also hit this issue. I don't know if this is what is intended by upstream, but the PAM ebuild is now installing files that used to be in /etc/security to /usr/share/pam/security. I think the correct fix is to use filecons rather than to allow reading usr_t files. We must also make sure that /usr/share/pam/security/namespace.init is labeled bin_t so that pam_namespace continues to work.

EDIT: A file equivalence rule will do exactly what we need.

@thesamesam
Copy link
Copy Markdown
Contributor Author

thesamesam commented May 17, 2026
edited
Loading

I think the change was intentional but the commit message didn't get updated. If you look at the bugs/pr the Pam commit is from, it seems they were OK with it.

Please feel free to have a go: I'm happy to try but I'm wading through a bunch of avcs and learning as I go so I don't mind if you take it over!

@WavyEbuilder
Copy link
Copy Markdown
Contributor

WavyEbuilder commented May 17, 2026

I also hit this issue. I don't know if this is what is intended by upstream, but the PAM ebuild is now installing files that used to be in /etc/security to /usr/share/pam/security. I think the correct fix is to use filecons rather than to allow reading usr_t files. We must also make sure that /usr/share/pam/security/namespace.init is labeled bin_t so that pam_namespace continues to work.

EDIT: A file equivalence rule will do exactly what we need.

/usr/share/pam/security/namespace.init

Oh hm, that makes it a little tricky.

EDIT: A file equivalence rule will do exactly what we need.

subs_dist sounds good to me however:

I think the correct fix is to use filecons rather than to allow reading usr_t files.

I still think (in the future) ideally we should move to a private type. In my opinion, given the nature of PAM configuration files, they should not be etc_t as that's a bit too broad. So a private type with files_security_file() in my opinion

0xC0ncord added a commit to 0xC0ncord/refpolicy that referenced this pull request May 17, 2026
@0xC0ncord
file_contexts: make /usr/share/pam equivalent to /etc
35fa8d3 
PAM 1.7.2 makes the vendordir build option the default. This puts PAM's
config files in /usr/share/pam rather than /etc. Unfortunately this
makes the default file contexts for these files usr_t which breaks many
things.

Fix this by adding a file equivalence rule for /usr/share/pam.

Bug: https://bugs.gentoo.org/973082
Closes: SELinuxProject#1123
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
@0xC0ncord 0xC0ncord mentioned this pull request May 17, 2026
Open
@thesamesam
Copy link
Copy Markdown
Contributor Author

thesamesam commented May 18, 2026

The pam_namespace thing makes sense, let's go with #1125. Thank you!

@thesamesam thesamesam closed this May 18, 2026
@thesamesam thesamesam deleted the gentoo-973082 branch May 18, 2026 04:15
@thesamesam thesamesam restored the gentoo-973082 branch May 27, 2026 12:06
@thesamesam thesamesam reopened this May 27, 2026
@thesamesam thesamesam marked this pull request as ready for review May 27, 2026 12:10
@thesamesam
authlogin: allow pam_domain to read /usr/share/pam
6aeb605 
.. by allowing /usr overall. pam installs these configuration files there
as its `vendordir`. It also does this since aea30822e2fa6f87faf2541da140f69dfdfee728.

(I think that commit message isn't quite right: it seems to do this regardless
of libeconf support.)

This comes from auth_use_pam which sudo and su use:
```
AVC avc:  denied  { getattr } for  pid=239941 comm="su" path="/usr/share/pam/security/faillock.conf" dev="dm-0" ino=3227904748
scontext=staff_u:sysadm_r:sysadm_su_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0
tclass=file

AVC avc:  denied  { read } for  pid=239938 comm="sudo" name="pam_env.conf" dev="dm-0" ino=3227906195
scontext=staff_u:staff_r:staff_sudo_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0
tclass=file
```

This is a followup to 169f725.

Bug: https://bugs.gentoo.org/973082
See-also: SELinuxProject#1125
Signed-off-by: Sam James <sam@gentoo.org>
@thesamesam
corecommands: label /usr/share/pam/security/namespace.init as bin_t
2cc5c82 
Per SELinuxProject#1125 (comment),
pam_namespace tries /etc/security/namespace.init then /usr/share/pam/security/namespace.init,
so it needs to be bin_t.

Closes: SELinuxProject#1125
Signed-off-by: Sam James <sam@gentoo.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thesamesam @0xC0ncord @WavyEbuilder