Pam_selinux behavior incorrect?

W. Michael Petullo mike at flyn.org
Wed May 12 22:04:38 UTC 2004


I am very interested in hearing opinions/input on the following bug:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=121650

To summarize:

The su command, included in the coreutils package, does not interact
with pam_selinux correctly.  Su calls pam_open_session before forking
to create a user's shell.  Since pam_selinux is executed before
forking, the SELinux domain of both the user's shell and the parent su
process are modified.  The result of this is that any PAM modules that
are run by pam_close_session when the user logs out are executed with
the user's SELinux security context instead of su's (user_t vs.
user_su_t).

The catch-22 is that if pam_open_session is called by the child after
the fork then the parent's pam_close_session will have no knowledge
that there is an open session.

This all contradicts how su treats traditional Unix UID handling.
Su changes its UIDs to the user after it forks so that the parent su
process continues to execute as root.  The result of this is that,
when using the traditional Unix security model, modules executed by
pam_close_session have root privileges.  I would argue that this is the
correct behavior.

I think /bin/login is in the same boat.

-- 
Mike

:wq
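
The ordering problem described in the message above, as an added example that is not part of the original post and is not code from su or pam_selinux. It assumes the process umask as a stand-in for the SELinux context (an inherited per-process attribute that can be changed without privileges); `open_session`, `run_su` and `session_open` are hypothetical names, and no PAM or SELinux API is called.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SU_ATTR   022   /* assumption: stand-in for su's own context (user_su_t) */
#define USER_ATTR 077   /* assumption: stand-in for the user's context (user_t) */

struct outcome {
    mode_t attr_at_close;  /* attribute the parent holds when close hooks would run */
    int    session_known;  /* does the parent know a session was opened? */
};

static int session_open;   /* stand-in for session state kept in the PAM handle */

/* Hypothetical stand-in for pam_open_session with pam_selinux in the stack. */
static void open_session(void) { umask(USER_ATTR); session_open = 1; }

/* Read the current umask without changing it. */
static mode_t current_attr(void) { mode_t m = umask(0); umask(m); return m; }

struct outcome run_su(int open_before_fork) {
    struct outcome o = { 0, 0 };
    mode_t saved = umask(SU_ATTR);          /* start as "su" */
    session_open = 0;
    if (open_before_fork) open_session();   /* the order the message describes */
    fflush(NULL);
    pid_t pid = fork();
    if (pid < 0) { umask(saved); return o; }
    if (pid == 0) {
        if (!open_before_fork) open_session();  /* alternative: open in the child */
        _exit(current_attr() == USER_ATTR ? 0 : 1);  /* the "user shell" */
    }
    waitpid(pid, NULL, 0);
    /* The parent is now at the point where su would call pam_close_session. */
    o.attr_at_close = current_attr();
    o.session_known = session_open;
    umask(saved);
    return o;
}

int main(void) {
    for (int before = 1; before >= 0; before--) {
        struct outcome o = run_su(before);
        printf("open %s fork: close hooks run with %03o, session known: %d\n",
               before ? "before" : "after", (unsigned)o.attr_at_close, o.session_known);
    }
    return 0;
}
```

Opening before the fork leaves the parent holding the user's attribute at close time; opening in the child keeps the parent's attribute intact but the parent never learns that a session exists, which is the catch-22 from the message.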


