From 9ecceccc71d2770ad9991cc6ede5b259c7b21647 Mon Sep 17 00:00:00 2001 From: Milos Malik Date: Jun 08 2021 18:33:36 +0000 Subject: add new test which uses pam_limits and nonewprivs The pam_limits.so module can apply various limits on users, groups and other domains. Purpose of this TC is to find out if these limits do not interfere with current SELinux policy. If nonewprivs limit is used on confined or unconfined users, SELinux denials with { nnp_transition } appear when users log in. The TC reproduces the situation. I believe this operation should be allowed to make the security feature work. The TC looks for appropriate SELinux policy rules. The TC covers BZ#1958819.
---
diff --git a/selinux-policy/pam_limits-and-related/Makefile b/selinux-policy/pam_limits-and-related/Makefile
new file mode 100644
index 0000000..2fb85ca
--- /dev/null
+++ b/selinux-policy/pam_limits-and-related/Makefile
@@ -0,0 +1,69 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/selinux-policy/Regression/pam_limits-and-related
+# Description: Does SELinux cooperate with pam_limits.so?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/selinux-policy/Regression/pam_limits-and-related
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE ssh.exp
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ chmod a+x runtest.sh ssh.exp
+ chcon -t bin_t runtest.sh ssh.exp
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Milos Malik " > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Does SELinux cooperate with pam_limits.so?" 
>> $(METADATA)
+ @echo "Type: Regression" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: pam" >> $(METADATA)
+ @echo "RunFor: selinux-policy" >> $(METADATA)
+ @echo "Requires: audit libselinux libselinux-utils policycoreutils selinux-policy selinux-policy-targeted setools-console expect openssh-clients pam shadow-utils" >> $(METADATA)
+ @echo "RhtsRequires: library(selinux-policy/common)" >> $(METADATA)
+ @echo "Environment: AVC_ERROR=+no_avc_check" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHEL5 -RHEL6 -RHEL7" >> $(METADATA)
+ @echo "Bug: 1958819" >> $(METADATA) # Fedora 34
+
+ rhts-lint $(METADATA)
+
diff --git a/selinux-policy/pam_limits-and-related/PURPOSE b/selinux-policy/pam_limits-and-related/PURPOSE
new file mode 100644
index 0000000..9b9e9c4
--- /dev/null
+++ b/selinux-policy/pam_limits-and-related/PURPOSE
@@ -0,0 +1,10 @@
+PURPOSE of /CoreOS/selinux-policy/Regression/pam_limits-and-related
+Author: Milos Malik
+
+Does SELinux cooperate with pam_limits.so?
+Confined and unconfined users are tested using SSH.
+
+This TC uses following parameters which can be overriden:
+ * ALLOWED_USERS - which SELinux users should be tested?
+ * DENIED_USERS - which SELinux users should NOT be tested?
+
diff --git a/selinux-policy/pam_limits-and-related/main.fmf b/selinux-policy/pam_limits-and-related/main.fmf
new file mode 100644
index 0000000..7d613d7
--- /dev/null
+++ b/selinux-policy/pam_limits-and-related/main.fmf
@@ -0,0 +1,2 @@
+path: /selinux-policy/pam_limits-and-related
+tier: 2
diff --git a/selinux-policy/pam_limits-and-related/runtest.sh b/selinux-policy/pam_limits-and-related/runtest.sh
new file mode 100755
index 0000000..d9c6a3e
--- /dev/null
+++ b/selinux-policy/pam_limits-and-related/runtest.sh
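Review bot: In the new Makefile, `run` and `build` are command targets that never create a file of that name, but the `.PHONY` line lists only `all install download clean`. If a file or directory called `build` or `run` ever appears in the test directory, make can treat the target as up to date and skip the `chmod a+x` / `chcon -t bin_t` step or the test run itself; `.PHONY: all install download clean run build` avoids that. A one-line comment above the `chcon` line stating why the scripts are relabelled to `bin_t` would also help, since the commit does not give the reason.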
@@ -0,0 +1,89 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/selinux-policy/Regression/pam_limits-and-related
+# Description: Does SELinux cooperate with pam_limits.so?
+# Author: Milos Malik
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc. All rights reserved.
+#
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. 
/usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="selinux-policy"
+SERVICE_PACKAGE="pam"
+DENIED_USERS=${DENIED_USERS:-""}
+ALLOWED_USERS=${ALLOWED_USERS:-"guest_u xguest_u user_u staff_u sysadm_u unconfined_u"}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlRun "rlImport 'selinux-policy/common'"
+ rlSESatisfyRequires
+ rlAssertRpm ${PACKAGE}
+ rlAssertRpm ${PACKAGE}-targeted
+ rlAssertRpm ${SERVICE_PACKAGE}
+
+ rlFileBackup /etc/shadow
+ rlFileBackup /etc/security/limits.conf
+
+ rlSESetEnforce
+ rlSEStatus
+ rlSESetTimestamp
+ sleep 2
+ rlPhaseEnd
+
+ rlPhaseStartTest "bz#1958819"
+ rlSESearchRule "allow init_t guest_t : process2 { nnp_transition } [ ]"
+ rlSESearchRule "allow init_t staff_t : process2 { nnp_transition } [ ]"
+ rlSESearchRule "allow init_t sysadm_t : process2 { nnp_transition } [ ]"
+ rlSESearchRule "allow init_t unconfined_t : process2 { nnp_transition } [ ]"
+ rlSESearchRule "allow init_t user_t : process2 { nnp_transition } [ ]"
+ rlSESearchRule "allow init_t xguest_t : process2 { nnp_transition } [ ]"
+ rlPhaseEnd
+
+ rlPhaseStartTest "real scenario -- confined users"
+ rlRun "setsebool ssh_sysadm_login on"
+ rlLog "configuration says not to test SELinux users: ${DENIED_USERS}"
+ for SELINUX_USER in ${ALLOWED_USERS} ; do
+ USER_NAME="user${RANDOM}"
+ USER_SECRET="S3kr3t${RANDOM}"
+ rlRun "useradd -Z ${SELINUX_USER} ${USER_NAME}"
+ rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
+ rlRun "echo \"${USER_NAME} - nonewprivs 1\" >> /etc/security/limits.conf"
+ rlRun "restorecon -RvF /home/${USER_NAME}"
+ rlRun "./ssh.exp ${USER_NAME} ${USER_SECRET} localhost id"
+ rlRun "userdel -rfZ ${USER_NAME}"
+ sleep 10
+ done
+ rlRun "setsebool ssh_sysadm_login off"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ sleep 2
+ rlSECheckAVC
+
+ rlFileRestore
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
diff --git a/selinux-policy/pam_limits-and-related/ssh.exp b/selinux-policy/pam_limits-and-related/ssh.exp
new file mode 100755
index 0000000..58c9647
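Review bot: `DENIED_USERS` is read and logged in runtest.sh, but the `for SELINUX_USER in ${ALLOWED_USERS}` loop never consults it, so the parameter documented in PURPOSE has no effect; a guard at the top of the loop such as `[[ " ${DENIED_USERS} " == *" ${SELINUX_USER} "* ]] && continue` would honour it. The loop also leaves state behind if it is interrupted: `userdel -rfZ` and `setsebool ssh_sysadm_login off` sit in the test phase, so an abort keeps an SSH-reachable account whose password is `S3kr3t` plus a 15-bit `$RANDOM` value, and the boolean is forced off rather than returned to its earlier value (which `getsebool ssh_sysadm_login` could record during setup). Moving the account removal and the boolean restore into the cleanup phase would close that gap. Finally, the remote command is `id`, which succeeds whether or not the limit was applied; running `grep NoNewPrivs /proc/self/status` over the same login would show that pam_limits actually set the flag.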
--- /dev/null
+++ b/selinux-policy/pam_limits-and-related/ssh.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+# Expect script for SSH logging as $username to $hostname using $password and executing $command.
+# Usage:
+# ./ssh.exp username password hostname command
+set username [lrange $argv 0 0]
+set password [lrange $argv 1 1]
+set hostname [lrange $argv 2 2]
+set command [lrange $argv 3 10]
+set timeout 15
+# connect to remote host and execute given command
+log_user 1
+spawn ssh -t $username@$hostname $command
+expect {
+ -nocase "yes/no" { send -- "yes\r" ; exp_continue }
+ -nocase "password" { send -- "$password\r" }
+}
+log_user 1
+# send -- "\r"
+expect eof
+
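Review bot: ssh.exp ends at `expect eof` without collecting the ssh exit status, so as written it returns 0 even when the password is rejected or the 15-second timeout expires, and `rlRun "./ssh.exp ..."` in runtest.sh cannot detect a failed login. Ending the script with `lassign [wait] pid sid oserr status` followed by `exit $status`, and giving both `expect` commands a `timeout { exit 1 }` arm, would propagate the failure. Separately, `lrange $argv 1 1` yields a one-element list rather than a string, so a password containing spaces or braces would be sent with Tcl list quoting; `lindex $argv 1` returns the plain value. The password is also passed on the command line, where other local users can read it from the process list; that is tolerable for throwaway test accounts but worth a comment in the usage header.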