Login being denied without error in Fedora 7

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Login being denied without error in Fedora 7

Postby validius » Wed Nov 28, 2007 3:41 pm

I am running Fedora 7 (I have experienced this on both 32 bit and 64 bit). Under 2.6.19 and 2.6.23.9 i get the exact same behavior. With RBAC enabled i try to log in and after typing in the username the system sits for a second then resets login. The only message in the logs is from login and reads:

Code: Select all
localhost login: FATAL: bad tty


I have no idea what significance this has but i have found an interesting procedure that results in a successful login.

Step 1: With RBAC turned off try and log into a terminal giving a inforrect username and password.
Step 2: Switch to a different terminal enable RBAC.
Step 3: Return to the terminal mentioned in step 1 and supply a correct username and password, this time you are logged in successfully.

My RBAC template for login:
Code: Select all
subject /bin/login do {
        /               rx
        /bin/bash       x
        /dev            r
        /dev/log        rw
        /dev/random     r
        /dev/urandom    r
        /dev/null       rw
        /dev/ptmx       rw
        /dev/pts        rw
        /dev/tty        rw
        /dev/tty?       rw
        /etc            r
        /etc/grsec      h
        /root
        /proc           r
        /proc/*/loginuid        rw
        /proc/kcore     h
        /proc/sys       h
        /proc/sys/kernel/       h
        /proc/sys/kernel/ngroups_max    r
        /usr/lib        rx
        /usr/share/zoneinfo     r
        /var/log
        /var/mail
        /var/log/faillog        rcw
        /var/log/lastlog        rcw
        /var/log/wtmp           w
        /var/log/btmp           w
        /var/run/utmp           rw
        /var/run/btmp           rw
        /var/run/console        r
        /var/run/console/*      rwcd
        /var/run/dbus/system_bus_socket         rw

        -CAP_ALL
        +CAP_CHOWN
        +CAP_SETGID
        +CAP_SETUID
        +CAP_SYS_CHROOT
        +CAP_SYS_RESOURCE
        +CAP_SYS_TTY_CONFIG
        +CAP_NET_ADMIN
        RES_CORE 10M 10M
}


RBAC Policy for mingetty:

Code: Select all
subject /sbin/mingetty {
        /dev
        /proc                   rx
        /proc/sys               h
        /dev/log        rw
        /var/log/wtmp   rw
        /dev/vc*                rw
        /dev/tty*               rw
        /dev/pts*               rw

        -CAP_ALL
        +CAP_CHOWN
        +CAP_SYS_TTY_CONFIG
}
validius
 
Posts: 2
Joined: Mon Oct 16, 2006 4:17 pm

Postby zakalwe » Wed Nov 28, 2007 7:09 pm

I think I had a similar issue with ttys, but with sshd. What happens if you remove the 'd' from the /bin/login subject?
zakalwe
 
Posts: 22
Joined: Mon Jul 10, 2006 9:40 am

Postby validius » Thu Nov 29, 2007 10:15 am

zakalwe wrote:I think I had a similar issue with ttys, but with sshd. What happens if you remove the 'd' from the /bin/login subject?


If i remove the d i can get a little further (it lets me put in my password). The end result is the same, no error, just a new login screen.
validius
 
Posts: 2
Joined: Mon Oct 16, 2006 4:17 pm

Postby Chris » Wed Dec 19, 2007 3:40 pm

I realize this post is a little old, but anyway, here is what I did. I was in the same situation with Fedora 7, and this worked for me. And yes, I do realize there is a CAP_ALL.

Code: Select all
subject /bin/login o {
        /               rx
        /etc/shadow     r
        /bin/bash       x
        /dev            r
        /dev/log        rw
        /dev/random     r
        /dev/urandom    r
        /dev/null       rw
        /dev/ptmx       rw
        /dev/pts        rw
        #/dev/tty        rw
        #/dev/tty?      rw
        /dev/tty0       rw
        /dev/tty1       rw
        /dev/tty2       rw
        /dev/tty3       rw
        /dev/tty4       rw
        /dev/tty5       rw
        /dev/tty6       rw
        /dev/tty7       rw
        /dev/tty8       rw
        /dev/console    rw
        /dev/tty        rw

        /etc            r
        /etc/grsec      h
        /root
        /proc           r
        /proc/*/loginuid        rw
        /proc/kcore     h
        /proc/sys       h
        /proc/sys/kernel/       h
        /proc/sys/kernel/ngroups_max    r
        /usr/lib        rx
        /usr/share/zoneinfo     r
        /var/log
        /var/mail
        /var/log/faillog        rcw
        /var/log/lastlog        rcw
        /var/log/wtmp           w
        /var/log/btmp           w
        /var/run/utmp           rw
        /var/run/btmp           rw
        /var/run/console        r
        /var/run/console/*      rwcd
        /var/run/dbus/system_bus_socket         rw

        +CAP_CHOWN
        +CAP_SETGID
        +CAP_SETUID
        +CAP_FOWNER
        +CAP_FSETID
        +CAP_SYS_TTY_CONFIG 
        +CAP_DAC_OVERRIDE
        +CAP_NET_ADMIN


        -CAP_SYS_CHROOT
        -CAP_SYS_RESOURCE
        -CAP_NET_BIND_SERVICE
        -CAP_DAC_READ_SEARCH
        -CAP_IPC_LOCK
        -CAP_IPC_OWNER
        -CAP_KILL
        -CAP_LEASE
        -CAP_LINUX_IMMUTABLE
        -CAP_MKNOD
        -CAP_NET_BROADCAST
        -CAP_NET_RAW
        -CAP_SETPCAP
        -CAP_SYS_ADMIN
        -CAP_SYS_BOOT
        -CAP_SYS_MODULE
        -CAP_SYS_NICE
        -CAP_SYS_PACCT
        -CAP_SYS_PTRACE
        -CAP_SYS_RAWIO
        -CAP_SYS_TIME
        RES_CORE 10M 10M
}
Chris
 
Posts: 1
Joined: Wed Dec 19, 2007 1:14 pm


Return to grsecurity support