  1. MariaDB Server
  2. MDEV-18374

SELinux breaks cracklib_password_check plugin


Details

    Description

      The cracklib_password_check plugin is known to have problems with SELinux:

      https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux

      Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

      cd /usr/share/mysql/policy/selinux/
      tee ./mariadb-plugin-cracklib-password-check.te <<EOF
       
      module mariadb-plugin-cracklib-password-check 1.0;
       
      require {
              type mysqld_t;
              type crack_db_t;
              class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
              class dir { write search getattr add_name read remove_name open };
      }
       
      allow mysqld_t crack_db_t:dir { search read open };
      allow mysqld_t crack_db_t:file { getattr read open };
      EOF
      sudo yum install selinux-policy-devel
      make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
      sudo semodule -i mariadb-plugin-cracklib-password-check.pp
      

      This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one, as the following output shows:

      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
      drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0  root root 4096 Nov  9  2015 /usr/share/cracklib/
      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
      total 9192
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root     360 Feb  6  2014 cracklib.magic
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 cracklib-small.hwm
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  250120 Feb  6  2014 cracklib-small.pwd
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root   13232 Feb  6  2014 cracklib-small.pwi
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 pw_dict.hwm
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root 8663484 Feb  6  2014 pw_dict.pwd
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  460232 Feb  6  2014 pw_dict.pwi
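
A static check of the proposed module, added here as an example and not part of the original issue or of MariaDB's packaging: it parses the `.te` source posted above and reports which permissions the `allow` rules actually grant, compared with what the `require` block declares. The `READ_ONLY` sets and the name `audit_policy` are assumptions of this example.

```python
import re

# Policy source copied from the issue description above.
POLICY_TE = """\
module mariadb-plugin-cracklib-password-check 1.0;
require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}
allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
"""

# Assumption of this example: the permissions counted as read-only access.
READ_ONLY = {
    "file": {"getattr", "read", "open", "ioctl", "lock"},
    "dir": {"getattr", "read", "open", "search", "ioctl", "lock"},
}

PERMS = r"(\{[^}]*\}|\w+)"
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+" + PERMS + r"\s*;", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+" + PERMS + r"\s*;", re.M)


def _perm_set(text):
    return set(text.strip("{}").split())


def audit_policy(te_source):
    """Compare what a .te module grants (allow) with what it declares (require)."""
    required = {c: _perm_set(p) for c, p in CLASS_RE.findall(te_source)}
    granted = {}          # class -> every permission granted on it
    beyond_read = []      # (source, target, class, perms) outside READ_ONLY
    undeclared = []       # granted permissions missing from the require block
    for src, tgt, cls, perms in ALLOW_RE.findall(te_source):
        perms = _perm_set(perms)
        granted.setdefault(cls, set()).update(perms)
        extra = perms - READ_ONLY.get(cls, set())
        if extra:
            beyond_read.append((src, tgt, cls, sorted(extra)))
        missing = perms - required.get(cls, set())
        if missing:
            undeclared.append((cls, sorted(missing)))
    # require only declares names the module depends on; it grants nothing.
    unused = {c: sorted(p - granted.get(c, set())) for c, p in required.items()}
    return {"beyond_read": beyond_read, "undeclared": undeclared, "unused_required": unused}


if __name__ == "__main__":
    for key, value in audit_policy(POLICY_TE).items():
        print(key, value)
```

For the module as posted, `beyond_read` is empty, so mysqld_t gets read-only access to crack_db_t; the write, create, unlink and execute permissions appear only in the `require` block and could be trimmed from it.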
      

      The policy appears to work:

      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ getenforce
      Enforcing
      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ mysql -u root
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4
      Server version: 10.1.37-MariaDB MariaDB Server
       
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
       
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
       
      MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
      Query OK, 0 rows affected (0.00 sec)
       
      MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check_dictionary';
      +------------------------------------+-----------------------------+
      | Variable_name                      | Value                       |
      +------------------------------------+-----------------------------+
      | cracklib_password_check_dictionary | /usr/share/cracklib/pw_dict |
      +------------------------------------+-----------------------------+
      1 row in set (0.00 sec)
       
      MariaDB [(none)]> CREATE USER 'alice'@'localhost' IDENTIFIED BY 'asdf15692';
      Query OK, 0 rows affected (0.03 sec)
       
      MariaDB [(none)]> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password';
      ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
      MariaDB [(none)]> SHOW WARNINGS;
      +---------+------+----------------------------------------------------------------+
      | Level   | Code | Message                                                        |
      +---------+------+----------------------------------------------------------------+
      | Warning | 1819 | cracklib: it is based on a dictionary word                     |
      | Error   | 1819 | Your password does not satisfy the current policy requirements |
      | Error   | 1396 | Operation CREATE USER failed for 'bob'@'localhost'             |
      +---------+------+----------------------------------------------------------------+
      3 rows in set (0.00 sec)
      

            People

              nikitamalyavin Nikita Malyavin
              GeoffMontee Geoff Montee (Inactive)