Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-18374

Add SELinux policy to cracklib_password_check packages




      The cracklib_password_check plugin is known to have problems with SELinux:


      Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

      cd /usr/share/mysql/policy/selinux/
      tee ./mariadb-plugin-cracklib-password-check.te <<EOF
      module mariadb-plugin-cracklib-password-check 1.0;
      require {
              type mysqld_t;
              type crack_db_t;
              class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
              class dir { write search getattr add_name read remove_name open };
      allow mysqld_t crack_db_t:dir { search read open };
      allow mysqld_t crack_db_t:file { getattr read open };
      sudo yum install selinux-policy-devel
      make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
      sudo semodule -i mariadb-plugin-cracklib-password-check.pp

      This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one. We can see based on the following output:

      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
      drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0  root root 4096 Nov  9  2015 /usr/share/cracklib/
      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
      total 9192
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root     360 Feb  6  2014 cracklib.magic
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 cracklib-small.hwm
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  250120 Feb  6  2014 cracklib-small.pwd
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root   13232 Feb  6  2014 cracklib-small.pwi
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 pw_dict.hwm
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root 8663484 Feb  6  2014 pw_dict.pwd
      -rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  460232 Feb  6  2014 pw_dict.pwi

      The policy appears to work:

      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ getenforce
      [ec2-user@ip-172-30-0-249 cracklib_selinux]$ mysql -u root
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 4
      Server version: 10.1.37-MariaDB MariaDB Server
      Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
      Query OK, 0 rows affected (0.00 sec)
      MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check_dictionary';
      | Variable_name                      | Value                       |
      | cracklib_password_check_dictionary | /usr/share/cracklib/pw_dict |
      1 row in set (0.00 sec)
      MariaDB [(none)]> CREATE USER 'alice'@'localhost' IDENTIFIED BY 'asdf15692';
      Query OK, 0 rows affected (0.03 sec)
      MariaDB [(none)]> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password';
      ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
      MariaDB [(none)]> SHOW WARNINGS;
      | Level   | Code | Message                                                        |
      | Warning | 1819 | cracklib: it is based on a dictionary word                     |
      | Error   | 1819 | Your password does not satisfy the current policy requirements |
      | Error   | 1396 | Operation CREATE USER failed for 'bob'@'localhost'             |
      3 rows in set (0.00 sec)


          Issue Links



              ralf.gebhardt@mariadb.com Ralf Gebhardt
              GeoffMontee Geoff Montee
              0 Vote for this issue
              1 Start watching this issue