Description
The cracklib_password_check plugin is known to have problems with SELinux:
https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux
Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:
```
cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF

module mariadb-plugin-cracklib-password-check 1.0;

require {
    type mysqld_t;
    type crack_db_t;
    class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
    class dir { write search getattr add_name read remove_name open };
}

allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp
```
This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one. We can see this from the following output:
```
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0 root root 4096 Nov 9 2015 /usr/share/cracklib/
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
total 9192
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 360 Feb 6 2014 cracklib.magic
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 cracklib-small.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 250120 Feb 6 2014 cracklib-small.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 13232 Feb 6 2014 cracklib-small.pwi
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 pw_dict.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 8663484 Feb 6 2014 pw_dict.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 460232 Feb 6 2014 pw_dict.pwi
```
|
The policy appears to work:
```
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ getenforce
Enforcing
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check_dictionary';
+------------------------------------+-----------------------------+
| Variable_name                      | Value                       |
+------------------------------------+-----------------------------+
| cracklib_password_check_dictionary | /usr/share/cracklib/pw_dict |
+------------------------------------+-----------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> CREATE USER 'alice'@'localhost' IDENTIFIED BY 'asdf15692';
Query OK, 0 rows affected (0.03 sec)

MariaDB [(none)]> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> SHOW WARNINGS;
+---------+------+----------------------------------------------------------------+
| Level   | Code | Message                                                        |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: it is based on a dictionary word                     |
| Error   | 1819 | Your password does not satisfy the current policy requirements |
| Error   | 1396 | Operation CREATE USER failed for 'bob'@'localhost'             |
+---------+------+----------------------------------------------------------------+
3 rows in set (0.00 sec)
```
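As an added illustration (not part of this report and not MariaDB code), the script below derives the two allow rules above from AVC denial records of the kind auditd writes to /var/log/audit/audit.log when mysqld_t is refused access to crack_db_t, and renders them in the .te layout used in this report, in the spirit of audit2allow. The audit records are constructed samples and the function names are my own.

```python
import re
from collections import defaultdict

# Shape of an SELinux AVC denial record as written to /var/log/audit/audit.log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    return context.split(":")[2]

def parse_denials(log_lines):
    """Map (source type, target type, object class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and non-AVC lines carry no denial to collect
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def render_te(module_name, denials, version="1.0"):
    """Render a .te policy module: module line, require block, then allow rules."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(denials.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

# Constructed sample audit records (not captured from a real host); the layout mirrors
# what auditd logs when mysqld_t is denied access to the cracklib dictionary files.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1541980800.001:101): avc:  denied  { search } for  pid=1234 comm="mysqld" name="cracklib" dev="xvda1" ino=4242 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1541980800.002:102): avc:  denied  { read open } for  pid=1234 comm="mysqld" name="pw_dict.pwd" dev="xvda1" ino=4243 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1541980800.003:103): avc:  denied  { getattr } for  pid=1234 comm="mysqld" path="/usr/share/cracklib/pw_dict.pwi" dev="xvda1" ino=4244 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1541980800.003:103): arch=c000003e syscall=2 success=no exit=-13 comm="mysqld"',
]

if __name__ == "__main__":
    print(render_te("mariadb-plugin-cracklib-password-check", parse_denials(SAMPLE_AUDIT_LOG)))
```

The generated require block lists only the permissions actually denied, which is narrower than the hand-written one above; feed the output to the same make/semodule steps to build and load it.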
|
Issue Links
- relates to MDEV-10160 enabled cracklib plugin blocks all password changes with SELINUX=enforcing (Closed)