[MDEV-18374] SELinux breaks cracklib_password_check plugin - Jira

Geoff Montee (Inactive) created issue - 2019-01-24 23:58

Geoff Montee (Inactive) made changes - 2019-01-24 23:58

Field	Original Value	New Value
Link		This issue relates to CDOC-2 [ CDOC-2 ]

Geoff Montee (Inactive) made changes - 2019-01-25 01:39

Link

This issue relates to ~~MDEV-10160~~ [ ~~MDEV-10160~~ ]

Geoff Montee (Inactive) made changes - 2019-01-25 01:48

Description

The cracklib_password_check plugin is known to have problems with SELinux:

https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux

Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

{noformat}
cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF

module mariadb-plugin-cracklib-password-check 1.0;

require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}

allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp
{noformat}

The cracklib_password_check plugin is known to have problems with SELinux:

https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux

Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

{noformat}
cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF

module mariadb-plugin-cracklib-password-check 1.0;

require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}

allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp
{noformat}

This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one. For example:

{noformat}
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0 root root 4096 Nov 9 2015 /usr/share/cracklib/
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
total 9192
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 360 Feb 6 2014 cracklib.magic
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 cracklib-small.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 250120 Feb 6 2014 cracklib-small.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 13232 Feb 6 2014 cracklib-small.pwi
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 pw_dict.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 8663484 Feb 6 2014 pw_dict.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 460232 Feb 6 2014 pw_dict.pwi
{noformat}

Geoff Montee (Inactive) made changes - 2019-01-25 02:06

Description

The cracklib_password_check plugin is known to have problems with SELinux:

https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux

Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

{noformat}
cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF

module mariadb-plugin-cracklib-password-check 1.0;

require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}

allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp
{noformat}

This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one. For example:

{noformat}
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0 root root 4096 Nov 9 2015 /usr/share/cracklib/
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
total 9192
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 360 Feb 6 2014 cracklib.magic
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 cracklib-small.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 250120 Feb 6 2014 cracklib-small.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 13232 Feb 6 2014 cracklib-small.pwi
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 pw_dict.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 8663484 Feb 6 2014 pw_dict.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 460232 Feb 6 2014 pw_dict.pwi
{noformat}

The cracklib_password_check plugin is known to have problems with SELinux:

https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux

Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

{noformat}
cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF

module mariadb-plugin-cracklib-password-check 1.0;

require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}

allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp
{noformat}

This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one. We can see based on the following output:

{noformat}
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0 root root 4096 Nov 9 2015 /usr/share/cracklib/
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
total 9192
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 360 Feb 6 2014 cracklib.magic
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 cracklib-small.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 250120 Feb 6 2014 cracklib-small.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 13232 Feb 6 2014 cracklib-small.pwi
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 1024 Feb 6 2014 pw_dict.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 8663484 Feb 6 2014 pw_dict.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0 root root 460232 Feb 6 2014 pw_dict.pwi
{noformat}

The policy appears to work:

{noformat}
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ getenforce
Enforcing
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ mysql -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.37-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check_dictionary';
+------------------------------------+-----------------------------+
| Variable_name | Value |
+------------------------------------+-----------------------------+
| cracklib_password_check_dictionary | /usr/share/cracklib/pw_dict |
+------------------------------------+-----------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> CREATE USER 'alice'@'localhost' IDENTIFIED BY 'asdf15692';
Query OK, 0 rows affected (0.03 sec)

MariaDB [(none)]> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> SHOW WARNINGS;
+---------+------+----------------------------------------------------------------+
| Level | Code | Message |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: it is based on a dictionary word |
| Error | 1819 | Your password does not satisfy the current policy requirements |
| Error | 1396 | Operation CREATE USER failed for 'bob'@'localhost' |
+---------+------+----------------------------------------------------------------+
3 rows in set (0.00 sec)
{noformat}

Geoff Montee (Inactive) made changes - 2020-05-20 01:51

Assignee

Sergei Golubchik [ serg ]

Ralf Gebhardt [ ralf.gebhardt@mariadb.com ]

Julien Fritsch made changes - 2020-11-06 16:00

Fix Version/s

10.1 [ 16100 ]

Sergei Golubchik made changes - 2020-12-15 12:50

Issue Type

Task [ 3 ]

Bug [ 1 ]

Sergei Golubchik made changes - 2020-12-15 12:50

Affects Version/s		10.2 [ 14601 ]
Affects Version/s		10.3 [ 22126 ]
Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]

Sergei Golubchik made changes - 2020-12-15 12:51

Summary

Add SELinux policy to cracklib_password_check packages

SELinux breaks cracklib_password_check plugin

Sergei Golubchik made changes - 2020-12-15 12:51

Assignee

Ralf Gebhardt [ ralf.gebhardt@mariadb.com ]

Nikita Malyavin [ nikitamalyavin ]

Sergei Golubchik made changes - 2021-12-06 21:33

Workflow

MariaDB v3 [ 92050 ]

MariaDB v4 [ 141122 ]

Elena Stepanova made changes - 2022-06-13 13:17

Affects Version/s

10.5 [ 23123 ]

Ralf Gebhardt made changes - 2022-08-04 08:44

Fix Version/s

10.2 [ 14601 ]

Julien Fritsch made changes - 2023-04-27 14:18

Fix Version/s

10.3 [ 22126 ]

Andrew Hutchings (Inactive) made changes - 2023-07-26 10:13

issue.field.resolutiondate

2023-07-26 10:13:39.0

2023-07-26 10:13:39.121

Andrew Hutchings (Inactive) made changes - 2023-07-26 10:13

Fix Version/s		10.4.31 [ 29010 ]
Fix Version/s	10.4 [ 22408 ]
Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Closed [ 6 ]

Ralf Gebhardt made changes - 2023-08-22 19:36

Fix Version/s		11.2.1 [ 29034 ]
Fix Version/s		11.1.2 [ 28921 ]
Fix Version/s		11.0.3 [ 28920 ]
Fix Version/s		10.11.5 [ 29019 ]
Fix Version/s		10.10.6 [ 29017 ]
Fix Version/s		10.9.8 [ 29015 ]
Fix Version/s		10.6.15 [ 29013 ]
Fix Version/s		10.5.22 [ 29011 ]

MariaDB Server

SELinux breaks cracklib_password_check plugin

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration