[MDEV-18374] SELinux breaks cracklib_password_check plugin Created: 2019-01-24  Updated: 2023-08-22  Resolved: 2023-07-26

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Plugins
Affects Version/s: 10.2, 10.3, 10.4
Fix Version/s: 10.4.31, 10.5.22, 10.6.15, 10.9.8, 10.10.6, 10.11.5, 11.0.3, 11.1.2, 11.2.1

Type: Bug Priority: Major
Reporter: Geoff Montee (Inactive) Assignee: Nikita Malyavin
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-10160 enabled cracklib plugin blocks all pa... Closed

Description

The cracklib_password_check plugin is known to have problems with SELinux:

https://mariadb.com/kb/en/library/cracklib-password-check-plugin/#selinux

Since the plugin is in its own package anyway on all distributions where we provide it, maybe that package should also install an SELinux policy? The following one seems to work:

cd /usr/share/mysql/policy/selinux/
tee ./mariadb-plugin-cracklib-password-check.te <<EOF
 
module mariadb-plugin-cracklib-password-check 1.0;
 
require {
        type mysqld_t;
        type crack_db_t;
        class file { execute setattr read create getattr execute_no_trans write ioctl open append unlink };
        class dir { write search getattr add_name read remove_name open };
}
 
allow mysqld_t crack_db_t:dir { search read open };
allow mysqld_t crack_db_t:file { getattr read open };
EOF
sudo yum install selinux-policy-devel
make -f /usr/share/selinux/devel/Makefile mariadb-plugin-cracklib-password-check.pp
sudo semodule -i mariadb-plugin-cracklib-password-check.pp

This policy gives the mysqld_t type access to files and directories in the crack_db_t context, which seems to be the correct one, as we can see from the following output:

[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -ld --lcontext /usr/share/cracklib/
drwxr-xr-x. 2 system_u:object_r:crack_db_t:s0  root root 4096 Nov  9  2015 /usr/share/cracklib/
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ ls -l --lcontext /usr/share/cracklib/
total 9192
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root     360 Feb  6  2014 cracklib.magic
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 cracklib-small.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  250120 Feb  6  2014 cracklib-small.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root   13232 Feb  6  2014 cracklib-small.pwi
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 pw_dict.hwm
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root 8663484 Feb  6  2014 pw_dict.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  460232 Feb  6  2014 pw_dict.pwi

The policy appears to work:

[ec2-user@ip-172-30-0-249 cracklib_selinux]$ getenforce
Enforcing
[ec2-user@ip-172-30-0-249 cracklib_selinux]$ mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.37-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check_dictionary';
+------------------------------------+-----------------------------+
| Variable_name                      | Value                       |
+------------------------------------+-----------------------------+
| cracklib_password_check_dictionary | /usr/share/cracklib/pw_dict |
+------------------------------------+-----------------------------+
1 row in set (0.00 sec)
 
MariaDB [(none)]> CREATE USER 'alice'@'localhost' IDENTIFIED BY 'asdf15692';
Query OK, 0 rows affected (0.03 sec)
 
MariaDB [(none)]> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> SHOW WARNINGS;
+---------+------+----------------------------------------------------------------+
| Level   | Code | Message                                                        |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: it is based on a dictionary word                     |
| Error   | 1819 | Your password does not satisfy the current policy requirements |
| Error   | 1396 | Operation CREATE USER failed for 'bob'@'localhost'             |
+---------+------+----------------------------------------------------------------+
3 rows in set (0.00 sec)
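The allow rules in the policy above are exactly the ones SELinux logs as AVC denials when the plugin first tries to open the dictionary, and the policy only helps if the dictionary files actually carry the crack_db_t type that the rules target. The following script is an added example, not part of the ticket or of the MariaDB project's packaging: it shows both halves of that check offline. avc_to_allow aggregates AVC lines in the standard /var/log/audit/audit.log format into TE allow rules (the same reduction audit2allow performs), and check_label_type reads `ls -l --lcontext` output like the listing above and reports files whose type is not the expected one. The AVC lines and the directory listing embedded here are constructed for the example; the inode numbers, pids and the mislabelled pw_dict.pwd are made up.

```shell
#!/bin/sh
# Added example (not from MDEV-18374 or the MariaDB project): derive the TE
# allow rules from AVC denials and verify dictionary labels, offline.

# Constructed sample of AVC denials, in the layout the kernel writes to
# /var/log/audit/audit.log when mysqld_t is blocked from crack_db_t.
SAMPLE_AVC='type=AVC msg=audit(1548345600.101:501): avc:  denied  { search } for  pid=2201 comm="mysqld" name="cracklib" dev="xvda1" ino=4001 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1548345600.102:502): avc:  denied  { read open } for  pid=2201 comm="mysqld" name="cracklib" dev="xvda1" ino=4001 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1548345600.103:503): avc:  denied  { getattr } for  pid=2201 comm="mysqld" path="/usr/share/cracklib/pw_dict.pwd" dev="xvda1" ino=4007 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548345600.104:504): avc:  denied  { read open } for  pid=2201 comm="mysqld" path="/usr/share/cracklib/pw_dict.pwd" dev="xvda1" ino=4007 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=0
type=AVC msg=audit(1548345600.105:505): avc:  denied  { read } for  pid=2201 comm="mysqld" path="/usr/share/cracklib/pw_dict.hwm" dev="xvda1" ino=4005 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=file permissive=0'

# Constructed `ls -l --lcontext /usr/share/cracklib/` output; pw_dict.pwd is
# deliberately mislabelled (usr_t) to show what the check reports.
SAMPLE_LS='total 9192
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root     360 Feb  6  2014 cracklib.magic
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root    1024 Feb  6  2014 pw_dict.hwm
-rw-r--r--. 1 unconfined_u:object_r:usr_t:s0   root root 8663484 Feb  6  2014 pw_dict.pwd
-rw-r--r--. 1 system_u:object_r:crack_db_t:s0  root root  460232 Feb  6  2014 pw_dict.pwi'

# Read AVC denial lines on stdin; print one "allow SRC TGT:CLASS { perms };"
# per (source type, target type, class), permissions sorted and de-duplicated.
avc_to_allow() {
    awk '
        /avc: +denied/ {
            # permissions sit between the first "{" and "}" on the line
            s = index($0, "{"); e = index($0, "}")
            perms = substr($0, s + 1, e - s - 1)
            st = ""; tt = ""; cl = ""
            for (i = 1; i <= NF; i++) {
                # a context is user:role:type:level; the type is field 3
                if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
                else if ($i ~ /^tclass=/)   { cl = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++) print st, tt ":" cl, p[i]
        }' |
    LC_ALL=C sort -u |
    awk '
        {
            key = $1 " " $2
            if (key != prev) {
                if (prev != "") printf "allow %s { %s };\n", prev, perms
                prev = key; perms = $3
            } else {
                perms = perms " " $3
            }
        }
        END { if (prev != "") printf "allow %s { %s };\n", prev, perms }'
}

# Read `ls -l --lcontext` output on stdin; print the name of every file whose
# SELinux type differs from $1. Exit status is 1 if any such file was found.
check_label_type() {
    awk -v want="$1" '
        $1 == "total" { next }
        { split($3, c, ":"); if (c[3] != want) { print $NF; bad = 1 } }
        END { exit bad }'
}

# Demo: the rules derived from the sample denials, then the label audit.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_LS" | check_label_type crack_db_t ||
    echo "dictionary files above are not crack_db_t; restorecon -Rv /usr/share/cracklib would reset them"
```

On a live host, feed `ausearch -m AVC -c mysqld` (or a grep of audit.log) into avc_to_allow and `ls -l --lcontext "$(dirname "$cracklib_password_check_dictionary")"` into check_label_type. If the label audit reports files, the fix is relabelling, not a wider policy: adding rules for whatever stray type the files carry would grant mysqld_t access to every file of that type, which is exactly the over-broad allow the minimal crack_db_t policy above avoids.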
Comments
Comment by Geoff Montee (Inactive) [ 2019-01-25 ]

I wanted to see if I could implement this change for RPMs, so I submitted a pull request:

https://github.com/MariaDB/server/pull/1131

It seems to work. The SELinux policy is there, and the post-install script loads it:

[ec2-user@ip-172-30-0-32 ~]$ rpm -q MariaDB-cracklib-password-check --list
/etc/my.cnf.d
/etc/my.cnf.d/cracklib_password_check.cnf
/usr/lib64/mysql
/usr/lib64/mysql/plugin
/usr/lib64/mysql/plugin/cracklib_password_check.so
/usr/share/mysql
/usr/share/mysql/policy
/usr/share/mysql/policy/selinux
/usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp
/usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.te
[ec2-user@ip-172-30-0-32 ~]$ rpm -q MariaDB-cracklib-password-check --scripts
preinstall program: /bin/sh
postinstall scriptlet (using /bin/sh):
SETARGETDIR=/etc/selinux/targeted/src/policy
SEDOMPROG=$SETARGETDIR/domains/program
SECONPROG=$SETARGETDIR/file_contexts/program
 
if [ -x /usr/sbin/semodule ] ; then
  /usr/sbin/semodule -i /usr/share/mysql/policy/selinux/mariadb-plugin-cracklib-password-check.pp
fi
preuninstall program: /bin/sh
postuninstall program: /bin/sh

And MariaDB is able to use CrackLib without any issues:

[ec2-user@ip-172-30-0-32 ~]$ mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.37-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> INSTALL SONAME 'cracklib_password_check';
Query OK, 0 rows affected (0.01 sec)
 
MariaDB [(none)]> CREATE USER 'alice'@'localhost' IDENTIFIED BY 'asdf15692';
Query OK, 0 rows affected (0.03 sec)
 
MariaDB [(none)]> CREATE USER 'bob'@'localhost' IDENTIFIED BY 'password';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
MariaDB [(none)]> show warnings;
+---------+------+----------------------------------------------------------------+
| Level   | Code | Message                                                        |
+---------+------+----------------------------------------------------------------+
| Warning | 1819 | cracklib: it is based on a dictionary word                     |
| Error   | 1819 | Your password does not satisfy the current policy requirements |
| Error   | 1396 | Operation CREATE USER failed for 'bob'@'localhost'             |
+---------+------+----------------------------------------------------------------+
3 rows in set (0.00 sec)
 
MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE 'cracklib_password_check_dictionary';
+------------------------------------+-----------------------------+
| Variable_name                      | Value                       |
+------------------------------------+-----------------------------+
| cracklib_password_check_dictionary | /usr/share/cracklib/pw_dict |
+------------------------------------+-----------------------------+
1 row in set (0.00 sec)

Comment by Elena Stepanova [ 2022-03-12 ]

I can still reproduce the described problem with cracklib plugin, but only with 10.2-10.4 on RHEL-7/CentOS-7.
That is, it's not reproducible on RHEL/CentOS-7 with 10.5+, even though the contents of /usr/share/mysql/policy/selinux/ seem to be identical for 10.5 and 10.4.
And it isn't reproducible on RHEL/Rocky-8 at all, even with 10.2-10.4.

On RHEL-7 with 10.2-10.4, the policy Geoff suggested makes the problem go away, but I'm wondering if anyone knows what causes the difference between server and system versions.
