On Feb 14, 2014, at 9:34 PM, Kayse, Josh <[email protected]> wrote:
>
> On Feb 11, 2014, at 11:17 PM, Shawn Wells <[email protected]> wrote:
>
>> On 2/11/14, 10:49 PM, Kayse, Josh wrote:
>>>
>>> On Feb 7, 2014, at 7:56 PM, Trevor Vaughan <[email protected]> wrote:
>>>
>>>> Josh,
>>>>
>>>> I haven't seen this happening.
>>>>
>>>> Do you happen to have a cron job that is trying to do something with sudo
>>>> or su?
>>>>
>>>> Trevor
>>>>
>>>
>>> Unfortunately I don't. Could you post your /etc/pam.d/cron file?
>>>
>>
>> $ cat /etc/pam.d/crond
>> #
>> # The PAM configuration file for the cron daemon
>> #
>> #
>> # No PAM authentication called, auth modules not needed
>> account required pam_access.so
>> account include password-auth
>> session required pam_loginuid.so
>> session include password-auth
>> auth include password-auth
>> _______________________________________________
>> scap-security-guide mailing list
>> [email protected]
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
> I figured out why cron stopped working for me. If you disable the unconfined
> module, it stops working. So I'll open a bugzilla for that.
>
> 1. semodule -d unconfineduser unconfined
>
> Actual results:
> cron stops working with the following log and AVC generated
>
> Feb 14 18:27:01 localhost crond[2673]: (root) FAILED to open PAM security session (Error in service module)
> Feb 14 18:27:01 (null) (null): audit(1392431221.248:729): avc: denied { read write } for pid=2673 comm=crond name=lastlog ino=666024 dev=sda2 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lastlog_t:s0 tclass=file
>
> Thanks for all the help.
>
> -josh

One last comment: if I apply this patch, then cron works even with unconfined disabled/removed.

--- password-auth-local 2014-02-16 13:27:46.805584897 -0500
+++ password-auth-local.cron 2014-02-15 21:03:42.100619845 -0500
@@ -24,7 +24,7 @@ password required pam_cracklib.s password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24 password required pam_deny.so -session required pam_lastlog.so showfailed +session optional pam_lastlog.so showfailed session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

Perhaps the SSG can be updated to utilize this line. I believe changing required to optional is an acceptable action because it is only used for displaying failed logins. If a user were to fail to access the lastlog file, they would fail during a previous service type like auth or account.

Thanks,
-josh
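Review bot: the `-session required pam_lastlog.so showfailed` / `+session optional pam_lastlog.so showfailed` change lands in password-auth, which the quoted /etc/pam.d/crond pulls in via `session include password-auth`, but every other service that includes the same file gets the relaxation too, so it is not scoped to crond: a pam_lastlog failure during an interactive login would now be silently ignored instead of refusing the session, which undercuts the failed-login display that `showfailed` is configured for. The quoted AVC shows crond_t denied `{ read write }` on lastlog_t, so pam_lastlog is writing the lastlog record as well as displaying it, and the actual defect is a missing SELinux allow rule once the unconfined module is removed; the PAM edit masks that rather than fixing it. If a PAM-side workaround is still wanted, this same file already demonstrates the pattern for scoping a rule to cron: placing `session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid` directly before the pam_lastlog line skips only that rule for crond and leaves it `required` for everything else.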
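As an added example (not code from the thread or from the SSG project), the block below is a small Python model of Linux-PAM control-flag semantics run over the crond session stack reconstructed from the quoted /etc/pam.d/crond and password-auth lines. It shows why the `required` to `optional` change on pam_lastlog turns a failed session open into a successful one when pam_lastlog returns an error, and why the existing `[success=1 default=ignore] pam_succeed_if.so service in crond` rule skips only the rule that follows it. The module after pam_succeed_if is not visible in the thread, so `pam_placeholder.so` is a hypothetical stand-in, and the `outcomes` mapping that makes pam_lastlog fail is constructed to mirror the quoted AVC denial.

```python
"""Linux-PAM stack evaluation for the crond session stack in this thread.

Added example, not code from the thread or from the SSG project. It models
the documented Linux-PAM control-flag semantics (required, requisite,
sufficient, optional and the bracketed [value=action ...] form) closely
enough to show why a required -> optional change on pam_lastlog makes
"FAILED to open PAM security session" go away for crond.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    control: str            # keyword or bracketed "[success=1 default=ignore]"
    module: str             # e.g. "pam_lastlog.so"
    args: Tuple[str, ...]   # module arguments such as ("showfailed",)


# crond's session stack as quoted in the thread: pam_loginuid from
# /etc/pam.d/crond, then the "session" lines of the password-auth hunk
# (the "include password-auth" expanded by hand). The thread does not show
# the module after pam_succeed_if, so pam_placeholder.so (hypothetical)
# stands in for it.
CROND_SESSION_BEFORE = """
session required pam_loginuid.so
session required pam_lastlog.so showfailed
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_placeholder.so
"""

# The same stack with the posted patch applied.
CROND_SESSION_AFTER = CROND_SESSION_BEFORE.replace(
    "session required pam_lastlog.so", "session optional pam_lastlog.so")

# Constructed outcome mirroring the quoted AVC: crond_t is denied read/write
# on lastlog_t, so pam_lastlog returns an error inside crond.
LASTLOG_DENIED = {"pam_lastlog.so": "failure"}

_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text: str, stack_type: str = "session") -> List[Rule]:
    """Parse pam.d-style lines, keeping only the requested stack type."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m and m.group(1) == stack_type:
            rules.append(Rule(m.group(2), m.group(3), tuple(m.group(4).split())))
    return rules


# Keyword controls expressed in the bracketed form Linux-PAM defines for them.
_KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def _actions(control: str) -> Dict[str, str]:
    if control in _KEYWORDS:
        return _KEYWORDS[control]
    return dict(kv.split("=", 1) for kv in control.strip("[]").split())


def evaluate(rules: List[Rule], outcomes: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run the stack; return (final result, modules actually invoked).

    outcomes maps module -> "success" or "failure"; unlisted modules succeed.
    Simplified Linux-PAM model: "bad" fixes the result as failure, "ok" fixes
    success only if nothing fixed failure first, "done" returns early on
    success, "die" returns failure at once, an integer N skips the next N
    rules, "ignore" leaves the result alone. A stack in which no rule fixed
    a result is treated as successful.
    """
    result = None
    invoked: List[str] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        invoked.append(rule.module)
        res = outcomes.get(rule.module, "success")
        acts = _actions(rule.control)
        action = acts.get(res, acts.get("default", "ignore"))
        if action.isdigit():
            i += int(action)            # jump over the next N rules
        elif action == "bad":
            result = "failure"
        elif action == "ok":
            if result is None:
                result = "success"
        elif action == "done":
            if result is None:
                result = "success"
            if result == "success":
                return result, invoked
        elif action == "die":
            return "failure", invoked
        # "ignore" (and anything unrecognised) changes nothing
    return (result or "success"), invoked


def open_session(stack_text: str, outcomes: Dict[str, str]) -> str:
    """Parse and evaluate a session stack, returning just the result."""
    return evaluate(parse_stack(stack_text), outcomes)[0]


if __name__ == "__main__":
    for name, stack in (("before", CROND_SESSION_BEFORE), ("after", CROND_SESSION_AFTER)):
        result, invoked = evaluate(parse_stack(stack), LASTLOG_DENIED)
        print(f"{name}: session {result}; invoked {invoked}")
```

Run with the constructed `LASTLOG_DENIED` outcome, the "before" stack ends in failure because the `required` pam_lastlog rule fixes the stack result as failure even though every later module succeeds, while the "after" stack succeeds because `optional` maps a failure to `ignore`. The trace also shows `pam_placeholder.so` being skipped whenever pam_succeed_if matches `service in crond`, which is the scoping mechanism the file already uses.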
