pam-selinux update to 1.4.0-1 and a resulting GPG keyserver issue fix

[tqre]

Pam-selinux failed to build, so updated pam-selinux package to new version, which now builds and installs succesfully. The new GPG key that was used to sign updated pam-selinux was not found from the keyserver defined in recv_gpg_keys.sh. Changed the keyserver in said script to point to OpenPGP Keyserver to cover more ground.

[fishilico]

On my test system, upgrading pam-selinux breaks authentication, either with lightdm or with the TTY. I managed to recover access to my system by booting from another boot device and installing pam-selinux 1.3, so this is bad.

The logs in journalctl contains:

Jul 29 21:29:54 test systemd[1]: Starting User Manager for UID 620...
Jul 29 21:29:54 test systemd[715]: PAM unable to dlopen(/usr/lib/security/pam_tally2.so): /usr/lib/security/pam_tally2.so: cannot open shared object file: No such file or directory
Jul 29 21:29:54 test systemd[715]: PAM adding faulty module: /usr/lib/security/pam_tally2.so
Jul 29 21:29:54 test audit[715]: USER_ACCT pid=715 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t msg='op=PAM:accounting grantors=? acct="lightdm" exe="/usr/lib/syst>
Jul 29 21:29:54 test systemd[715]: PAM failed: Module is unknown
Jul 29 21:29:54 test systemd[715]: user@620.service: Failed to set up PAM session: Operation not permitted
Jul 29 21:29:54 test systemd[715]: user@620.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
Jul 29 21:29:54 test systemd[1]: user@620.service: Main process exited, code=exited, status=224/PAM
Jul 29 21:29:54 test systemd[1]: user@620.service: Failed with result 'exit-code'.

Did you also encounter this issue?

[fishilico]

For the GPG server update: I got errors with hkps://hkps.pool.sks-keyservers.net and indeed it seems that HKPS no longer "works out of the box" on Arch Linux. That's a pity, but I can live with unencrypted PGP key synchronizations. So I cherry-picked your commit in https://github.com/archlinuxhardened/selinux/commit/48b01249896940f99446156438ba81c440e1f484. Thanks!

For people who build packages offline, I synchronized the key in _pgp_cache without waiting for pam-selinux to be updated (commit https://github.com/archlinuxhardened/selinux/commit/c89694a89770f3f16de19eb317486c928ba5638d).

[tqre]

Nice that it helped. I'm testing this soonish, had to refine the test process as resources on the VM were not sufficient. Also some speedups with local package caches as they are not complete mirrors.

I still have to implement the policies, but I'll use the PKGBUILD you provided in issue #37

[tqre]

Login is broken for me too, with pretty much the same errors. I have no desktop installed on the test machine yet. I'll take a look at the relevant https://bugs.archlinux.org/task/67347

Jul 29 21:17:20 selinux login[432]: PAM unable to dlopen(/usr/lib/security/pam_tally2.so): /usr/lib/security/pam_tally2.so: cannot open shared object file: No such file or directory
Jul 29 21:17:20 selinux login[432]: PAM adding faulty module: /usr/lib/security/pam_tally2.so
Jul 29 21:17:21 selinux audit[432]: USER_AUTH pid=432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t msg='op=PAM:authentication grantors=? acct="tqre" exe="/usr/bin/login" host
name=selinux addr=? terminal=tty1 res=failed'
Jul 29 21:17:21 selinux kernel: audit: type=1100 audit(1596057441.773:38): pid=432 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t msg='op=PAM:authentication grantors=? acct="tq
re" exe="/usr/bin/login" hostname=selinux addr=? terminal=tty1 res=failed'
Jul 29 21:17:23 selinux login[432]: FAILED LOGIN SESSION FROM tty1 FOR tqre, Module is unknown

[tqre]

I managed to regain login by editing /etc/pam.d/system-login

pam_tally2.so is replaced with pam_faillock.soon the new pam-selinux version. It looks like the issue is solved with pambase package, which is being worked on. Replacing the 2 instances of pam_tally2.so. Also removed the onerr= and log file definitions for now.

#%PAM-1.0

auth       required   pam_faillock.so
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_faillock.so
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth
...

I'm seeing some other errors, but I'm not sure if they relate to this one:

Jul 30 01:14:55 selinux login[531]: pam_selinux(login:session): Unable to get valid context for tqre

[tqre]

So the valid context got righted after I ran the rest of the installation steps as instructed by ArchWiki. Somehow I thought installation was finished even if it wasn't.

System runs fine without erros now:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             refpolicy-arch
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Memory protection checking:     actual (secure)
Max kernel policy version:      32

Afaik, failed login attempts are not going anywhere with the ad-hoc faillock settings I tested with. More on that matter in man pages: https://linux.die.net/man/8/pam_faillock